The "ThreatFox: Unknown malware IOCs" rule detects potential adversary activity involving the indicators listed below, which ThreatFox files under an unknown malware family and which may be associated with advanced persistent threats. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and mitigate emerging threats before they cause significant damage.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 2
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://korpchehn.space/login | payload_delivery | 2026-04-18 | 100% |
| domain | korpchehn.space | payload_delivery | 2026-04-18 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
// Requires the DnsEvents table (DNS Analytics data connector)
let malicious_domains = dynamic(["korpchehn.space"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
// The IOC table above lists the URL defanged (hxxps://); the query uses the live form
// Requires the UrlClickEvents table (Microsoft 365 Defender data connector)
let malicious_urls = dynamic(["https://korpchehn.space/login"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a trusted source.
Filter/Exclusion: Exclude PowerShell scripts that execute against known update servers (e.g., update.microsoft.com, download.microsoft.com).
Scenario: A DevOps engineer is using Ansible to deploy a configuration management task that includes a known benign file from a public repository (e.g., GitHub).
Filter/Exclusion: Exclude file hashes or URLs associated with known Ansible modules or public repositories.
Scenario: A database administrator is using SQL Server Agent to run a job that connects to a remote SQL server using a known IP address.
Filter/Exclusion: Exclude IP addresses associated with internal SQL Server instances or known database management systems.
Scenario: A security analyst is using Wireshark to capture and analyze network traffic for a penetration test, which includes traffic to a known test environment.
Filter/Exclusion: Exclude traffic to internal test environments or known penetration testing domains (e.g., test.example.com).
Scenario: A system administrator is using Windows Task Scheduler to run a script that connects to a cloud storage service (e.g., Azure Blob Storage) for backup purposes.
Filter/Exclusion: Exclude connections to known cloud storage endpoints or scripts associated with backup processes.