The ThreatFox: Unknown Loader IOCs rule detects potential adversary activity involving unknown loaders, which are often used to deliver malicious payloads and evade traditional detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could lead to persistent, sophisticated attacks.
IOC Summary
Malware Family: Unknown Loader
Total IOCs: 4
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | bigfrogs.info | payload_delivery | 2026-06-15 | 100% |
| domain | strayweirds.info | payload_delivery | 2026-06-15 | 100% |
| domain | marmoteilefinance.com | payload_delivery | 2026-06-15 | 100% |
| domain | book-imagegallery.info | payload_delivery | 2026-06-14 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Loader
let malicious_domains = dynamic(["bigfrogs.info", "strayweirds.info", "marmoteilefinance.com", "book-imagegallery.info"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
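To sanity-check the hunt logic offline before running it in Sentinel, the following added example (not part of the rule page) replays the query against constructed DnsEvents-shaped records. It matches the IOC domains by exact name or subdomain suffix, so `cdn.strayweirds.info` is a hit while a look-alike such as `notbigfrogs.info` is not; the sample rows and the `ClientIP` column are assumptions for illustration.

```python
"""Offline replay of the ThreatFox Unknown Loader DNS hunt (added example)."""

# IOC domains taken from the rule's IOC table above
MALICIOUS_DOMAINS = {
    "bigfrogs.info",
    "strayweirds.info",
    "marmoteilefinance.com",
    "book-imagegallery.info",
}

# Constructed sample rows shaped like Sentinel DnsEvents columns (not real telemetry)
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-06-15T08:01:00Z", "Computer": "ws01",
     "Name": "bigfrogs.info", "ClientIP": "10.1.2.3", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T08:02:00Z", "Computer": "ws02",
     "Name": "cdn.strayweirds.info", "ClientIP": "10.1.2.4", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T08:03:00Z", "Computer": "ws03",
     "Name": "notbigfrogs.info", "ClientIP": "10.1.2.5", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T08:04:00Z", "Computer": "ws04",
     "Name": "update.microsoft.com", "ClientIP": "10.1.2.6", "QueryType": "A"},
]


def matches_ioc(name, iocs=MALICIOUS_DOMAINS):
    """True if the queried name equals an IOC domain or is a subdomain of one.

    Trailing dots and case are normalised; a plain substring test is avoided
    because it would also fire on unrelated names that merely contain the IOC.
    """
    host = name.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in iocs)


def hunt(events, iocs=MALICIOUS_DOMAINS):
    """Return matching rows newest first, mirroring the KQL project/order clauses."""
    hits = [
        {k: e[k] for k in ("TimeGenerated", "Computer", "Name", "ClientIP", "QueryType")}
        for e in events
        if matches_ioc(e["Name"], iocs)
    ]
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for row in hunt(SAMPLE_DNS_EVENTS):
        print(row["TimeGenerated"], row["Computer"], row["Name"])
```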
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that downloads a file from a known internal repository, which coincidentally matches one of the IOCs in the rule.
Filter/Exclusion: Exclude files originating from internal IP ranges (e.g., src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) or files signed by an internal CA.
Scenario: Software Update via Microsoft Intune
Description: A company uses Microsoft Intune to deploy updates, and one of the update packages matches an IOC from the rule.
Filter/Exclusion: Exclude files with a known signature from Microsoft or files associated with the Intune service (e.g., process.name == "MicrosoftIntune").
Scenario: Admin Task Using PowerShell for Log Collection
Description: An administrator uses a PowerShell script to collect logs from multiple servers, which includes a file path or command that matches an IOC.
Filter/Exclusion: Exclude processes with user.name == "Administrator" or process.name == "powershell.exe" when running from a known admin script location.
Scenario: Backup Job Using Veeam or Acronis
Description: A backup job initiated by Veeam or Acronis temporarily writes to a directory that matches an IOC in the rule.
Filter/Exclusion: Exclude files with process.name == "veeam.exe" or process.name == "acronis.exe" and check for backup-related file patterns.
Scenario: Internal Threat Intelligence Feed Integration
Description: The organization uses an internal threat intelligence feed that occasionally includes benign files, which are mistakenly flagged by the rule.
*Filter/