The ThreatFox: Unknown Loader IOCs rule flags DNS resolution of command-and-control domains that ThreatFox attributes to a loader family it has not yet named. Loaders exist to stage and execute follow-on payloads, so a resolution of one of these domains is usually an early indicator of a compromise that endpoint controls have not caught. SOC teams should run the hunt below in Microsoft Sentinel (formerly Azure Sentinel) and treat any match as a high-priority investigation: both IOCs are botnet C2 domains reported at 100% confidence.
IOC Summary
Malware Family: Unknown Loader
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | horsefriend.cfd | botnet_cc | 2026-05-26 | 100% |
| domain | knowledgeairplane.cfd | botnet_cc | 2026-05-26 | 100% |
```kql
// Hunt for DNS queries to the ThreatFox "Unknown Loader" C2 domains.
// has_any matches on whole terms, so it also catches subdomains
// (e.g. cdn.knowledgeairplane.cfd) but not look-alikes such as
// nothorsefriend.cfd, which a contains() check would wrongly return.
// Source: ThreatFox - Unknown Loader
let malicious_domains = dynamic(["horsefriend.cfd", "knowledgeairplane.cfd"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS Analytics connector, which relies on the legacy Log Analytics agent; ensure it is enabled and that the DNS servers are onboarded. Environments that use the newer AMA-based DNS connector write to ASimDnsActivityLogs instead, where the queried name is in the DnsQuery column, so adjust the table and column before running the hunt there. |
False Positive Scenarios
The hunt above matches DNS lookups, whereas the exclusions below are process-level filters; apply them to the endpoint activity examined during triage, not to the DNS hunt itself, and scope each one to the known script path, package or install directory before deploying it, because a bare process name or command-line keyword is trivial for an attacker to imitate. Note the parentheses: "&&" binds tighter than "||", so a filter written as a && b || c excludes every event matching c regardless of a.
Scenario: Scheduled system maintenance using schtasks.exe to register a legitimate cleanup script (scheduled tasks themselves run under the Task Scheduler service, not as children of schtasks.exe)
Filter/Exclusion: process.name == "schtasks.exe" && process.command_line contains "/create"
Scenario: Running a legitimate system diagnostic tool such as msconfig.exe or taskmgr.exe
Filter/Exclusion: process.name == "msconfig.exe" || process.name == "taskmgr.exe"
Scenario: Using powershell.exe to run a scheduled administrative task (e.g., powershell.exe -Command "Get-EventLog")
Filter/Exclusion: process.name == "powershell.exe" && (process.command_line contains "Get-EventLog" || process.command_line contains "Get-WinEvent")
Scenario: Executing a legitimate system update or patching tool such as wusa.exe (note that "install" also matches the /uninstall switch, so narrow this to the expected .msu path in practice)
Filter/Exclusion: process.name == "wusa.exe" && (process.command_line contains "install" || process.command_line contains "update")
Scenario: Running a legitimate third-party monitoring tool (e.g., Nagios, Zabbix, or SolarWinds) that resolves IOC domains as part of its own reporting
Filter/Exclusion: process.name contains "nagios" || process.name contains "zabbix" || process.name contains "solarwinds"
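As an added example (not code from the ThreatFox page, from Microsoft Sentinel, or from any of the tools named above), the Python below runs the same domain hunt and the PowerShell exclusion over constructed DnsEvents-style and process records. The hostnames, addresses and command lines are made up for the demonstration. is_ioc_domain matches on label boundaries, so a subdomain of an IOC hits while the look-alike nothorsefriend.cfd does not, and excluded_as_written versus excluded_intended shows how the exclusion process.name == "powershell.exe" && process.command_line contains "Get-EventLog" || process.command_line contains "Get-WinEvent", read without parentheses, also suppresses a rundll32.exe event that merely mentions Get-WinEvent.

```python
"""Added example: the DNS-domain hunt and the PowerShell exclusion from the
page, run over constructed records. Not code from ThreatFox or Sentinel."""
from __future__ import annotations

# IOC domains from the ThreatFox table above.
MALICIOUS_DOMAINS = frozenset({"horsefriend.cfd", "knowledgeairplane.cfd"})

# Constructed DnsEvents-style records (not real telemetry). The third name is
# a look-alike that a plain substring check would wrongly flag.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-27T08:00:01Z", "Computer": "ws01",
     "Name": "horsefriend.cfd", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-05-27T08:00:05Z", "Computer": "ws02",
     "Name": "cdn.knowledgeairplane.cfd", "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-05-27T08:00:09Z", "Computer": "ws03",
     "Name": "nothorsefriend.cfd", "IPAddresses": "203.0.113.12", "QueryType": "A"},
    {"TimeGenerated": "2026-05-27T08:00:12Z", "Computer": "ws01",
     "Name": "login.microsoftonline.com", "IPAddresses": "20.190.160.1", "QueryType": "A"},
]


def is_ioc_domain(name: str, iocs=MALICIOUS_DOMAINS) -> bool:
    """True if `name` is an IOC domain or a subdomain of one.

    Compares on label boundaries (case-insensitive, trailing dot ignored), so
    'cdn.knowledgeairplane.cfd' matches but 'nothorsefriend.cfd' does not.
    """
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def hunt_dns(events, iocs=MALICIOUS_DOMAINS):
    """Equivalent of the KQL hunt: filter on the IOC list, project the same
    columns, and order by TimeGenerated descending."""
    columns = ("TimeGenerated", "Computer", "Name", "IPAddresses", "QueryType")
    hits = [{k: e[k] for k in columns} for e in events if is_ioc_domain(e["Name"], iocs)]
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


# Constructed process records for the PowerShell exclusion. Only the first is
# the benign admin task the exclusion is meant to cover.
SAMPLE_PROCESS_EVENTS = [
    {"name": "powershell.exe",
     "command_line": 'powershell.exe -Command "Get-EventLog -LogName System"'},
    {"name": "powershell.exe",
     "command_line": 'powershell.exe -nop -w hidden -c "Start-Process calc.exe"'},
    {"name": "rundll32.exe",
     "command_line": "rundll32.exe C:\\Users\\Public\\x.dll,Get-WinEvent"},
]


def excluded_as_written(p) -> bool:
    """a && b || c with no parentheses: && binds tighter, so any process whose
    command line mentions Get-WinEvent is excluded, whatever its name."""
    return (p["name"] == "powershell.exe" and "Get-EventLog" in p["command_line"]) \
        or "Get-WinEvent" in p["command_line"]


def excluded_intended(p) -> bool:
    """What the scenario describes: powershell.exe running either cmdlet."""
    return p["name"] == "powershell.exe" and (
        "Get-EventLog" in p["command_line"] or "Get-WinEvent" in p["command_line"])


def survivors(events, exclude):
    """Events that remain for triage after applying an exclusion predicate."""
    return [p for p in events if not exclude(p)]


if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_DNS_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], hit["IPAddresses"])
    print("kept as written :", [p["name"] for p in survivors(SAMPLE_PROCESS_EVENTS, excluded_as_written)])
    print("kept as intended:", [p["name"] for p in survivors(SAMPLE_PROCESS_EVENTS, excluded_intended)])
```

Run stand-alone, the hunt returns the two genuine IOC lookups (newest first) and drops the look-alike; the un-parenthesized exclusion keeps only one of the three process events, while the intended form correctly leaves the rundll32.exe event for triage.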