The ThreatFox: Unknown Loader IOCs rule detects potential adversary activity involving an unknown loader, which may be used to execute malicious payloads or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could evade traditional detection methods.
IOC Summary
Malware Family: Unknown Loader
Total IOCs: 3
IOC Types: sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | D25263FC9F895ED6FBC5F07AD009B87B2FE03D691C44E220CE37CE7042FFA9D9 | payload | 2026-05-27 | 75% |
| sha256_hash | C881253DAFCF1322A771139B1A429EC1E78C507CA81A218A20DC1A4B25ABBFE7 | payload | 2026-05-27 | 75% |
| sha256_hash | A8FFAB0B134E177655DD255F9B05296BB5CA7C40C5C1A2157DB81FC68B350FFD | payload | 2026-05-27 | 75% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown Loader
let malicious_hashes = dynamic([
    "D25263FC9F895ED6FBC5F07AD009B87B2FE03D691C44E220CE37CE7042FFA9D9",
    "C881253DAFCF1322A771139B1A429EC1E78C507CA81A218A20DC1A4B25ABBFE7",
    "A8FFAB0B134E177655DD255F9B05296BB5CA7C40C5C1A2157DB81FC68B350FFD"]);
DeviceFileEvents
// All three IOCs are SHA256 values, so only the SHA256 column can match them.
// in~ compares case-insensitively: ThreatFox publishes upper-case hashes while
// DeviceFileEvents stores them in lower case, and a plain `in` would never match.
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses a known tool like PowerShell.exe or task scheduler to perform system maintenance, which may trigger the rule due to IOCs in the script.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler with the Microsoft or System user context, or filter by CommandLine containing schtasks.exe or powershell.exe -Command.
Scenario: Admin Tool Execution
Description: An administrator uses a legitimate tool like PsExec or WMIC to remotely execute commands on a system, which may match the IOCs of the Unknown Loader.
Filter/Exclusion: Exclude processes started by PsExec (psexec.exe) or WMIC, or filter by User field matching an admin account with known privileges.
Scenario: Log Collection Job
Description: A log collection job using LogParser or Splunk might execute scripts that use IOCs similar to the Unknown Loader, especially if the script is parsing or moving log files.
Filter/Exclusion: Exclude processes with CommandLine containing LogParser.exe, Splunk.exe, or logman.exe, or filter by ProcessName matching known log management tools.
Scenario: Software Deployment via Group Policy
Description: A Group Policy Object (GPO) deployment might use tools like msiexec.exe or setup.exe to install software, which could trigger the rule due to similar IOCs.
Filter/Exclusion: Exclude processes initiated by gpupdate.exe or gpo.exe, or filter by User field matching a domain admin or GPO deployment account.
Scenario: Database Backup Job
Description: A database backup job using
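The scenarios above suggest exclusions, but dropping a hash match because it was launched by PowerShell or PsExec also drops exactly the cases a loader tends to produce. The query below is an added example, not part of the original rule, that keeps every hit and instead tags it with the scenario it resembles so an analyst can prioritise. It assumes the Defender for Endpoint `DeviceFileEvents` schema as ingested into Sentinel (`InitiatingProcessFileName`, `InitiatingProcessAccountName`, `InitiatingProcessCommandLine`); the tool lists are taken from the scenarios on this page.

```kusto
// Added example: tag, rather than exclude, the benign scenarios from the tuning notes.
let malicious_hashes = dynamic([
    "D25263FC9F895ED6FBC5F07AD009B87B2FE03D691C44E220CE37CE7042FFA9D9",
    "C881253DAFCF1322A771139B1A429EC1E78C507CA81A218A20DC1A4B25ABBFE7",
    "A8FFAB0B134E177655DD255F9B05296BB5CA7C40C5C1A2157DB81FC68B350FFD"]);
// Initiating-process names from the tuning scenarios, lower-cased for comparison.
let maintenance_tools = dynamic(["schtasks.exe", "powershell.exe"]);
let admin_tools       = dynamic(["psexec.exe", "wmic.exe"]);
let log_tools         = dynamic(["logparser.exe", "splunk.exe", "logman.exe"]);
let deploy_tools      = dynamic(["gpupdate.exe", "msiexec.exe", "setup.exe"]);
// Built-in Windows service accounts (assumed set) used to flag system-context hits.
let system_accounts   = dynamic(["system", "local service", "network service"]);
DeviceFileEvents
// in~ is case-insensitive: Defender stores lower-case hashes, ThreatFox publishes upper case.
| where SHA256 in~ (malicious_hashes)
| extend initiator = tolower(InitiatingProcessFileName),
         account   = tolower(InitiatingProcessAccountName)
| extend scenario = case(
    initiator in (maintenance_tools), "Scheduled maintenance task",
    initiator in (admin_tools),       "Admin tool execution",
    initiator in (log_tools),         "Log collection job",
    initiator in (deploy_tools),      "Software deployment via GPO",
    "No matching benign scenario"),
         system_context = account in (system_accounts)
| summarize hits       = count(),
            first_seen = min(Timestamp),
            last_seen  = max(Timestamp),
            devices    = make_set(DeviceName, 50),
            paths      = make_set(FolderPath, 20),
            initiators = make_set(InitiatingProcessCommandLine, 10)
    by SHA256, scenario, system_context
// Unexplained hits first; tagged rows stay in the result set for review.
| order by scenario == "No matching benign scenario" desc, last_seen desc
```

A row tagged with a benign scenario still carries a confirmed hash match on a loader payload; the tag explains the launch context, it does not clear the file.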