The ThreatFox: Unknown Stealer IOCs rule detects potential reconnaissance and data exfiltration activities associated with an unknown stealer malware, leveraging suspicious network connections and file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by an unknown adversary targeting sensitive data.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 151[.]243[.]113[.]33:9000 | payload_delivery | 2026-06-07 | 100% |
| ip:port | 151[.]243[.]113[.]33:443 | payload_delivery | 2026-06-07 | 100% |
| ip:port | 151[.]243[.]113[.]57:443 | payload_delivery | 2026-06-07 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown Stealer
let malicious_ips = dynamic(["151.243.113.33", "151.243.113.57"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["151.243.113.33", "151.243.113.57"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
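As an added example (not part of the ThreatFox feed or of this rule), the following Python helper refangs the ip:port IOCs from the table above, validates them, and emits the `let malicious_ips` line that both queries use, plus a stricter IP-and-port filter for DeviceNetworkEvents. The IOC list is the page's three values; the column names are those of the DeviceNetworkEvents query above.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the three defanged ip:port IOCs listed on this page.
RAW_IOCS = [
    "151[.]243[.]113[.]33:9000",
    "151[.]243[.]113[.]33:443",
    "151[.]243[.]113[.]57:443",
]

_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def refang(value: str) -> str:
    """Undo common defanging: '[.]' and '(.)' become '.', 'hxxp' becomes 'http'."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_ip_port(ioc: str) -> Tuple[str, int]:
    """Split an 'ip:port' IOC into a validated IPv4 address and port number."""
    ip, sep, port = refang(ioc.strip()).rpartition(":")
    if not sep:
        raise ValueError(f"missing port in {ioc!r}")
    m = _IPV4.match(ip)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    p = int(port)
    if not 0 < p < 65536:
        raise ValueError(f"port out of range: {port!r}")
    return ip, p


def group_by_ip(iocs: List[str]) -> Dict[str, Set[int]]:
    """Collapse ip:port IOCs to one entry per IP with the set of observed ports."""
    grouped: Dict[str, Set[int]] = {}
    for ioc in iocs:
        ip, port = parse_ip_port(ioc)
        grouped.setdefault(ip, set()).add(port)
    return grouped


def kql_ip_list(iocs: List[str]) -> str:
    """Emit the 'let malicious_ips = dynamic([...])' line used by the page's queries."""
    ips = sorted(group_by_ip(iocs))
    return "let malicious_ips = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"


def kql_ip_port_filter(iocs: List[str]) -> str:
    """Where-clause for DeviceNetworkEvents that also requires the observed port."""
    clauses = []
    for ip, ports in sorted(group_by_ip(iocs).items()):
        port_list = ", ".join(str(p) for p in sorted(ports))
        clauses.append(f'(RemoteIP == "{ip}" and RemotePort in ({port_list}))')
    return "| where " + "\n    or ".join(clauses)


if __name__ == "__main__":
    print(kql_ip_list(RAW_IOCS))
    print(kql_ip_port_filter(RAW_IOCS))
```

The IP-only `let` line reproduces the page's queries; the port-aware filter trades some recall for fewer hits on unrelated traffic to the same hosts.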
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job for System Monitoring
Description: A scheduled job runs pslist.exe (part of the Windows Sysinternals toolkit) to monitor running processes as part of routine system health checks.
Filter/Exclusion: Exclude processes executed by PsTools or Sysinternals tools, or filter by process name like pslist.exe.
Scenario: Administrative Task Using Process Explorer
Description: An administrator uses procexp.exe (Process Explorer) to investigate high memory usage on a server, which may trigger the rule due to its process listing capabilities.
Filter/Exclusion: Exclude processes launched from the procexp.exe executable or filter by user account (e.g., Administrator or Domain Admins).
Scenario: Legitimate Use of PowerShell for Log Analysis
Description: A script runs Get-WmiObject or Get-EventLog to analyze system logs, which may resemble malicious activity due to the use of WMI or event log commands.
Filter/Exclusion: Exclude PowerShell scripts executed from known security tools or filter by command-line arguments like -ComputerName or -LogName.
Scenario: Antivirus or EDR Tool Scanning
Description: A security tool like CrowdStrike or Microsoft Defender performs a full system scan, which may include processes that match the IOC patterns of the unknown stealer.
Filter/Exclusion: Exclude processes associated with known EDR/AV tools or filter by process names like mpcmdrun.exe, CsiPolicyAgent.exe, or MsMpEng.exe.
Scenario: Legitimate Use of PsExec for Remote Management
Description: An IT administrator uses psexec.exe (from Sysinternals) to remotely execute commands on a server, which may trigger the rule due to the