The ThreatFox: Unknown Stealer IOCs rule detects potential indicators of compromise associated with a previously unknown stealer malware, which may be used to exfiltrate sensitive data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity before data exfiltration can occur.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 5
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | pinescope11.com | payload_delivery | 2026-05-26 | 100% |
| domain | breteamz.com | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://sites.google.com/view/xbrewmacboe | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://pinescope11.com/curl/80ee53d07eee377f78c6ecbc5b40b6936703eefcb6e40a79d7af80bb53d9f1a7 | payload_delivery | 2026-05-26 | 100% |
| url | hxxps://breteamz.com/ | payload_delivery | 2026-05-26 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
let malicious_domains = dynamic(["pinescope11.com", "breteamz.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown Stealer
let malicious_urls = dynamic(["https://sites.google.com/view/xbrewmacboe", "https://pinescope11.com/curl/80ee53d07eee377f78c6ecbc5b40b6936703eefcb6e40a79d7af80bb53d9f1a7", "https://breteamz.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
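The two hunts above apply the IOC table as published: domain indicators against DNS query names, URL indicators against clicked URLs. The table lists URLs in defanged form (hxxps://), so anyone turning this page into a watchlist has to refang and normalize first, and has to decide two things the KQL leaves implicit: whether a subdomain of an IOC domain counts (it should), and whether the host of a URL indicator becomes a domain indicator in its own right (it should not, since sites.google.com is shared hosting and would flag every Google Sites visit). The following Python is an added example, not code from the page or from ThreatFox, that refangs the page's five IOCs and runs both matches over constructed DNS and URL-click records; the event field names mirror the Sentinel columns used in the KQL, and all sample events are made up for the demonstration.

```python
"""Refang ThreatFox-style IOCs and match them against DNS and URL-click events (added example)."""
import re
from urllib.parse import urlparse

# IOCs exactly as listed on the page (defanged form).
DEFANGED_IOCS = [
    ("domain", "pinescope11.com"),
    ("domain", "breteamz.com"),
    ("url", "hxxps://sites.google.com/view/xbrewmacboe"),
    ("url", "hxxps://pinescope11.com/curl/80ee53d07eee377f78c6ecbc5b40b6936703eefcb6e40a79d7af80bb53d9f1a7"),
    ("url", "hxxps://breteamz.com/"),
]


def refang(value):
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] or (.) -> '.'."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def normalize_url(url):
    """Canonical form for exact-URL comparison: lower-cased scheme and host,
    trailing slash removed from the path, query string and fragment dropped."""
    p = urlparse(url.strip())
    host = (p.hostname or "").lower().rstrip(".")
    path = p.path.rstrip("/") or "/"
    return f"{p.scheme.lower()}://{host}{path}"


def build_indicator_sets(iocs):
    """Return (domains, urls). URL hosts are deliberately NOT promoted to
    domain indicators: sites.google.com is shared hosting and would flag
    unrelated traffic, so URL IOCs are matched as whole URLs only."""
    domains, urls = set(), set()
    for kind, value in iocs:
        value = refang(value)
        if kind == "domain":
            domains.add(value.lower().rstrip("."))
        elif kind == "url":
            urls.add(normalize_url(value))
    return domains, urls


def match_domain(name, domains):
    """Return the IOC domain that `name` equals or is a subdomain of, else None.
    Label-boundary check: 'notpinescope11.com' must not match 'pinescope11.com'."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def dns_matches(dns_events, domains):
    """Equivalent of the DnsEvents hunt: (TimeGenerated, Computer, Name, matched IOC)."""
    hits = []
    for ev in dns_events:
        d = match_domain(ev["Name"], domains)
        if d:
            hits.append((ev["TimeGenerated"], ev["Computer"], ev["Name"], d))
    return hits


def url_matches(url_events, domains, urls):
    """Equivalent of the UrlClickEvents hunt, plus a domain check on the URL host so a
    new path on an IOC domain still fires: (Timestamp, AccountUpn, Url, reason)."""
    hits = []
    for ev in url_events:
        normalized = normalize_url(ev["Url"])
        if normalized in urls:
            hits.append((ev["Timestamp"], ev["AccountUpn"], ev["Url"], "url"))
            continue
        d = match_domain(urlparse(normalized).hostname or "", domains)
        if d:
            hits.append((ev["Timestamp"], ev["AccountUpn"], ev["Url"], "domain:" + d))
    return hits


# Constructed sample events (not real telemetry); hostnames and users are invented.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-26T09:14:02Z", "Computer": "WS-0412", "Name": "cdn.pinescope11.com"},
    {"TimeGenerated": "2026-05-26T09:14:05Z", "Computer": "WS-0412", "Name": "notpinescope11.com"},
    {"TimeGenerated": "2026-05-26T09:15:40Z", "Computer": "WS-0077", "Name": "breteamz.com."},
    {"TimeGenerated": "2026-05-26T09:16:01Z", "Computer": "WS-0077", "Name": "login.microsoftonline.com"},
]
SAMPLE_URL_EVENTS = [
    {"Timestamp": "2026-05-26T09:20:11Z", "AccountUpn": "a.user@example.test", "Url": "https://breteamz.com"},
    {"Timestamp": "2026-05-26T09:21:30Z", "AccountUpn": "b.user@example.test", "Url": "https://sites.google.com/view/xbrewmacboe?utm_source=mail"},
    {"Timestamp": "2026-05-26T09:22:45Z", "AccountUpn": "c.user@example.test", "Url": "https://pinescope11.com/login"},
    {"Timestamp": "2026-05-26T09:23:02Z", "AccountUpn": "d.user@example.test", "Url": "https://sites.google.com/view/team-handbook"},
]

if __name__ == "__main__":
    doms, urls = build_indicator_sets(DEFANGED_IOCS)
    for hit in dns_matches(SAMPLE_DNS_EVENTS, doms) + url_matches(SAMPLE_URL_EVENTS, doms, urls):
        print(hit)
```

Running it reports the two DNS hits (the subdomain and the trailing-dot name, not the look-alike) and three URL hits: two exact-URL matches, one of them despite a tracking query string, and one domain match on a path the feed never listed. The fourth URL event, another Google Sites page, stays quiet because URL hosts are not treated as domain indicators.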
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Maintenance Task
Description: A system administrator is running a scheduled maintenance job that uses a script containing a file path matching one of the IOCs.
Filter/Exclusion: Exclude files with file_path containing C:\Windows\System32\ or C:\Windows\SysWOW64\
Scenario: Antivirus Quarantine Scan
Description: An endpoint protection tool is quarantining a legitimate file that matches an IOC due to a false positive in its signature database.
Filter/Exclusion: Exclude files with process_name containing Antivirus or Malwarebytes and file_path containing Quarantine\
Scenario: Scheduled Backup Job
Description: A backup process is copying files to a network share, and the destination path matches an IOC associated with the stealer.
Filter/Exclusion: Exclude files with destination_path containing \\backup\ or \\nas\ and process_name containing backup or vss
Scenario: PowerShell Script for Configuration Management
Description: A PowerShell script used for configuration management (e.g., via SCCM or Ansible) is using a command-line argument that matches an IOC.
Filter/Exclusion: Exclude processes with process_name containing powershell.exe and command_line containing Configure-System or Ansible
Scenario: Log Collection Tool Using Known IOC
Description: A log collection tool (e.g., Splunk or ELK) is using a known IOC in its configuration to filter logs, causing a false positive.
Filter/Exclusion: Exclude files with file_path containing logs\ or Splunk\ and process_name containing splunk