The ThreatFox: Unknown Stealer IOCs rule detects potential reconnaissance and exfiltration activities associated with a previously unknown stealer malware, leveraging suspicious network traffic and file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises from advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown Stealer Total IOCs: 3 IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | filicoto.cat | payload_delivery | 2026-06-26 | 100% |
| domain | finanstyle.site | payload_delivery | 2026-06-26 | 100% |
| domain | fasttrackpackage.online | payload_delivery | 2026-06-26 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
let malicious_domains = dynamic(["filicoto.cat", "finanstyle.site", "fasttrackpackage.online"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job for System Monitoring
Description: A scheduled task runs a script that uses a tool like Process Monitor or ProcMon to monitor system activity for troubleshooting.
Filter/Exclusion: Exclude processes or commands associated with ProcMon, Process Monitor, or sysmon if they are part of a known enterprise monitoring tool.
Scenario: Admin Task Using PowerShell for Log Analysis
Description: An administrator uses PowerShell to analyze logs using scripts that may include commands resembling IOCs (e.g., Get-EventLog, Select-String).
Filter/Exclusion: Exclude PowerShell scripts that are known to be used by the enterprise’s internal log analysis tools (e.g., LogParser, PowerShell scripts in C:\Windows\System32\WindowsPowerShell\v1.0\).
Scenario: Software Update or Patching Process
Description: A legitimate software update or patching process may involve downloading files from a known repository that matches the IOC pattern.
Filter/Exclusion: Exclude file hashes or IP addresses associated with enterprise software update servers (e.g., Windows Update, WSUS, or internal patch management tools).
Scenario: Use of a Legitimate Stealer Tool for Compliance Purposes
Description: A security team may use a known stealer tool (e.g., Cobalt Strike, Mimikatz) for red teaming or compliance testing.
Filter/Exclusion: Exclude processes or hashes associated with authorized red teaming tools if they are part of a sanctioned security testing program.
Scenario: Internal Tool for Data Exfiltration (Legitimate Use Case)
Description: An internal data exfiltration tool (e.g., scp, rsync, or curl) is used for transferring data between servers as part