Adversaries may be using unknown stealer malware to exfiltrate sensitive data by leveraging compromised credentials or network access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data theft before significant damage occurs.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | health.hazelkit.one | botnet_cc | 2026-06-06 | 100% |
| domain | proxy.willowfleet.click | botnet_cc | 2026-06-06 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
let malicious_domains = dynamic(["health.hazelkit.one", "proxy.willowfleet.click"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job for System Maintenance
Description: A scheduled task runs a script that downloads a file from a known benign source as part of a routine system update or patching process.
Filter/Exclusion: Exclude files downloaded from trusted internal repositories or known update servers (e.g., file.source == "internal-update-server.example.com").
Scenario: Admin Task Involving External Artifact Download
Description: An administrator uses a tool like PowerShell or curl to download a legitimate configuration file or script from an external repository (e.g., GitHub) for automation purposes.
Filter/Exclusion: Exclude files from known safe domains (e.g., file.domain == "github.com" or file.domain == "example.com").
Scenario: Use of a Known Stealer Tool in a Test Environment
Description: A red team or security team is testing a detection rule by intentionally running a known stealer (e.g., Cobalt Strike, Lazarus, or Covenant) in a sandboxed or isolated environment.
Filter/Exclusion: Exclude processes running in a test or lab environment (e.g., process.parent_process_name == "sandboxed-vm" or process.machine_name == "test-vm-01").
Scenario: Legitimate File Transfer via PowerShell for Backup
Description: A backup script uses PowerShell to transfer files to a remote server, which may involve downloading or uploading files that match IOCs due to their format or naming.
Filter/Exclusion: Exclude PowerShell scripts associated with known backup tools (e.g., process.name == "backup-script.ps1" or process.user == "backup-service").
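The following is an added example, not code from the page or from ThreatFox: it emulates the DnsEvents hunt above offline, using label-boundary domain matching (so a query for a subdomain of an IOC still matches while a name that merely contains the IOC as a substring does not), and applies the test-environment exclusion from the scenario above by routing hits from lab hosts into a separate review bucket instead of discarding them. The DNS event rows and the lab-host list are constructed here; the IOC domains are the two from the table.

```python
"""Offline emulation of the DnsEvents hunt plus the lab-host exclusion.

Added example: the event rows and the lab allowlist are constructed for
illustration; they are not data from the page or from any real tenant.
"""
from typing import Iterable, Optional

# IOC domains from the hunt (type: domain, threat type: botnet_cc).
MALICIOUS_DOMAINS = {"health.hazelkit.one", "proxy.willowfleet.click"}

# Hypothetical isolated lab machines where red-team detonation is expected
# (the "Known Stealer Tool in a Test Environment" scenario). Assumed value.
LAB_HOSTS = {"test-vm-01"}

# Constructed sample rows shaped like the DnsEvents columns the query projects.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-06T08:15:02Z", "Computer": "ws-fin-07",
     "Name": "Health.Hazelkit.One.", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-06T08:16:40Z", "Computer": "ws-fin-07",
     "Name": "cdn.proxy.willowfleet.click", "IPAddresses": "", "QueryType": "AAAA"},
    {"TimeGenerated": "2026-06-06T09:00:11Z", "Computer": "test-vm-01",
     "Name": "proxy.willowfleet.click", "IPAddresses": "198.51.100.7", "QueryType": "A"},
    {"TimeGenerated": "2026-06-06T09:05:00Z", "Computer": "ws-hr-02",
     "Name": "update.example.com", "IPAddresses": "192.0.2.5", "QueryType": "A"},
    {"TimeGenerated": "2026-06-06T09:06:30Z", "Computer": "ws-hr-02",
     "Name": "nothealth.hazelkit.one", "IPAddresses": "192.0.2.9", "QueryType": "A"},
]


def normalize_name(name: str) -> str:
    """Lower-case the query name and strip the trailing dot some resolvers log."""
    return name.strip().lower().rstrip(".")


def matches_ioc(name: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Matching on label boundaries means 'cdn.proxy.willowfleet.click' hits
    'proxy.willowfleet.click', but 'nothealth.hazelkit.one' does not hit
    'health.hazelkit.one' (a plain substring check would).
    """
    n = normalize_name(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt_dns_events(events, iocs=MALICIOUS_DOMAINS, lab_hosts=LAB_HOSTS):
    """Emulate `DnsEvents | where Name has_any (iocs) | order by TimeGenerated desc`.

    Returns (alerts, suppressed): hits from production hosts, and hits from
    lab hosts kept aside for review rather than silently dropped. Both lists
    are newest first.
    """
    alerts, suppressed = [], []
    for ev in events:
        ioc = matches_ioc(ev["Name"], iocs)
        if ioc is None:
            continue
        hit = dict(ev, MatchedIoc=ioc)
        bucket = suppressed if ev["Computer"].lower() in lab_hosts else alerts
        bucket.append(hit)
    newest_first = lambda e: e["TimeGenerated"]  # ISO-8601 strings sort lexically
    return (sorted(alerts, key=newest_first, reverse=True),
            sorted(suppressed, key=newest_first, reverse=True))


if __name__ == "__main__":
    alerts, suppressed = hunt_dns_events(SAMPLE_EVENTS)
    for hit in alerts:
        print("ALERT", hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIoc"])
    for hit in suppressed:
        print("LAB  ", hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIoc"])
```

Keeping the lab-host hits in a separate bucket rather than filtering them out preserves the evidence if a "test" machine turns out not to be isolated; the same split is expressed in KQL by extending the hunt with `| extend IsLab = Computer in (lab_hosts)` and summarizing on that column.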
Scenario: Use of a Malicious-Looking Tool for Legitimate Purposes
Description: A tool like