The ThreatFox: Unknown Stealer IOCs rule detects potential indicators of compromise linked to a malicious stealer tool, which could be used to exfiltrate sensitive data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity before data exfiltration occurs.
IOC Summary
Malware Family: Unknown Stealer
Total IOCs: 2
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 178[.]105[.]175[.]202:443 | botnet_cc | 2026-05-31 | 75% |
| url | hxxps://178[.]105[.]175[.]202/gate?mode=beacon | botnet_cc | 2026-05-31 | 100% |
```kql
// Hunt for network connections to known malicious IPs (firewall / proxy CEF logs)
// Source: ThreatFox - Unknown Stealer
// Note: ThreatFox lists this IP together with port 443; the query below matches
// the IP in either direction regardless of port, so review DestinationPort in the results.
let malicious_ips = dynamic(["178.105.175.202"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events (outbound connections from managed devices)
// Source: ThreatFox - Unknown Stealer
let malicious_ips = dynamic(["178.105.175.202"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown Stealer
// Note: UrlClickEvents holds Safe Links click telemetry from email, Teams and Office apps,
// so it only surfaces the beacon URL if a user clicked it from one of those sources.
let malicious_urls = dynamic(["https://178.105.175.202/gate?mode=beacon"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
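The three queries above each cover one table and ignore the port that ThreatFox attaches to the IP IOC. The following query is an added example, not part of the original ThreatFox page or of any Microsoft-supplied rule: it refangs the two IOCs from the table, matches the IP:port pair and the beacon URL against Defender for Endpoint network telemetry (including `RemoteUrl`, which is where an endpoint records a direct C2 request rather than a Safe Links click), matches the IP and URL against CommonSecurityLog, and unions both into one per-host summary so a hunter sees every affected device in a single result set. The `lookback` window, the `Host`/`Source`/`DstIP` output column names and the 30-day range are assumptions chosen for this example; the table and column names are the standard Sentinel and Defender schemas.

```kql
// Added example (not from the original page): port-aware, cross-table hunt for the
// ThreatFox "Unknown Stealer" IOCs listed above.
// Assumptions: IOC values are refanged from the table above; lookback window and
// output column names are chosen for this example.
let lookback = 30d;
let ioc_ip = "178.105.175.202";
let ioc_port = 443;
let ioc_url = "https://178.105.175.202/gate?mode=beacon";
// Endpoint telemetry: require the IP *and* the listed port, or any request whose
// URL is the beacon URL or embeds the C2 IP (covers a changed path or query string).
let endpoint_hits =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where (RemoteIP == ioc_ip and RemotePort == ioc_port)
        or RemoteUrl =~ ioc_url
        or RemoteUrl contains ioc_ip
    | project Timestamp, Host = DeviceName, Source = "DeviceNetworkEvents",
              SrcIP = LocalIP, DstIP = RemoteIP, DstPort = RemotePort,
              Url = RemoteUrl, Process = InitiatingProcessFileName,
              CommandLine = InitiatingProcessCommandLine, Action = ActionType;
// Firewall / proxy logs: match the IP in either direction, plus the URL field
// when the device populates it; no process context is available here.
let network_hits =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DestinationIP == ioc_ip or SourceIP == ioc_ip
        or RequestURL contains ioc_ip
    | project Timestamp = TimeGenerated, Host = DeviceName, Source = "CommonSecurityLog",
              SrcIP = SourceIP, DstIP = DestinationIP, DstPort = DestinationPort,
              Url = RequestURL, Process = "", CommandLine = "", Action = DeviceAction;
// One row per host and destination, with the processes and URLs observed,
// so triage can start from the most recently active device.
union endpoint_hits, network_hits
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Processes = make_set(Process, 20),
            Urls = make_set(Url, 20),
            Actions = make_set(Action, 10)
    by Host, Source, DstIP, DstPort
| order by LastSeen desc
```

Run it as a single query in the Sentinel Logs blade; both `let` blocks are evaluated inside the same statement, so there is no name collision. A host that appears with `Source == "DeviceNetworkEvents"` and a non-empty `Processes` set gives the initiating binary to pivot on next, while a host that appears only in `CommonSecurityLog` indicates an unmanaged device or a gap in endpoint coverage.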
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job for Log Collection
Description: A scheduled task running logrotate directly or via cron is configured to rotate and compress log files, which may trigger the rule due to file system activity.
Filter/Exclusion: Exclude logrotate processes and the cron jobs that launch them by checking the command line arguments or using a filter like process.name != "logrotate".
Scenario: System Update via yum or apt
Description: A system update process using yum or apt may involve temporary files or scripts that match the IOCs of the Unknown Stealer.
Filter/Exclusion: Exclude processes initiated by yum or apt using a filter like process.name IN ("yum", "apt") or check for the presence of update-related command-line arguments.
Scenario: Admin Task Using ps or top for Monitoring
Description: An administrator may use ps or top to monitor running processes, which could be flagged if the command line includes suspicious arguments.
Filter/Exclusion: Exclude processes where the command line includes ps or top by checking the process.name field or using a filter like process.name IN ("ps", "top").
Scenario: Legitimate Script Execution via cron for Data Backup
Description: A cron job running a backup script (e.g., rsync, tar, or cp) may involve file operations that resemble malicious activity.
Filter/Exclusion: Exclude cron jobs by checking the source field or using a filter like source.type == "cron".
Scenario: System Monitoring Tool Using auditd or sysdig
Description: Tools like auditd or