Adversaries behind the "Unknown Webinject" malware family may be using the domains listed below to inject malicious code into user sessions and exfiltrate sensitive data. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate web-based attacks before they cause significant damage.
IOC Summary

- Malware Family: Unknown Webinject
- Total IOCs: 5
- IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | comicstar.lat | payload_delivery | 2026-05-26 | 100% |
| domain | lsikjsns.beer | payload_delivery | 2026-05-26 | 100% |
| domain | createbeer.beer | payload_delivery | 2026-05-26 | 100% |
| domain | visual-ns-portal.beer | payload_delivery | 2026-05-26 | 100% |
| domain | chekbrow.beer | payload_delivery | 2026-05-26 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Webinject
let malicious_domains = dynamic(["comicstar.lat", "lsikjsns.beer", "createbeer.beer", "visual-ns-portal.beer", "chekbrow.beer"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
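As an added example (not part of this page's hunt or of ThreatFox's tooling), the following Python reproduces the matching logic of the KQL query offline over constructed DnsEvents-style records. It normalizes the queried name and matches the IOC domain or any of its subdomains, so a look-alike label such as `notcomicstar.lat` does not produce a hit; the `DnsEvent` class, `SAMPLE_EVENTS` and all host names are assumptions made for the demonstration.

```python
# Added example, not the page's code: offline replica of the DnsEvents hunt.
from dataclasses import dataclass

# IOC list taken from the table on this page (ThreatFox, Unknown Webinject).
MALICIOUS_DOMAINS = {
    "comicstar.lat",
    "lsikjsns.beer",
    "createbeer.beer",
    "visual-ns-portal.beer",
    "chekbrow.beer",
}

@dataclass(frozen=True)
class DnsEvent:
    time_generated: str   # ISO timestamp, stands in for TimeGenerated
    computer: str
    name: str             # queried name as logged (may carry a trailing dot)
    query_type: str

def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot that resolvers often log."""
    return name.strip().lower().rstrip(".")

def matched_ioc(name: str, iocs=MALICIOUS_DOMAINS):
    """Return the IOC the query matches (the domain itself or any subdomain),
    or None; a longer label such as notcomicstar.lat is not a match."""
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None

def hunt(events):
    """Counterpart of the KQL filter: matching events, newest first."""
    hits = [(e, matched_ioc(e.name)) for e in events]
    return sorted((h for h in hits if h[1]),
                  key=lambda h: h[0].time_generated, reverse=True)

# Constructed sample records (not real telemetry) in DnsEvents shape.
SAMPLE_EVENTS = [
    DnsEvent("2026-05-26T08:01:00Z", "ws-01", "comicstar.lat.", "A"),
    DnsEvent("2026-05-26T08:02:30Z", "ws-02", "cdn.chekbrow.beer", "A"),
    DnsEvent("2026-05-26T08:03:10Z", "ws-03", "notcomicstar.lat", "A"),
    DnsEvent("2026-05-26T08:04:45Z", "ws-01", "VISUAL-NS-PORTAL.BEER", "AAAA"),
    DnsEvent("2026-05-26T08:05:00Z", "ws-04", "example.org", "A"),
]

if __name__ == "__main__":
    for event, ioc in hunt(SAMPLE_EVENTS):
        print(event.time_generated, event.computer, event.name, "->", ioc)
```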
False Positive Scenarios

Scenario: Scheduled System Backup Using rsync
- Description: A legitimate scheduled backup job using rsync may include URLs or scripts that resemble webinject IOCs due to the use of temporary or staging URLs.
- Filter/Exclusion: Exclude processes initiated by the rsync binary or tasks scheduled via cron with known backup directories.

Scenario: Admin Task Using curl for API Testing
- Description: System administrators may use curl to test internal APIs, which could include URLs that match the pattern of webinject IOCs.
- Filter/Exclusion: Exclude processes initiated by user accounts with admin privileges or where the command line includes -k or --insecure flags for testing purposes.

Scenario: Log Collection via logrotate with External Scripts
- Description: The logrotate utility may execute external scripts or use temporary URLs for log aggregation, which could trigger the rule.
- Filter/Exclusion: Exclude processes initiated by the logrotate service or scripts located in the /etc/logrotate.d/ directory.

Scenario: CI/CD Pipeline Using curl for Artifact Download
- Description: Continuous integration pipelines often use curl to download artifacts from private repositories, which may include URLs that match the rule's IOC patterns.
- Filter/Exclusion: Exclude processes initiated by CI/CD agents (e.g., Jenkins, GitLab CI) or where the URL domain matches known internal artifact repositories.

Scenario: Web Application Deployment Using wget with Temporary Files
- Description: Deployment scripts may use wget to download configuration files or dependencies, which could include URLs that resemble webinject IOCs.
- Filter/Exclusion: Exclude processes initiated by deployment scripts or where the URL path contains known deployment directories (e.g., /deploy/, `/config