Adversaries may be using infrastructure tied to an as-yet unattributed webinject family (tracked on ThreatFox as "Unknown Webinject") to inject malicious code into user sessions and exfiltrate sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential credential theft and data compromise campaigns.
IOC Summary

Malware Family: Unknown Webinject
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | chinabowl.club | payload_delivery | 2026-06-08 | 100% |
| domain | lizablud.shop | payload_delivery | 2026-06-08 | 100% |
Hunt query (KQL):

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Webinject
let malicious_domains = dynamic(["chinabowl.club", "lizablud.shop"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Scheduled System Backup via Webinject
Description: A legitimate scheduled backup process uses a known webinject tool (e.g., wbadmin on Windows) to initiate a backup over the network.
Filter/Exclusion: Exclude traffic originating from known backup systems or processes (e.g., wbadmin, vssadmin, or specific service accounts used for backups).
Scenario: Admin Task: User Management via Webinject
Description: An administrator uses a webinject tool (e.g., PowerShell or Invoke-WebRequest) to perform routine user management tasks (e.g., adding users, resetting passwords).
Filter/Exclusion: Exclude traffic from admin accounts or processes associated with user management (e.g., Administrators group, UserManagement script names).
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a build artifact from a known repository using a webinject method (e.g., curl, wget, or Invoke-WebRequest).
Filter/Exclusion: Exclude traffic from CI/CD agents or to known artifact repositories (e.g., artifactory, Nexus, or GitHub Packages).
Scenario: Network Monitoring Tool Data Collection
Description: A network monitoring tool (e.g., Wireshark, tcpdump, or PRTG) uses a webinject method to collect or send network data.
Filter/Exclusion: Exclude traffic from known monitoring tools or from specific IP ranges used by network monitoring systems.
Scenario: Legacy System Maintenance via Webinject
Description: A legacy system (e.g., an old ERP or CRM) uses a webinject method to perform maintenance tasks (e.g., patching, configuration updates).