This detection identifies potential ACR Stealer activity by matching DNS queries against IOCs associated with its command-and-control infrastructure; a hit indicates an adversary may be exfiltrating credentials from Azure Container Registry. SOC teams should proactively hunt for this behavior to detect and mitigate early-stage compromise before data exfiltration occurs.
IOC Summary
Malware Family: ACR Stealer
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | wfv.floatpried.icu | botnet_cc | 2026-05-24 | 100% |
| domain | ggx-tn-connectir.unwittingdork.digital | botnet_cc | 2026-05-24 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ACR Stealer
let malicious_domains = dynamic(["wfv.floatpried.icu", "ggx-tn-connectir.unwittingdork.digital"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
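As an added example (not part of the original detection content), the same IOC match as a stand-alone Python function run over constructed DNS records shaped like DnsEvents rows. It normalises query names (lowercase, trailing dot stripped) and fires on the listed C2 domains and their subdomains, but not on look-alike names that merely contain an IOC as a substring.

```python
"""Added example: stand-alone equivalent of the DnsEvents hunt above, run over
constructed sample records. A query fires when it equals a listed C2 domain or
is a subdomain of it; 'notwfv.floatpried.icu' does not, 'cdn.wfv.floatpried.icu' does."""

# IOCs from the page's ThreatFox-sourced table
MALICIOUS_DOMAINS = (
    "wfv.floatpried.icu",
    "ggx-tn-connectir.unwittingdork.digital",
)

def normalise(name: str) -> str:
    """Lowercase and strip the trailing dot that DNS telemetry often carries."""
    return name.strip().lower().rstrip(".")

def match_ioc(query_name: str, iocs=MALICIOUS_DOMAINS):
    """Return the IOC that query_name equals or is a subdomain of, else None."""
    q = normalise(query_name)
    for ioc in iocs:
        i = normalise(ioc)
        if q == i or q.endswith("." + i):
            return i
    return None

def hunt(records, iocs=MALICIOUS_DOMAINS):
    """Mirror the KQL: keep matching rows, project the key columns,
    order by TimeGenerated descending."""
    hits = []
    for r in records:
        ioc = match_ioc(r["Name"], iocs)
        if ioc is not None:
            hits.append({"TimeGenerated": r["TimeGenerated"], "Computer": r["Computer"],
                         "Name": r["Name"], "QueryType": r["QueryType"], "MatchedIOC": ioc})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)

# Constructed sample records shaped like DnsEvents rows (not real telemetry)
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-24T09:12:03Z", "Computer": "ws-0142",
     "Name": "www.example.com", "QueryType": "A"},
    {"TimeGenerated": "2026-05-24T09:12:41Z", "Computer": "ws-0142",
     "Name": "WFV.floatpried.icu.", "QueryType": "A"},
    {"TimeGenerated": "2026-05-24T09:13:07Z", "Computer": "ws-0077",
     "Name": "cdn.ggx-tn-connectir.unwittingdork.digital", "QueryType": "A"},
    {"TimeGenerated": "2026-05-24T09:13:30Z", "Computer": "ws-0077",
     "Name": "notwfv.floatpried.icu", "QueryType": "A"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```

The two hits returned for the sample records are the trailing-dot, mixed-case query and the subdomain query; the benign name and the look-alike are dropped.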
Scenario: Legitimate scheduled job for system maintenance
Description: A scheduled task using schtasks.exe runs a legitimate maintenance script that matches the IOC pattern.
Filter/Exclusion: Exclude processes associated with schtasks.exe where the command line includes known maintenance scripts (e.g., C:\Windows\System32\sched.exe with C:\Windows\System32\maintenance.bat).
Scenario: Admin using Process Explorer to debug a service
Description: An admin uses procmon.exe (Process Monitor) to investigate a service that matches the IOC pattern.
Filter/Exclusion: Exclude processes with procmon.exe or procexp.exe running in administrative contexts during known maintenance windows.
Scenario: Regular use of PowerShell for log analysis
Description: A system administrator runs a PowerShell script using powershell.exe to analyze logs, which inadvertently matches the IOC pattern.
Filter/Exclusion: Exclude processes where the command line includes -File and a known admin script path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scripts\log_analyzer.ps1).
Scenario: Deployment of a legitimate third-party tool with similar artifacts
Description: A legitimate security tool (e.g., CrowdStrike Falcon or Microsoft Defender ATP) is installed and its components match the IOC pattern.
Filter/Exclusion: Exclude processes from known security tools by checking the process name or parent process against a whitelist of trusted security software.
Scenario: Use of a legitimate configuration management tool
Description: A configuration management tool like Ansible or Puppet runs a task that generates files matching the IOC pattern.
Filter/Exclusion: Exclude processes associated with configuration management tools (e.g., ansible.exe,