This detection identifies potential ACR Stealer activity through known command-and-control (C2) domains published as IOCs. ACR Stealer is an information-stealing malware family: it harvests browser-stored credentials, cookies, cryptocurrency wallets and files from infected Windows hosts and sends them to attacker-controlled infrastructure. The name has nothing to do with Azure Container Registry. A DNS query for one of the domains below means a host has likely executed the stealer and is attempting to reach its C2 to deliver stolen data. SOC teams should hunt for this behavior proactively so that the compromise is contained before credential theft is used for further access.
IOC Summary
Malware Family: ACR Stealer
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | grok.seescanf.cc | botnet_cc | 2026-05-29 | 100% |
| domain | ani.hitnoop.cc | botnet_cc | 2026-05-29 | 100% |
| domain | uek.kernelshift.cc | botnet_cc | 2026-05-29 | 100% |
// Hunt for DNS queries to known ACR Stealer C2 domains
// Source: ThreatFox - ACR Stealer
// has_any matches the exact name and any subdomain of it (e.g. cdn.grok.seescanf.cc);
// it does not match a name that merely contains the string (notgrok.seescanf.cc).
let malicious_domains = dynamic(["grok.seescanf.cc", "ani.hitnoop.cc", "uek.kernelshift.cc"]);
DnsEvents
| where Name has_any (malicious_domains)
// Computer is the DNS server that logged the query; ClientIP is the host that asked.
// IPAddresses holds the answer: a sinkhole address here still means the client tried to reach C2.
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS Analytics connector on Windows DNS servers; ensure this data connector is enabled. If DNS is ingested via AMA instead, the same name filter applies to ASimDnsActivityLogs (query name in DnsQuery, client in SrcIpAddr). |
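The same hunt logic, re-implemented here as an added example so it can be exercised offline against constructed DnsEvents-style records; this is not code from the original page or from ThreatFox. It normalizes the queried name the way DNS logs require (trailing dot, case), matches exact names and subdomains the way the KQL `has_any` clause does, flags rather than drops hits from a hypothetical set of analysis hosts (`ANALYSIS_CLIENTS`, assumed), and can emit the `dynamic([...])` list used in the query. All hostnames, IPs and timestamps in the sample records are constructed.

```python
"""Offline replica of the DnsEvents hunt for ACR Stealer C2 domains (added example)."""
from dataclasses import dataclass
from typing import Iterable, Optional

# IOC list as published on the page (ThreatFox, ACR Stealer).
MALICIOUS_DOMAINS = {"grok.seescanf.cc", "ani.hitnoop.cc", "uek.kernelshift.cc"}

# Hypothetical: source IPs of dedicated sandbox / threat-intel enrichment hosts whose
# lookups of IOC domains are expected. Hits from them are flagged, never discarded.
ANALYSIS_CLIENTS = {"10.9.0.5"}


@dataclass(frozen=True)
class DnsEvent:
    time_generated: str   # ISO-8601 UTC
    computer: str         # DNS server that logged the query
    client_ip: str        # host that sent the query
    name: str             # queried name exactly as logged
    ip_addresses: str     # answer; empty for NXDOMAIN/no data
    query_type: str


def normalize(name: str) -> str:
    """DNS logs vary in trailing dot, case and whitespace; compare canonical forms."""
    return name.strip().rstrip(".").lower()


def matched_ioc(name: str) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Approximates KQL `Name has_any (malicious_domains)` on a dotted name: the
    exact domain or a child label chain matches; a bare substring does not.
    """
    n = normalize(name)
    for ioc in sorted(MALICIOUS_DOMAINS):
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt(events: Iterable[DnsEvent]) -> list[dict]:
    """Equivalent of the KQL pipeline: filter, project, order by TimeGenerated desc."""
    hits = []
    for ev in events:
        ioc = matched_ioc(ev.name)
        if ioc is None:
            continue
        hits.append({
            "time": ev.time_generated,
            "computer": ev.computer,
            "client_ip": ev.client_ip,
            "name": ev.name,
            "ioc": ioc,
            "answer": ev.ip_addresses,           # sinkhole IP here is still a C2 attempt
            "expected": ev.client_ip in ANALYSIS_CLIENTS,  # triage flag for analysis hosts
        })
    hits.sort(key=lambda h: h["time"], reverse=True)
    return hits


def kql_domain_list() -> str:
    """Render the IOC set as the `dynamic([...])` literal used in the Sentinel query."""
    inner = ", ".join('"%s"' % d for d in sorted(MALICIOUS_DOMAINS))
    return "dynamic([%s])" % inner


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    DnsEvent("2026-05-30T08:15:02Z", "dns01.corp.example", "10.1.4.23",
             "grok.seescanf.cc.", "203.0.113.10", "A"),      # exact match, trailing dot
    DnsEvent("2026-05-30T09:02:41Z", "dns01.corp.example", "10.1.9.8",
             "cdn.ani.hitnoop.cc", "", "A"),                  # subdomain, NXDOMAIN
    DnsEvent("2026-05-30T09:10:00Z", "dns01.corp.example", "10.1.2.2",
             "notgrok.seescanf.cc", "198.51.100.3", "A"),     # substring only: no match
    DnsEvent("2026-05-30T07:40:13Z", "dns02.corp.example", "10.9.0.5",
             "UEK.KERNELSHIFT.CC", "198.51.100.7", "A"),      # sandbox host, upper case
    DnsEvent("2026-05-30T09:11:30Z", "dns01.corp.example", "10.1.4.23",
             "www.microsoft.com", "20.70.246.20", "A"),       # benign
]


if __name__ == "__main__":
    print(kql_domain_list())
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Run as-is and three hits come back, newest first; the `UEK.KERNELSHIFT.CC` lookup is marked `expected` because it came from the assumed sandbox address, but it is still returned so an analyst can confirm that host really is an analysis box.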
The query above matches on the queried DNS name only. Exclusions based on file names, file hashes, log rotation, backup tooling, PowerShell command lines or patch deployment have no bearing on it, and adding them would only blind the rule. The benign sources that can actually produce a hit are:
Scenario: Security tooling resolving IOC domains
Description: Sandboxes, URL scanners, threat-intelligence enrichment jobs and some proxy or EDR appliances resolve known-bad domains as part of their analysis, producing lookups that match this query without any infection.
Filter/Exclusion: Exclude by ClientIP (or Computer) of the dedicated analysis hosts only. Never exclude the domains themselves, and review the exclusion list whenever analysis infrastructure changes.
Scenario: Analyst investigation
Description: While triaging this alert an analyst pings, browses to, or otherwise resolves an IOC domain from a workstation, generating a second hit from a different client.
Filter/Exclusion: Correlate with the open incident and the analyst's host rather than excluding globally; investigation of C2 domains should be done from an isolated analysis host.
Scenario: DNS sinkhole or response policy zone
Description: When the domain is blocked by a sinkhole or RPZ, the query is still logged in DnsEvents, but IPAddresses holds the sinkhole address instead of the attacker's.
Filter/Exclusion: Do not exclude. The client attempted C2 contact and should be treated as infected even though the connection was blocked.
Scenario: Internal resolver or proxy masks the client
Description: Queries forwarded through an internal forwarder, recursive resolver or proxy are attributed to that device, so ClientIP points at the forwarder rather than at the infected host.
Filter/Exclusion: Do not exclude the forwarder; pivot to its own query or access logs to identify the originating client.
Scenario: Containerized workloads
Description: A container on a Docker host uses the host's resolver path, so a lookup from a compromised container is attributed to the host's IP address.
Filter/Exclusion: None. Treat the host as compromised until the container and process that issued the lookup have been identified.