This detection identifies potential ACR Stealer activity through known command-and-control (C2) domain IOCs. ACR Stealer is an information-stealing malware family (the name is unrelated to Azure Container Registry); a DNS query for one of the listed domains indicates a host may be beaconing to its C2 and exfiltrating harvested credentials and browser data. SOC teams should proactively hunt for this behavior in Microsoft Sentinel to detect and contain the compromise early.
IOC Summary
Malware Family: ACR Stealer
Total IOCs: 6
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | rept.seescanf.cc | botnet_cc | 2026-05-26 | 100% |
| domain | lopp.hitnoop.cc | botnet_cc | 2026-05-26 | 100% |
| domain | hertzfigblob.icu | botnet_cc | 2026-05-26 | 100% |
| domain | td.distributedruntimehub.surf | botnet_cc | 2026-05-26 | 100% |
| domain | laserlogdnsop.icu | botnet_cc | 2026-05-26 | 100% |
| domain | ht.overpassheader.surf | botnet_cc | 2026-05-26 | 100% |
```kql
// Hunt for DNS queries to known ACR Stealer C2 domains
// Source: ThreatFox - ACR Stealer
// has_any matches the IOC as a term phrase, so subdomains of an IOC domain also hit
let malicious_domains = dynamic(["rept.seescanf.cc", "lopp.hitnoop.cc", "hertzfigblob.icu", "td.distributedruntimehub.surf", "laserlogdnsop.icu", "ht.overpassheader.surf"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
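The same hunt logic, reproduced in Python as an added example so it can be run offline over constructed DnsEvents-style records. This is not part of the original detection; the sample events, host names and IP addresses are made up. It matches a queried name when it equals an IOC domain or is a subdomain of one (a stricter suffix match than the KQL `has_any` term phrase), normalizes case and the trailing dot some resolvers log, and applies an optional allow-list of hosts such as sandboxes that are expected to resolve IOCs.

```python
"""Added example: ACR Stealer C2-domain hunt over DnsEvents-style records.

Not the page's own code. The IOC list is the one published on the page
(ThreatFox, ACR Stealer); all events below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, List

# IOC domains as listed on the page (botnet_cc, 100% confidence).
MALICIOUS_DOMAINS: FrozenSet[str] = frozenset({
    "rept.seescanf.cc",
    "lopp.hitnoop.cc",
    "hertzfigblob.icu",
    "td.distributedruntimehub.surf",
    "laserlogdnsop.icu",
    "ht.overpassheader.surf",
})


@dataclass(frozen=True)
class DnsEvent:
    """Subset of the Sentinel DnsEvents columns the query projects."""
    time_generated: datetime
    computer: str
    client_ip: str
    name: str
    ip_addresses: str
    query_type: str


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot of a fully qualified query."""
    return name.strip().rstrip(".").lower()


def matches_ioc(name: str, iocs: FrozenSet[str] = MALICIOUS_DOMAINS) -> bool:
    """True if the queried name is an IOC domain or a subdomain of one.

    Suffix matching: "update.lopp.hitnoop.cc" hits, while a look-alike such as
    "lopp.hitnoop.cc.internal.example.com" or the parent "hitnoop.cc" does not.
    """
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in iocs)


def hunt(events: Iterable[DnsEvent],
         allowlisted_computers: Iterable[str] = ()) -> List[DnsEvent]:
    """Return IOC hits, newest first, excluding allow-listed hosts.

    The allow-list is for systems that resolve IOCs by design (sandboxes,
    threat-intel enrichment); it is an assumption of this example, not a
    field in DnsEvents.
    """
    allow = {c.lower() for c in allowlisted_computers}
    hits = [e for e in events
            if matches_ioc(e.name) and e.computer.lower() not in allow]
    return sorted(hits, key=lambda e: e.time_generated, reverse=True)


# Constructed sample log: two true hits, one subdomain hit, one hit from a
# sandbox host, one benign query and one look-alike that must not match.
SAMPLE_EVENTS: List[DnsEvent] = [
    DnsEvent(datetime(2026, 5, 27, 8, 0), "WS-0142", "10.1.2.3",
             "rept.seescanf.cc", "203.0.113.10", "A"),
    DnsEvent(datetime(2026, 5, 27, 8, 5), "WS-0142", "10.1.2.3",
             "www.microsoft.com", "198.51.100.7", "A"),
    DnsEvent(datetime(2026, 5, 27, 9, 10), "TI-SANDBOX01", "10.9.9.9",
             "HERTZFIGBLOB.ICU.", "203.0.113.11", "A"),
    DnsEvent(datetime(2026, 5, 27, 7, 30), "SRV-FILE01", "10.1.5.20",
             "td.distributedruntimehub.surf", "203.0.113.12", "A"),
    DnsEvent(datetime(2026, 5, 27, 9, 0), "WS-0200", "10.1.2.44",
             "update.lopp.hitnoop.cc", "203.0.113.13", "A"),
    DnsEvent(datetime(2026, 5, 27, 9, 5), "WS-0300", "10.1.2.45",
             "lopp.hitnoop.cc.internal.example.com", "10.0.0.5", "A"),
]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS, allowlisted_computers={"ti-sandbox01"}):
        print(f"{e.time_generated:%Y-%m-%d %H:%M} {e.computer:<12} "
              f"{e.client_ip:<12} {e.name} -> {e.ip_addresses} ({e.query_type})")
```

Running the block prints the three non-sandbox hits newest first. Suffix matching is deliberate: `has_any` in the KQL would also flag the look-alike `lopp.hitnoop.cc.internal.example.com` because the IOC appears as a term phrase inside it, so if that matters in your environment, replace `has_any` with an `endswith`-style check or a parsed-domain comparison.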
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled. The table is populated by the DNS Analytics solution; if DNS telemetry is collected through ASIM instead, map Name to DnsQuery in ASimDnsActivityLogs. |
False positives and exclusions

The query keys only on the queried domain name. DnsEvents carries no task name, process name or command line, so none of the process-based exclusions below can be applied to it directly; they would require joining to a process-aware source such as Defender for Endpoint DeviceNetworkEvents on host and time. Because the listed domains are dedicated C2 infrastructure at 100% confidence, none of the activities below is expected to resolve them, and a hit from a host performing one of them should still be triaged rather than suppressed. Limit exclusions to a small, explicit allow-list of systems that resolve IOCs by design (analyst workstations, sandboxes, threat-intelligence enrichment).

Scenario: Legitimate Windows Update Scheduled Task
Description: A scheduled task created by Windows Update that downloads and executes an update package. It produces process and network activity, but is not expected to resolve any of the listed domains.
Filter/Exclusion: Excluding tasks whose TaskName contains "Windows Update" or whose CommandLine contains wuauclt.exe requires a process-aware table; do not apply it to DnsEvents hits.

Scenario: Microsoft Endpoint Detection and Response (EDR) Agent Installation
Description: Agent installation downloads and executes a package from Microsoft infrastructure, not from the listed C2 domains.
Filter/Exclusion: Excluding processes whose ProcessName contains "Microsoft Monitoring Agent" or "Microsoft Intune" is only possible on a process-aware table and does not suppress a DNS hit.

Scenario: System File Checker (SFC) Scan
Description: An SFC scan executes and repairs local system files; it generates no DNS queries for the listed domains.
Filter/Exclusion: Excluding ProcessName "sfc.exe" or "dism.exe" is not applicable to this DNS-based detection.

Scenario: Legitimate Software Deployment via SCCM
Description: SCCM deployments can resemble malware delivery in process and file telemetry, but this detection does not match on file names or hashes, only on queried domains.
Filter/Exclusion: Excluding ProcessName "ccmexec.exe" or "smsutil.exe" belongs to a process-based rule, not to this query.

Scenario: Admin Task for Log Collection and Analysis
Description: Analyst tooling, log parsers or scripts that enrich or resolve indicators may legitimately query the listed domains.
Filter/Exclusion: Exclude by Computer or ClientIP for a named allow-list of analyst and sandbox hosts. Do not exclude on PowerShell.exe command lines containing "log collection" or "analysis"; that string is trivially added by an attacker and would blind the rule.