The ThreatFox: ACR Stealer IOCs rule hunts for DNS queries to domains that ThreatFox attributes to the ACR Stealer malware, which is known for exfiltrating credentials and secrets from Azure Container Registry. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify and mitigate early-stage compromise attempts.
IOC Summary

Malware Family: ACR Stealer
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | xzz.proxygrid.cc | botnet_cc | 2026-06-06 | 100% |
| domain | pmpo.cloudvector.cc | botnet_cc | 2026-06-06 | 100% |
| domain | gsk.scriptlattice.cc | botnet_cc | 2026-06-06 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ACR Stealer
let malicious_domains = dynamic(["xzz.proxygrid.cc", "pmpo.cloudvector.cc", "gsk.scriptlattice.cc"]);
DnsEvents
// has_any matches whole terms, so subdomains of an IOC (e.g. "sub.xzz.proxygrid.cc") also match,
// while a name that merely ends in the same characters (e.g. "notxzz.proxygrid.cc") does not
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
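To check the match semantics of the hunt query offline before scheduling it, here is an added Python emulation of the query over constructed DnsEvents-style records. It is not part of the ThreatFox page or of Microsoft Sentinel; the record layout and sample rows are assumptions built to mirror the projected columns, and the IP addresses are documentation-range values, not real resolutions.

```python
"""Added example (not from the page or from Sentinel): emulate
`DnsEvents | where Name has_any (malicious_domains) | project ... | order by TimeGenerated desc`
over constructed records, including the subdomain and look-alike edge cases."""
from typing import Dict, List, Optional

# IOC domains from the page's ThreatFox table (ACR Stealer).
MALICIOUS_DOMAINS = ["xzz.proxygrid.cc", "pmpo.cloudvector.cc", "gsk.scriptlattice.cc"]


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'XZZ.proxygrid.cc.' compares equal to the IOC."""
    return name.strip().lower().rstrip(".")


def matches_ioc(query_name: str, iocs: List[str] = MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the matching IOC when query_name is that domain or a subdomain of it.

    Label-boundary matching mirrors what KQL has_any does with dotted terms:
    'sub.xzz.proxygrid.cc' matches, 'notxzz.proxygrid.cc' does not.
    A naive endswith() check would wrongly flag the latter.
    """
    q = normalize(query_name)
    for ioc in iocs:
        d = normalize(ioc)
        if q == d or q.endswith("." + d):
            return d
    return None


def hunt(dns_events: List[Dict[str, str]], iocs: List[str] = MALICIOUS_DOMAINS) -> List[Dict[str, str]]:
    """Filter, project the same columns as the KQL, and sort newest first."""
    hits = []
    for ev in dns_events:
        ioc = matches_ioc(ev["Name"], iocs)
        if ioc is None:
            continue
        hits.append({
            "TimeGenerated": ev["TimeGenerated"],
            "Computer": ev["Computer"],
            "Name": ev["Name"],
            "IPAddresses": ev.get("IPAddresses", ""),
            "QueryType": ev.get("QueryType", ""),
            "MatchedIOC": ioc,  # extra column for triage; not in the original projection
        })
    # ISO-8601 UTC timestamps sort correctly as strings.
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)
    return hits


# Constructed sample DnsEvents rows (hypothetical hosts, documentation-range IPs).
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-06-06T08:00:01Z", "Computer": "ws-01", "Name": "xzz.proxygrid.cc",
     "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-06T08:05:44Z", "Computer": "ws-02", "Name": "api.pmpo.cloudvector.cc.",
     "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-06-06T08:03:12Z", "Computer": "ws-03", "Name": "notxzz.proxygrid.cc",
     "IPAddresses": "198.51.100.5", "QueryType": "A"},
    {"TimeGenerated": "2026-06-06T08:07:59Z", "Computer": "ws-04", "Name": "GSK.SCRIPTLATTICE.CC",
     "IPAddresses": "203.0.113.12", "QueryType": "AAAA"},
    {"TimeGenerated": "2026-06-06T08:01:30Z", "Computer": "ws-05", "Name": "archive.ubuntu.com",
     "IPAddresses": "192.0.2.20", "QueryType": "A"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```

Running it on the sample rows yields three hits (ws-04, ws-02, ws-01, newest first): the mixed-case name and the trailing-dot subdomain are caught, while the look-alike `notxzz.proxygrid.cc` and the unrelated `archive.ubuntu.com` are not. If the real DnsEvents feed ever normalizes names differently (for example keeping the trailing dot), this is the function to adjust.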
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled backup job using tar and rsync | A backup process uses tar and rsync to archive and transfer system files, which may match the IOCs associated with ACR Stealer. | Check for the presence of tar and rsync in the command line, and ensure the destination path is a known backup location (e.g., /backup/ or /var/backups/). |
| Admin task using wget to download a trusted configuration file | A system administrator uses wget to download a trusted configuration file from an internal server, which may be flagged due to the use of wget. | Filter by source IP (internal IP range) and verify the file hash against a known good hash stored in a central repository. |
| Regular system update using apt and dpkg | A package update process using apt and dpkg may trigger the rule due to the presence of suspicious command-line arguments or file paths. | Filter by process name (apt or dpkg) and check for known package repositories (e.g., http://archive.ubuntu.com). |
| Logrotate job using gzip and mv | A log rotation job uses gzip and mv to compress and move log files, which may match the IOCs of ACR Stealer. | Check for the presence of log directories (e.g., /var/log/) and ensure the command is associated with a known log rotation script (e.g., /etc/logrotate.d/). |
| Internal tool using curl to fetch internal API data | | |