The ThreatFox: Agent Tesla IOCs rule detects potential adversary activity associated with the Agent Tesla malware, which is known for stealing credentials and exfiltrating sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that could compromise organizational assets.
IOC Summary

Malware Family: Agent Tesla
Total IOCs: 6
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | e4a8efef165b15db21b9aa1fa13586119c9b433e | payload | 2026-06-17 | 95% |
| md5_hash | 1e0852887af0490bf192a9e7d06acf49 | payload | 2026-06-17 | 95% |
| sha256_hash | 07a018c6af370b03e0daa84a1dc214ab516fe9f6ce180e64248bc2682d550d9c | payload | 2026-06-17 | 95% |
| md5_hash | 0ad93109b547084f43fe09682c4825cb | payload | 2026-06-17 | 95% |
| sha256_hash | 5b7146ddfce30ff5d5c8215ba0ba68544726a03da31bf3074c4086587fda1370 | payload | 2026-06-17 | 95% |
| sha1_hash | 23795a745385b1444cfe8618603f623d686573f9 | payload | 2026-06-17 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Agent Tesla
// The list mixes SHA1, SHA256 and MD5 values; each column is compared against
// the whole list, which is harmless because a hash of one length can never
// equal a hash of another. DeviceFileEvents stores hashes in lower case, as
// are the IOCs below; use `in~` instead of `in` if your data may carry
// upper-case hashes, since `in` is case-sensitive.
let malicious_hashes = dynamic([
    "e4a8efef165b15db21b9aa1fa13586119c9b433e",
    "1e0852887af0490bf192a9e7d06acf49",
    "07a018c6af370b03e0daa84a1dc214ab516fe9f6ce180e64248bc2682d550d9c",
    "0ad93109b547084f43fe09682c4825cb",
    "5b7146ddfce30ff5d5c8215ba0ba68544726a03da31bf3074c4086587fda1370",
    "23795a745385b1444cfe8618603f623d686573f9"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
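The same hunt expressed in Python, as an added example that is not part of the ThreatFox feed or the Sentinel rule: it groups the six IOCs from the table by hash type, validates each value against its declared type (a malformed IOC would otherwise silently never match), compares hashes case-insensitively, and runs the match over constructed DeviceFileEvents-style rows. Column names follow the KQL above; the sample rows are made up.

```python
import re

# Expected hex length of each ThreatFox hash IOC type
HASH_LEN = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}
# DeviceFileEvents column that carries each hash type (checked in this order)
HASH_COLUMN = {"sha256_hash": "SHA256", "sha1_hash": "SHA1", "md5_hash": "MD5"}

# The six IOCs from the table above, as (type, value)
IOCS = [
    ("sha1_hash", "e4a8efef165b15db21b9aa1fa13586119c9b433e"),
    ("md5_hash", "1e0852887af0490bf192a9e7d06acf49"),
    ("sha256_hash", "07a018c6af370b03e0daa84a1dc214ab516fe9f6ce180e64248bc2682d550d9c"),
    ("md5_hash", "0ad93109b547084f43fe09682c4825cb"),
    ("sha256_hash", "5b7146ddfce30ff5d5c8215ba0ba68544726a03da31bf3074c4086587fda1370"),
    ("sha1_hash", "23795a745385b1444cfe8618603f623d686573f9"),
]

# Constructed DeviceFileEvents-style rows (not real telemetry): the second
# row carries an upper-case hash and the third matches nothing.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-17T09:00:00Z", "DeviceName": "ws01", "FileName": "invoice.exe",
     "SHA256": "07a018c6af370b03e0daa84a1dc214ab516fe9f6ce180e64248bc2682d550d9c",
     "SHA1": "e4a8efef165b15db21b9aa1fa13586119c9b433e", "MD5": "1e0852887af0490bf192a9e7d06acf49"},
    {"Timestamp": "2026-06-17T10:30:00Z", "DeviceName": "ws02", "FileName": "update.exe",
     "SHA256": None, "SHA1": "23795A745385B1444CFE8618603F623D686573F9", "MD5": None},
    {"Timestamp": "2026-06-17T08:15:00Z", "DeviceName": "ws03", "FileName": "notepad.exe",
     "SHA256": "a" * 64, "SHA1": "b" * 40, "MD5": "c" * 32},
]

def build_hash_sets(iocs):
    """Group IOCs by column; reject a value whose length or alphabet does not fit its type."""
    sets = {col: set() for col in HASH_COLUMN.values()}
    for ioc_type, value in iocs:
        if ioc_type not in HASH_LEN:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
        value = value.strip().lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[ioc_type], value):
            raise ValueError(f"malformed {ioc_type}: {value!r}")
        sets[HASH_COLUMN[ioc_type]].add(value)
    return sets

def match_file_events(events, hash_sets):
    """Return rows whose SHA256, SHA1 or MD5 hits an IOC, newest first, tagged with the column."""
    hits = []
    for ev in events:
        for col, known in hash_sets.items():
            if (ev.get(col) or "").lower() in known:
                hits.append({**ev, "MatchedColumn": col})
                break  # one hit per row is enough; do not report it three times
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)
```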
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOCs due to the use of a common scripting tool like PowerShell or Python.
Filter/Exclusion: Exclude processes associated with schtasks.exe or tasks with a known name like SystemMaintenanceTask.

Scenario: Admin Performing Disk Cleanup via PowerShell
Description: An administrator uses PowerShell to clean up temporary files, which may include paths or commands that resemble malicious activity.
Filter/Exclusion: Exclude processes initiated by powershell.exe with a command line containing clean, delete, or remove.

Scenario: Backup Job Using rsync or robocopy
Description: A backup job using tools like rsync or robocopy may trigger IOCs due to file-copying behavior similar to malware.
Filter/Exclusion: Exclude processes with command lines containing backup, rsync, or robocopy, and check for known backup service accounts.

Scenario: User Running a Legitimate Malware Analysis Tool
Description: A security analyst runs a sandboxed environment like Cuckoo Sandbox or Joe Sandbox, which may generate IOCs that match Agent Tesla.
Filter/Exclusion: Exclude processes running under the user account Cuckoo or Sandbox, and check for the presence of sandbox detection markers.

Scenario: Legitimate Software Installation via MSI or EXE
Description: A legitimate software installation package (e.g., from Microsoft or a trusted vendor) may include files or registry entries that match the IOCs.
Filter/Exclusion: Exclude processes initiated by msiexec.exe or setup.exe, and check for digital signatures or publisher information.