The ThreatFox: Agent Tesla IOCs rule detects potential command and control communication associated with the Agent Tesla malware, which is commonly used for data exfiltration and persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage known malicious infrastructure.
IOC Summary
Malware Family: Agent Tesla
Total IOCs: 3
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 18b93f31c49e4302e3fd26764b6ad37a | payload | 2026-06-11 | 95% |
| sha256_hash | 9a04ce5c1ed6e353d8d8d936fefba4517ecc8f6777e5f866178dba084ae90d8a | payload | 2026-06-11 | 95% |
| sha1_hash | cf5058b0d233abf4abf55bd13597f9b07c5d2eed | payload | 2026-06-11 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Agent Tesla
let malicious_hashes = dynamic(["18b93f31c49e4302e3fd26764b6ad37a", "9a04ce5c1ed6e353d8d8d936fefba4517ecc8f6777e5f866178dba084ae90d8a", "cf5058b0d233abf4abf55bd13597f9b07c5d2eed"]);
DeviceFileEvents
// in~ is the case-insensitive form of in, so a hash recorded in upper case still matches
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
// Project all three hash columns so the analyst can see which one matched
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
False Positive Scenarios
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate scheduled task runs a script that matches the IOC pattern due to similar file names or paths. | Exclude files associated with the Task Scheduler service or files located in the C:\Windows\Tasks\ directory. |
| Admin Performing Disk Cleanup or Log Rotation | An administrator uses tools like Disk Cleanup or logrotate, which may involve temporary files or scripts that match Agent Tesla IOCs. | Exclude processes initiated by the Administrators group or those running from the C:\Windows\System32\ directory. |
| Use of PowerShell for System Monitoring | A system monitoring tool like PowerShell or Splunk may execute scripts that resemble malicious activity due to similar command structures. | Exclude powershell.exe processes whose command line includes Get-EventLog, Get-Service, or Get-Process. |
| Deployment of Configuration Management Tools | Tools like Chef, Puppet, or Ansible may execute scripts or binaries that match IOCs due to similar naming conventions. | Exclude files or processes associated with configuration management tools, such as those in the C:\ProgramData\ or C:\Users\Public\ directories. |
| Legitimate Software Update or Patching Process | A legitimate software update or patching process (e.g., using WSUS, SCCM, or Chocolatey) may involve files that match Agent Tesla IOCs. | Exclude processes initiated by the Windows Update service or those running from the C:\Windows\Temp\ directory. |
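As an added example that is not part of the ThreatFox listing or the Sentinel rule, the Python below reproduces the hash hunt offline for the query and the false-positive scenarios above: it matches DeviceFileEvents-style records against the three hashes regardless of hash case (a recurring cause of silent misses when IOC feeds and telemetry disagree on casing), and instead of dropping hits that land under one of the exclusion directories from the scenarios, it labels each hit with the scenario so an analyst can review it; that keep-and-label behaviour is a design choice of this example, not something the page prescribes. The device names, file names, paths and timestamps in the sample records are constructed.

```python
# Added example: offline counterpart of the Sentinel hash hunt above.
# The hash values are the page's ThreatFox IOCs; every event record below is
# constructed sample data, not real telemetry.

# Hash IOCs from the page (ThreatFox, Agent Tesla).
AGENT_TESLA_HASHES = {
    "md5": "18b93f31c49e4302e3fd26764b6ad37a",
    "sha256": "9a04ce5c1ed6e353d8d8d936fefba4517ecc8f6777e5f866178dba084ae90d8a",
    "sha1": "cf5058b0d233abf4abf55bd13597f9b07c5d2eed",
}

# Directory prefixes the false-positive scenarios list as exclusion candidates,
# mapped to the scenario name so a hit can be labelled rather than discarded.
EXCLUSION_PATHS = {
    "C:\\Windows\\Tasks\\": "Scheduled System Maintenance Task",
    "C:\\Windows\\System32\\": "Admin Performing Disk Cleanup or Log Rotation",
    "C:\\ProgramData\\": "Deployment of Configuration Management Tools",
    "C:\\Users\\Public\\": "Deployment of Configuration Management Tools",
    "C:\\Windows\\Temp\\": "Legitimate Software Update or Patching Process",
}


def normalize_hash(value):
    """Lower-case and strip a hash so upper-case or padded values still match."""
    return (value or "").strip().lower()


IOC_SET = {normalize_hash(h) for h in AGENT_TESLA_HASHES.values()}


def matching_hashes(event):
    """Return (column, value) pairs for every hash column on the event that is an IOC."""
    hits = []
    for column in ("SHA256", "SHA1", "MD5"):
        value = normalize_hash(event.get(column))
        if value and value in IOC_SET:
            hits.append((column, value))
    return hits


def exclusion_for(folder_path):
    """Name the false-positive scenario whose path prefix covers folder_path, or None."""
    # Windows paths are case-insensitive; normalise separators and case before comparing.
    path = (folder_path or "").replace("/", "\\").lower()
    if not path.endswith("\\"):
        path += "\\"
    for prefix, scenario in EXCLUSION_PATHS.items():
        if path.startswith(prefix.lower()):
            return scenario
    return None


def hunt(events):
    """Mirror the KQL: filter on any hash column, project the analyst fields, newest first."""
    results = []
    for event in events:
        hits = matching_hashes(event)
        if not hits:
            continue
        results.append({
            "Timestamp": event.get("Timestamp"),
            "DeviceName": event.get("DeviceName"),
            "FileName": event.get("FileName"),
            "FolderPath": event.get("FolderPath"),
            "MatchedOn": [column for column, _ in hits],
            "InitiatingProcessFileName": event.get("InitiatingProcessFileName"),
            # Hits under an exclusion path are kept but labelled for analyst review.
            "PossibleFalsePositive": exclusion_for(event.get("FolderPath")),
        })
    results.sort(key=lambda row: row["Timestamp"], reverse=True)
    return results


# Constructed DeviceFileEvents-style records (ISO-8601 timestamps sort lexically).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-12T09:15:00Z", "DeviceName": "ws-finance-07",
     "FileName": "invoice.exe", "FolderPath": "C:\\Users\\alice\\AppData\\Roaming",
     "SHA256": AGENT_TESLA_HASHES["sha256"].upper(), "SHA1": "", "MD5": "",
     "InitiatingProcessFileName": "outlook.exe"},
    {"Timestamp": "2026-06-12T08:00:00Z", "DeviceName": "srv-wsus-01",
     "FileName": "update.tmp", "FolderPath": "C:\\Windows\\Temp",
     "SHA256": "", "SHA1": "", "MD5": AGENT_TESLA_HASHES["md5"],
     "InitiatingProcessFileName": "wuauclt.exe"},
    {"Timestamp": "2026-06-12T10:00:00Z", "DeviceName": "ws-dev-03",
     "FileName": "notes.txt", "FolderPath": "C:\\Users\\bob\\Documents",
     "SHA256": "0" * 64, "SHA1": "0" * 40, "MD5": "0" * 32,
     "InitiatingProcessFileName": "notepad.exe"},
    {"Timestamp": "2026-06-11T23:30:00Z", "DeviceName": "srv-cfg-02",
     "FileName": "agent.bin", "FolderPath": "C:\\ProgramData\\chef",
     "SHA256": "", "SHA1": AGENT_TESLA_HASHES["sha1"], "MD5": "",
     "InitiatingProcessFileName": "chef-client.exe"},
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

Running the block prints three hits: the upper-cased SHA256 on ws-finance-07 still matches and carries no exclusion label, while the hits under C:\Windows\Temp and C:\ProgramData are reported with their scenario name. A hash match is exact evidence that a known sample touched the host, so labelling rather than suppressing lets the tuning rules from the table reduce triage noise without hiding the event.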