This detection identifies potential Agent Tesla activity by matching file hashes against known IOCs. Agent Tesla is a commodity .NET information stealer and keylogger, so a hit indicates an adversary may be harvesting credentials, exfiltrating data, or establishing persistence on the host. SOC teams should proactively hunt for these hashes in Microsoft Sentinel (formerly Azure Sentinel) and contain affected devices before significant data loss occurs.
IOC Summary
Malware Family: Agent Tesla
Total IOCs: 3
IOC Types: md5_hash, sha1_hash, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 214e97b9f597cbb2422a4cf062c8154f | payload | 2026-06-23 | 95% |
| sha256_hash | 059f89bc7b83b669362cb3ce1182508255c2e97c296c1b9820415d0a9b1ba3d5 | payload | 2026-06-23 | 95% |
| sha1_hash | 3a9e07ad7d205d67d2e1e2608fc85c9a92418380 | payload | 2026-06-23 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Agent Tesla
// The list mixes MD5, SHA1 and SHA256 values, so each hash column is checked against the whole list;
// in~ makes the comparison case-insensitive in case the IOC feed ever delivers upper-case hex.
let malicious_hashes = dynamic([
    "214e97b9f597cbb2422a4cf062c8154f",
    "059f89bc7b83b669362cb3ce1182508255c2e97c296c1b9820415d0a9b1ba3d5",
    "3a9e07ad7d205d67d2e1e2608fc85c9a92418380"
]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
// Keep all three hash columns so the analyst can see which IOC actually matched
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```
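The query above only looks at DeviceFileEvents, so it fires when the payload is written to disk but says nothing about whether it ran or what it connected to. The extended hunt below is an added example, not part of the original page: it matches the same three hashes across DeviceFileEvents, DeviceProcessEvents and DeviceNetworkEvents (the last through the InitiatingProcess* hash columns) and summarizes per device, so drop, execution and outbound traffic from the payload show up together. Column names follow the standard Defender advanced-hunting schema as exposed in Sentinel; the 30-day lookback and the Stage labels are assumptions chosen for the example.

```kusto
// Added example: cross-table hunt for the Agent Tesla hashes listed above.
// Assumes the standard Defender advanced-hunting schema; the 30d lookback is an arbitrary choice.
let lookback = 30d;
let malicious_hashes = dynamic([
    "214e97b9f597cbb2422a4cf062c8154f",
    "059f89bc7b83b669362cb3ce1182508255c2e97c296c1b9820415d0a9b1ba3d5",
    "3a9e07ad7d205d67d2e1e2608fc85c9a92418380"
]);
// Stage 1: the payload being written to disk
let file_hits = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
    | extend Stage = "file_written", Actor = InitiatingProcessFileName, Detail = FolderPath
    | project Timestamp, DeviceName, Stage, Actor, Detail, SHA256, SHA1, MD5,
              AccountName = InitiatingProcessAccountName;
// Stage 2: the payload being executed
let proc_hits = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
    | extend Stage = "process_started", Actor = InitiatingProcessFileName, Detail = ProcessCommandLine
    | project Timestamp, DeviceName, Stage, Actor, Detail, SHA256, SHA1, MD5, AccountName;
// Stage 3: network activity originating from the payload process (possible exfiltration)
let net_hits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessSHA256 in~ (malicious_hashes)
        or InitiatingProcessSHA1 in~ (malicious_hashes)
        or InitiatingProcessMD5 in~ (malicious_hashes)
    | extend Stage = "network_connection", Actor = InitiatingProcessFileName,
             Detail = strcat(ActionType, " ", RemoteIP, ":", tostring(RemotePort), " ", RemoteUrl)
    | project Timestamp, DeviceName, Stage, Actor, Detail,
              SHA256 = InitiatingProcessSHA256, SHA1 = InitiatingProcessSHA1, MD5 = InitiatingProcessMD5,
              AccountName = InitiatingProcessAccountName;
union file_hits, proc_hits, net_hits
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Stages = make_set(Stage), Events = count(),
            Actors = make_set(Actor, 10), Accounts = make_set(AccountName, 10),
            Details = make_set(Detail, 20)
    by DeviceName, SHA256
// A device that shows all three stages has dropped, run and connected out with the payload
| extend StageCount = array_length(Stages)
| order by StageCount desc, LastSeen desc
```

Run it as a hunting query and start with the rows where StageCount is 3; a file_written-only row on a single host is a candidate for quarantine, while a network_connection row means the process is already live and the RemoteIP/RemoteUrl values in Details are the next pivot for blocking and for scoping other hosts.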
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Populated by the Microsoft Defender XDR (formerly Microsoft 365 Defender) data connector; ensure the connector is enabled and that the DeviceFileEvents table is selected for ingestion |
An exact hash match against a malware payload is rarely benign: whichever process wrote the file, the content is the known sample. Treat every hit as a true positive until the file has been examined, and use the scenarios below only to tune noise once a match has been confirmed benign (for example, a mis-attributed hash in the feed, or a security tool or analysis host that stages samples). Express any exclusion on the initiating process or account, never on the hash, and keep suppressed rows reviewable.
Scenario: Legitimate system update via Windows Update or Group Policy Preferences
Filter/Exclusion: Exclude file events whose initiating process is wuauclt.exe or gpupdate.exe, or that are tied to scheduled tasks whose names contain "Update" or "Patch".
Scenario: Scheduled backup using Veeam Backup & Replication or Commvault
Filter/Exclusion: Exclude file events initiated by the backup agents (e.g., veeam.exe, cvbackup.exe) or tied to tasks with names like "VeeamBackup" or "CommvaultBackup".
Scenario: Administrative PowerShell scripting for system maintenance
Filter/Exclusion: Exclude PowerShell executions by administrator accounts running known maintenance scripts (e.g., .ps1 files under C:\Windows\System32, or tasks with names like "SystemCleanup").
Scenario: Legitimate use of log management tools such as Splunk or the ELK Stack
Filter/Exclusion: Exclude file events initiated by log collection or analysis agents (e.g., splunkd.exe, logstash.exe) or by tasks that perform log aggregation and parsing.
Scenario: Use of Remote Desktop Services (RDP) for administrative access
Filter/Exclusion: Exclude RDP sessions initiated by known administrator accounts, or file events initiated by mstsc.exe where the source address is within the company's internal network range.
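The exclusions above are keyed on process names, and a silent `where InitiatingProcessFileName !in (...)` would make a suppressed Agent Tesla hit invisible. The query below is an added example, not from the original page, showing how to apply those same exclusions as an explicit, auditable allowlist: matches are joined to the allowlist and tagged with the reason rather than dropped, so live hits sort to the top and suppressed rows remain at the bottom for review. The allowlist entries are taken from the scenarios above; the Reason labels are arbitrary, and scheduled-task names are not available in DeviceFileEvents, so only the process-name exclusions are implemented here.

```kusto
// Added example: apply the exclusion scenarios above as an auditable allowlist.
// Rows are tagged with the matching reason instead of being filtered out, so nothing disappears silently.
let malicious_hashes = dynamic([
    "214e97b9f597cbb2422a4cf062c8154f",
    "059f89bc7b83b669362cb3ce1182508255c2e97c296c1b9820415d0a9b1ba3d5",
    "3a9e07ad7d205d67d2e1e2608fc85c9a92418380"
]);
// Allowlist built from the scenarios on this page; Reason values are arbitrary labels (assumption).
// Keep process names lower-case so the join below is exact.
let allowlist = datatable(InitiatingProcessFileName:string, Reason:string) [
    "wuauclt.exe",  "windows_update",
    "gpupdate.exe", "group_policy",
    "veeam.exe",    "veeam_backup",
    "cvbackup.exe", "commvault_backup",
    "splunkd.exe",  "log_collection",
    "logstash.exe", "log_collection",
    "mstsc.exe",    "rdp_admin"
];
DeviceFileEvents
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
// Normalize the join key; the allowlist is lower-case and process names on disk may not be
| extend InitiatingProcessFileName = tolower(InitiatingProcessFileName)
| join kind=leftouter allowlist on InitiatingProcessFileName
| extend Suppressed = isnotempty(Reason)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName,
          Suppressed, Reason
// Live (unsuppressed) hits first; suppressed rows stay visible at the bottom for periodic review
| order by Suppressed asc, Timestamp desc
```

If this is promoted from a hunting query to an analytics rule, add `| where not(Suppressed)` only as the final line and keep the untruncated version as a scheduled hunt, so that an exclusion that starts absorbing real hits is noticed rather than trusted forever.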