The ThreatFox: Agent Tesla IOCs rule detects potential Agent Tesla activity by matching file hashes (SHA256, SHA1, MD5) recorded in DeviceFileEvents against known Agent Tesla payload samples published by ThreatFox. The indicators on this page are file hashes only, not network indicators, so a hit means a known payload has been written, moved or executed on an endpoint, which is the stage before credential theft and exfiltration. SOC teams should hunt for these hashes in Microsoft Sentinel (formerly Azure Sentinel) to find and contain early-stage compromises before sensitive data leaves the environment.
IOC Summary
Malware Family: Agent Tesla
Total IOCs: 6
IOC Types: sha256_hash, sha1_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | b0e94f6295e469e77f16759ad1a117e4f5c120455032f375b38660f050bbf9ca | payload | 2026-06-26 | 95% |
| sha1_hash | 84f81b908bd93e017c25cebb74b970cc42c23287 | payload | 2026-06-26 | 95% |
| md5_hash | 4b68c75c72823af59074f1dd0d07b1f5 | payload | 2026-06-26 | 95% |
| sha256_hash | 51ce23480bb91da183356efa8a0003d7cba21c18847165abc435b3e7536d721a | payload | 2026-06-26 | 95% |
| sha1_hash | b54e2388437298c34d62431eea04ac9852fb18f6 | payload | 2026-06-26 | 95% |
| md5_hash | 7a5224de6406df80ee440ea593e4f526 | payload | 2026-06-26 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Agent Tesla
// ThreatFox publishes lower-case hex; in~ makes the comparison case-insensitive
// so a differently cased hash in telemetry is not silently missed.
let malicious_hashes = dynamic(["b0e94f6295e469e77f16759ad1a117e4f5c120455032f375b38660f050bbf9ca", "84f81b908bd93e017c25cebb74b970cc42c23287", "4b68c75c72823af59074f1dd0d07b1f5", "51ce23480bb91da183356efa8a0003d7cba21c18847165abc435b3e7536d721a", "b54e2388437298c34d62431eea04ac9852fb18f6", "7a5224de6406df80ee440ea593e4f526"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
// Keep all three hash columns and the initiating-process context: the analyst needs them for triage
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Populated by the Microsoft Defender XDR (formerly Microsoft 365 Defender) data connector; ensure it is enabled and that Defender for Endpoint is onboarded on the devices in scope. The same three hash columns exist in DeviceProcessEvents and DeviceImageLoadEvents if you want to extend the hunt to execution and module loads. |
False positive tuning. Because the rule keys on exact hashes of known Agent Tesla payloads, a hit is high-fidelity: a legitimate tool does not produce these digests, so none of the scenarios below should suppress the hash match itself. They tune on the initiating-process context returned alongside the match (InitiatingProcessFileName, FolderPath, account) to help prioritize. The realistic benign sources of a hit are analyst sandboxes and internal malware repositories that handle known samples on purpose; tag those by device or folder rather than excluding them.
Scenario: Legitimate scheduled system maintenance using schtasks.exe
Filter/Exclusion: Treat a match whose InitiatingProcessFileName is schtasks.exe and whose file is a known maintenance script (e.g., Cleanup-SystemTemp.ps1) as lower priority only after confirming the execution context (LocalSystem or the Administrators group) and that the matched hash belongs to the script, not to a payload it dropped.
Scenario: Security tool signature update using msiexec.exe
Filter/Exclusion: For matches initiated by msiexec.exe, verify the package's digital signature (join on SHA1 to DeviceFileCertificateInfo and check Signer and IsTrusted) before deprioritizing; a vendor-signed update package will not carry a ThreatFox payload hash.
Scenario: Admin task to deploy configuration updates using powershell.exe
Filter/Exclusion: PowerShell scripts run by administrators as part of standard configuration management (e.g., Deploy-Config.ps1) can be deprioritized by script path and account, but a payload hash written by such a script still indicates compromise of the script or the account that runs it.
Scenario: Network discovery tool like nmap or tcpdump
Filter/Exclusion: Not applicable to this rule. It matches file hashes in DeviceFileEvents, not network traffic; traffic from nmap or tcpdump cannot trigger it. This exclusion belongs to network-based Agent Tesla rules that key on C2 IPs or domains, where you would verify the source IP against authorized scanner ranges.
Scenario: Log collection and analysis using logparser.exe or splunkforwarder
Filter/Exclusion: Log aggregation tools read and forward *.log files whose hashes will not match payload hashes. A match initiated by logparser.exe or splunkforwarder therefore points at a payload in a monitored directory; check the known command-line arguments and configuration files of the agent, then investigate the matched file.
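The following is an added example, not code from the ThreatFox page, showing the same hash matching offline: it hashes a file's bytes under all three algorithms for triage on a host without EDR telemetry, and evaluates DeviceFileEvents-style records the way the KQL above does, tagging hits from analyst sandboxes instead of dropping them. The device-name prefix `mal-sandbox-` and the sample records are assumptions constructed for the demo.

```python
"""Added example (not from the ThreatFox page): Agent Tesla hash IOCs applied
offline to file bytes and to DeviceFileEvents-style records. Matches are never
suppressed; context only changes the triage verdict."""
import hashlib

# The six IOCs from the table above (lower-case hex, as ThreatFox publishes them).
THREATFOX_AGENT_TESLA_HASHES = {
    "b0e94f6295e469e77f16759ad1a117e4f5c120455032f375b38660f050bbf9ca",
    "84f81b908bd93e017c25cebb74b970cc42c23287",
    "4b68c75c72823af59074f1dd0d07b1f5",
    "51ce23480bb91da183356efa8a0003d7cba21c18847165abc435b3e7536d721a",
    "b54e2388437298c34d62431eea04ac9852fb18f6",
    "7a5224de6406df80ee440ea593e4f526",
}

# Assumption for the example: devices named with this prefix are analyst
# sandboxes that handle known samples on purpose.
SANDBOX_DEVICE_PREFIX = "mal-sandbox-"


def normalize_iocs(hashes):
    """Lower-case and strip each hash; reject anything that is not MD5/SHA1/SHA256 hex."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) in (32, 40, 64) and all(c in "0123456789abcdef" for c in h):
            out.add(h)
        else:
            raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {h!r}")
    return out


def hashes_of(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of file bytes, for triage on hosts without EDR telemetry."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def file_matches(data: bytes, iocs) -> list:
    """Algorithms under which the file's digest is in the IOC set (empty list if none)."""
    return [algo for algo, digest in hashes_of(data).items() if digest in iocs]


def match_events(events, iocs, sandbox_prefix=SANDBOX_DEVICE_PREFIX):
    """Mirror the KQL: any of SHA256/SHA1/MD5 in the IOC set is a hit.
    Hits from sandbox devices are tagged 'expected-sandbox', everything else
    'investigate'; nothing is dropped. Newest first, like the KQL order by."""
    matches = []
    for ev in events:
        hit_on = [col for col in ("SHA256", "SHA1", "MD5")
                  if (ev.get(col) or "").lower() in iocs]  # case-insensitive, like in~
        if not hit_on:
            continue
        is_sandbox = ev["DeviceName"].lower().startswith(sandbox_prefix)
        matches.append({
            "Timestamp": ev["Timestamp"],
            "DeviceName": ev["DeviceName"],
            "FileName": ev["FileName"],
            "FolderPath": ev["FolderPath"],
            "InitiatingProcessFileName": ev.get("InitiatingProcessFileName", ""),
            "MatchedOn": hit_on,
            "Verdict": "expected-sandbox" if is_sandbox else "investigate",
        })
    return sorted(matches, key=lambda m: m["Timestamp"], reverse=True)


# Constructed DeviceFileEvents-style records for the demo (not real telemetry).
_BENIGN = b"constructed benign script"
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-26T08:01:00Z", "DeviceName": "ws-finance-07",
     "FileName": "invoice.exe", "FolderPath": r"C:\Users\alice\Downloads\invoice.exe",
     "SHA256": "B0E94F6295E469E77F16759AD1A117E4F5C120455032F375B38660F050BBF9CA",
     "SHA1": "84f81b908bd93e017c25cebb74b970cc42c23287",
     "MD5": "4b68c75c72823af59074f1dd0d07b1f5",
     "InitiatingProcessFileName": "outlook.exe"},
    {"Timestamp": "2026-06-26T09:15:00Z", "DeviceName": "MAL-SANDBOX-02",
     "FileName": "sample.bin", "FolderPath": r"D:\samples\sample.bin",
     "SHA256": "51ce23480bb91da183356efa8a0003d7cba21c18847165abc435b3e7536d721a",
     "SHA1": "b54e2388437298c34d62431eea04ac9852fb18f6",
     "MD5": "7a5224de6406df80ee440ea593e4f526",
     "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2026-06-26T09:20:00Z", "DeviceName": "ws-finance-07",
     "FileName": "Deploy-Config.ps1", "FolderPath": r"C:\Scripts\Deploy-Config.ps1",
     "SHA256": hashlib.sha256(_BENIGN).hexdigest(),
     "SHA1": hashlib.sha1(_BENIGN).hexdigest(),
     "MD5": hashlib.md5(_BENIGN).hexdigest(),
     "InitiatingProcessFileName": "powershell.exe"},
]

if __name__ == "__main__":
    iocs = normalize_iocs(THREATFOX_AGENT_TESLA_HASHES)
    for m in match_events(SAMPLE_EVENTS, iocs):
        print(m["Verdict"], m["DeviceName"], m["FileName"], m["MatchedOn"])
```

Run as a script it prints the sandbox hit first (newest) and the finance workstation hit second; the benign PowerShell script from the tuning scenarios produces no row at all, which is the point: context filters apply to what launched the file, not to whether a known payload hash was seen.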