The ThreatFox: Amadey IOCs rule detects potential adversary activity linked to the Amadey malware, which is associated with advanced persistent threats and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before significant data loss occurs.
IOC Summary

Malware Family: Amadey
Total IOCs: 2
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 66[.]94[.]119[.]99:80 | botnet_cc | 2026-06-16 | 50% |
| url | hxxp://66[.]94[.]119[.]99/Lsge63sd3/index.php | botnet_cc | 2026-06-16 | 100% |
```kql
// Hunt for network connections to known malicious IPs (firewall / proxy / CEF sources)
// Source: ThreatFox - Amadey
let malicious_ips = dynamic(["66.94.119.99"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events (endpoint-side view of the same IP)
// Source: ThreatFox - Amadey
let malicious_ips = dynamic(["66.94.119.99"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for access to known malicious URLs (Defender for Office 365 click telemetry)
// Source: ThreatFox - Amadey
let malicious_urls = dynamic(["http://66.94.119.99/Lsge63sd3/index.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
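The IOC table above lists the values defanged (`66[.]94[.]119[.]99`, `hxxp://`), while the `let malicious_ips` / `let malicious_urls` bindings in the queries need the live form. The following Python is an added example, not part of this rule page or of ThreatFox's tooling: it refangs and validates the two feed entries, renders the KQL `let` bindings, and applies the same IP-equality / URL-containment logic to a few constructed events so the expected hits can be checked offline. The function names, the `SAMPLE_EVENTS` rows and the `ip_ports` list (which keeps the `:80` the queries drop) are my own additions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed copy of the two ThreatFox entries from the IOC table,
# kept defanged exactly as the feed presents them.
THREATFOX_IOCS = [
    {"type": "ip:port", "value": "66[.]94[.]119[.]99:80"},
    {"type": "url", "value": "hxxp://66[.]94[.]119[.]99/Lsge63sd3/index.php"},
]

_DEFANGED_SCHEME = re.compile(r"^hxxp(s?)(?:\[:\]|:)//", re.IGNORECASE)


def refang(value: str) -> str:
    """Reverse the common defanging conventions so the value can be compared
    against telemetry: [.] / (.) -> ., [:]// -> ://, hxxp(s):// -> http(s)://."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]//", "://")
    return _DEFANGED_SCHEME.sub(r"http\1://", value)


def normalise_iocs(iocs):
    """Refang and validate feed entries, returning de-duplicated lists that can be
    dropped straight into a KQL dynamic([...]) literal. Raises ValueError on junk
    so a malformed feed row never silently becomes an always-false filter."""
    ips, ip_ports, urls = [], [], []
    for ioc in iocs:
        value = refang(ioc["value"])
        if ioc["type"] == "ip:port":
            host, _, port = value.rpartition(":")
            ipaddress.ip_address(host)  # ValueError if the host is not an IP
            if not port.isdigit() or not 0 < int(port) < 65536:
                raise ValueError(f"bad port in {value!r}")
            ips.append(host)
            ip_ports.append(f"{host}:{port}")
        elif ioc["type"] == "url":
            parts = urlsplit(value)
            if parts.scheme not in ("http", "https") or not parts.netloc:
                raise ValueError(f"not a usable URL after refanging: {value!r}")
            urls.append(value)
        else:
            raise ValueError(f"unsupported IOC type {ioc['type']!r}")
    dedupe = lambda xs: list(dict.fromkeys(xs))  # keep feed order, drop repeats
    return {"ips": dedupe(ips), "ip_ports": dedupe(ip_ports), "urls": dedupe(urls)}


def kql_let(name, values):
    """Render `let <name> = dynamic([...]);` with KQL double-quoted string escaping."""
    quoted = ", ".join(
        '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"' for v in values
    )
    return f"let {name} = dynamic([{quoted}]);"


# Constructed stand-ins for CommonSecurityLog / DeviceNetworkEvents / UrlClickEvents rows.
SAMPLE_EVENTS = [
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.5", "DestinationIP": "66.94.119.99", "DestinationPort": 80},
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.6", "DestinationIP": "66.94.119.9", "DestinationPort": 80},
    {"table": "DeviceNetworkEvents", "RemoteIP": "8.8.8.8", "RemotePort": 53},
    {"table": "UrlClickEvents", "Url": "http://66.94.119.99/Lsge63sd3/index.php?id=1"},
]


def hits(events, iocs):
    """Return the indexes of events the hunting queries would surface: exact IP
    equality for the network tables (like KQL `in`), URL containment for clicks
    (a substring check standing in for `has_any`). Note the second row, whose IP
    is only a prefix of the IOC, is correctly not matched."""
    matched = []
    for i, ev in enumerate(events):
        if ev["table"] in ("CommonSecurityLog", "DeviceNetworkEvents"):
            candidates = {ev.get("SourceIP"), ev.get("DestinationIP"), ev.get("RemoteIP")}
            if candidates & set(iocs["ips"]):
                matched.append(i)
        elif ev["table"] == "UrlClickEvents":
            if any(u in ev["Url"] for u in iocs["urls"]):
                matched.append(i)
    return matched


if __name__ == "__main__":
    normalised = normalise_iocs(THREATFOX_IOCS)
    print(kql_let("malicious_ips", normalised["ips"]))
    print(kql_let("malicious_urls", normalised["urls"]))
    print("hits:", hits(SAMPLE_EVENTS, normalised))
```

Matching on the bare IP, as the page's queries do, is the broader choice: the feed entry is `66.94.119.99:80`, so an exact `ip:port` filter would miss the same host contacted on another port, while the IP-only filter may need a `DestinationPort`/`RemotePort` column in the projection (already present) to triage the hits.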
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job for system cleanup using ccleaner | Exclude processes associated with ccleaner or processes running from the installation directory of ccleaner (e.g., C:\Program Files\CCleaner\) |
| System administrator using PowerShell to run a script for log rotation | Exclude PowerShell scripts executed from known admin directories (e.g., C:\Windows\System32\ or C:\Windows\SysWOW64\) or scripts signed by a trusted certificate |
| IT department deploying a patch using Windows Update or WSUS | Exclude processes related to wusa.exe or wsusutil.exe, or processes initiated from the Windows Update service context |
| Database administrator using SQL Server Management Studio (SSMS) to run maintenance tasks | Exclude processes associated with ssms.exe or SQL Server services (e.g., sqlservr.exe) running under the SQL Server service account |
| Security team using Splunk or ELK for log analysis and correlation | Exclude processes related to splunkd.exe or java instances running as part of the Splunk or ELK stack, especially those with known service accounts or configured for log collection |