The ThreatFox: Amadey IOCs rule detects potential adversary activity linked to the Amadey malware, which is associated with advanced persistent threats and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before significant data loss occurs.
IOC Summary
Malware Family: Amadey
Total IOCs: 2
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | spasopro.at | botnet_cc | 2026-06-09 | 50% |
| url | hxxp://spasopro.at/Lsge63sd3/index.php | botnet_cc | 2026-06-09 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Amadey
let malicious_domains = dynamic(["spasopro.at"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Amadey
let malicious_urls = dynamic(["http://spasopro.at/Lsge63sd3/index.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
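As an added example (not part of the ThreatFox feed or of this rule), the Python below turns ThreatFox-style IOC records such as the two listed above into the `dynamic([...])` lists the queries use: it refangs `hxxp://` values, lowercases domains, filters on the feed's confidence score, and adds the host of every URL IOC to the DNS list so a DNS hunt still fires when no click event is recorded. The record shape and field names are an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample in a ThreatFox-like shape (the field names are an assumption);
# the values are the two Amadey IOCs on this page, defanged as published.
SAMPLE_IOCS = [
    {"ioc_type": "domain", "ioc_value": "spasopro.at", "confidence": 50},
    {"ioc_type": "url", "ioc_value": "hxxp://spasopro.at/Lsge63sd3/index.php", "confidence": 100},
]

def refang(value: str) -> str:
    # Undo common defanging so the value matches what telemetry actually records
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def split_iocs(records, min_confidence=0):
    """Return (domains, urls). The host of every URL IOC is also added to the
    domain list so the DNS hunt covers it even when no click is recorded."""
    domains, urls = set(), set()
    for rec in records:
        if rec["confidence"] < min_confidence:
            continue
        value = refang(rec["ioc_value"])
        if rec["ioc_type"] == "domain":
            domains.add(value.lower())
        elif rec["ioc_type"] == "url":
            urls.add(value)
            host = urlparse(value).hostname
            if host:
                domains.add(host.lower())
    return sorted(domains), sorted(urls)

def kql_list(values):
    # Render as a KQL dynamic([...]) literal, escaping backslashes and quotes
    quoted = ", ".join('"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"' for v in values)
    return "dynamic([" + quoted + "])"

def build_hunt_queries(records, min_confidence=0):
    """Emit the two hunting queries in the same shape as the rule above."""
    domains, urls = split_iocs(records, min_confidence)
    dns = "\n".join(["let malicious_domains = " + kql_list(domains) + ";", "DnsEvents",
                     "| where Name has_any (malicious_domains)",
                     "| project TimeGenerated, Computer, Name, IPAddresses, QueryType",
                     "| order by TimeGenerated desc"])
    url = "\n".join(["let malicious_urls = " + kql_list(urls) + ";", "UrlClickEvents",
                     "| where Url has_any (malicious_urls)",
                     "| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough",
                     "| order by Timestamp desc"])
    return dns, url
```

Raising `min_confidence` drops the 50% domain record, but the domain still reaches the DNS list through the 100% URL IOC's host, which is the behaviour a hunter usually wants.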
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam Backup & Replication may trigger the rule if the backup process involves files or network connections that match Amadey IOCs.
Filter/Exclusion: Exclude processes initiated by veeam.exe or tasks scheduled under the Veeam Backup service account.
Scenario: Windows Update or Patching via Windows Server Update Services (WSUS)
Description: A Windows update or patching process using WSUS may involve network connections or file hashes that match Amadey IOCs.
Filter/Exclusion: Exclude processes initiated by wsuapi.exe or tasks associated with the WSUS service.
Scenario: Database Maintenance Task Using SQL Server Agent
Description: A SQL Server Agent job performing routine maintenance (e.g., index rebuilds, backups) may involve file operations or network activity that could be flagged by the rule.
Filter/Exclusion: Exclude processes initiated by sqlservr.exe or tasks scheduled under the SQL Server Agent service.
Scenario: Log Collection Using Splunk Forwarder
Description: A Splunk Universal Forwarder collecting logs from various systems may interact with network endpoints or use file paths that match Amadey IOCs.
Filter/Exclusion: Exclude processes initiated by splunkforwarder.exe or tasks associated with the Splunk service.
Scenario: Admin Task Using PowerShell for System Monitoring
Description: A PowerShell script run by an admin for system monitoring or health checks may use commands or file paths that match Amadey IOCs.
Filter/Exclusion: Exclude processes initiated by powershell.exe with execution context from the Administrators group or with script paths in known admin directories (e.g