This detection identifies potential Formbook activity by matching file hashes recorded in endpoint telemetry against IOCs published on ThreatFox. Formbook is an information stealer, so a confirmed hash match means the payload has already reached a host and the adversary may be establishing persistence, harvesting credentials or exfiltrating data. SOC teams should hunt for these hashes in Azure Sentinel and triage any hit as a potential compromise rather than waiting for an alert from another control.
IOC Summary
Malware Family: Formbook
Total IOCs: 3
IOC Types: sha1_hash, md5_hash, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 5ff36f2bfed0594959b6274942585334 | payload | 2026-06-23 | 95% |
| sha256_hash | 97894eccb6b591f2176e28068418b4cdb7d8ef439680b55936cc0189d4dff6c2 | payload | 2026-06-23 | 95% |
| sha1_hash | 8cda1c2e44c35cc8c0b8b6a12d56a4d393f772a8 | payload | 2026-06-23 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Formbook
// One list per hash type, so each column is compared only against hashes of its own algorithm
let formbook_sha256 = dynamic(["97894eccb6b591f2176e28068418b4cdb7d8ef439680b55936cc0189d4dff6c2"]);
let formbook_sha1   = dynamic(["8cda1c2e44c35cc8c0b8b6a12d56a4d393f772a8"]);
let formbook_md5    = dynamic(["5ff36f2bfed0594959b6274942585334"]);
DeviceFileEvents
// in~ is case-insensitive, so hashes copied from feeds that use uppercase hex still match
| where SHA256 in~ (formbook_sha256) or SHA1 in~ (formbook_sha1) or MD5 in~ (formbook_md5)
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled (the table is populated by Microsoft Defender for Endpoint through the Microsoft 365 Defender connector) |
Scenario: A system administrator uses PowerShell to automate the deployment of a new application, and a file written by the script matches a Formbook hash.
Filter/Exclusion: Do not exclude on account privilege or on powershell.exe as the initiating process. A file whose hash matches a Formbook payload is the same file regardless of who wrote it, and an administrator's script or deployment share is a common delivery path. Retrieve the file, confirm the hash against the ThreatFox entry, and treat a confirmed match as an incident.
Scenario: A scheduled job runs nightly to update Microsoft Defender definitions, and a file written during the update matches a Formbook hash.
Filter/Exclusion: Do not exclude Defender or Windows Update processes wholesale. The IOCs on this page are file hashes, so registry activity is outside the scope of this query, and a legitimate definition update will not write a file with a payload hash. If such a hit does occur, verify the file first and, only if it is confirmed benign, exclude that exact SHA256 with a documented justification.
Scenario: A remote desktop session is used to run Windows Update on a server, and a file written during the session matches a Formbook hash.
Filter/Exclusion: Do not exclude mstsc.exe or svchost.exe -k netsvcs. mstsc.exe is the RDP client, not the process writing files on the server, and excluding svchost.exe would suppress any Formbook payload dropped by a service-hosted process. An interactive RDP session is itself a plausible route for an attacker to stage the payload, so verify the file and the account behind the session.
Scenario: A diagnostic tool such as Process Monitor (procmon.exe) is used to analyze system behaviour, and its capture or report contains a Formbook hash string.
Filter/Exclusion: No exclusion is needed. The query matches the SHA256, SHA1 and MD5 columns of DeviceFileEvents, which hold the hash of the file itself, not its contents, so a log that merely contains the hash as text will not fire. A real hit with procmon.exe as the initiating process is verified like any other.
Scenario: A third-party EDR such as CrowdStrike Falcon or SentinelOne is installed, and during quarantine or sample handling it writes a file whose hash matches a Formbook IOC.
Filter/Exclusion: Do not exclude EDR processes as a class. A quarantine event for the hash is evidence that the payload reached the host, so correlate the hit with the EDR's own alert, confirm the file was blocked before execution, and close it as a contained hit rather than suppress it. Any exclusion added should be keyed on the specific SHA256 and the observed ActionType, never on the tool name.
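The following query is an added example, not part of the original hunt, that applies the tuning approach described in the scenarios above: it keeps the three ThreatFox hashes split by type, extends the hunt from DeviceFileEvents to DeviceProcessEvents so executions of the payload are caught as well as file writes, and suppresses only hashes an analyst has verified as benign, never a process or account. The `verified_benign_sha256` table is a hypothetical placeholder (empty here, so nothing is suppressed), the 30-day window is an assumption, and DeviceProcessEvents is assumed to arrive through the same connector as DeviceFileEvents.

```kql
// Added example: Formbook hash hunt across file writes and process launches,
// with a hash-level allowlist instead of process-level exclusions.
let sha256_iocs = dynamic(["97894eccb6b591f2176e28068418b4cdb7d8ef439680b55936cc0189d4dff6c2"]);
let sha1_iocs   = dynamic(["8cda1c2e44c35cc8c0b8b6a12d56a4d393f772a8"]);
let md5_iocs    = dynamic(["5ff36f2bfed0594959b6274942585334"]);
// Hypothetical allowlist: exact SHA256 values an analyst has confirmed benign, each with a ticket reference.
// It is empty in this example, so no hit is suppressed.
let verified_benign_sha256 = datatable(SHA256:string, Justification:string) [];
// File writes, renames and deletions of the payload
let file_hits = DeviceFileEvents
    | where Timestamp > ago(30d)
    | where SHA256 in~ (sha256_iocs) or SHA1 in~ (sha1_iocs) or MD5 in~ (md5_iocs)
    | extend Source = "DeviceFileEvents",
             ObservedProcess = InitiatingProcessFileName,
             ObservedCommandLine = InitiatingProcessCommandLine,
             ObservedAccount = InitiatingProcessAccountName;
// Executions of the payload itself
let process_hits = DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where SHA256 in~ (sha256_iocs) or SHA1 in~ (sha1_iocs) or MD5 in~ (md5_iocs)
    | extend Source = "DeviceProcessEvents",
             ObservedProcess = FileName,
             ObservedCommandLine = ProcessCommandLine,
             ObservedAccount = AccountName;
union file_hits, process_hits
// Drop only hashes that were individually verified; admins, EDR tools and svchost.exe are not exclusion keys
| join kind=leftanti verified_benign_sha256 on SHA256
| extend MatchedOn = case(SHA256 in~ (sha256_iocs), "sha256",
                          SHA1 in~ (sha1_iocs), "sha1",
                          "md5")
// One row per host and hash so the analyst sees who ran it, from where, and whether it executed
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            Sources = make_set(Source), ActionTypes = make_set(ActionType),
            Processes = make_set(ObservedProcess), Accounts = make_set(ObservedAccount),
            Paths = make_set(FolderPath)
    by DeviceId, DeviceName, SHA256, MatchedOn
| order by LastSeen desc
```

A row whose `Sources` contains DeviceProcessEvents means the payload ran, not just landed on disk, and should be escalated ahead of write-only hits. When a hash is confirmed benign, add it to `verified_benign_sha256` with the justification rather than widening the `where` clauses.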