The ThreatFox: Gh0stnet IOCs rule detects potential Gh0stnet malware activity by matching file hashes observed on endpoints against the indicators published for this threat on ThreatFox. Because the match is on exact hashes, the rule finds known samples only; a recompiled or repacked variant needs a fresh indicator. SOC teams should hunt for these hashes in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: Gh0stnet
Total IOCs: 3
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | d311b7b63d69bda94189e7ad586d42ba7f1ba838 | payload | 2026-06-14 | 95% |
| md5_hash | 81a6699618caa9d38a99aac19a33b770 | payload | 2026-06-14 | 95% |
| sha256_hash | 3dc1a7ac46a1616fe180f42e26d25ea9638f90c73073542b49a8575e2f110174 | payload | 2026-06-14 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Gh0stnet
// KQL `in` is case-sensitive and the IOCs are lower-case hex; `in~` is used so that
// telemetry carrying upper-case hashes still matches.
let malicious_hashes = dynamic(["d311b7b63d69bda94189e7ad586d42ba7f1ba838", "81a6699618caa9d38a99aac19a33b770", "3dc1a7ac46a1616fe180f42e26d25ea9638f90c73073542b49a8575e2f110174"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```
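The matching logic of the query above, run offline over constructed telemetry. This is an added Python example, not code from ThreatFox, abuse.ch or the original page; the event rows are constructed for illustration, and the three hashes are the IOCs from the table. It reproduces the `SHA256 ... or SHA1 ... or MD5` predicate with case-insensitive comparison and shows why a benign file named GhostBackup.exe or PsExec.exe does not match: the rule compares hashes, never file names.

```python
import hashlib

# The three ThreatFox IOCs from the table above (lower-case hex).
MALICIOUS_HASHES = {
    "d311b7b63d69bda94189e7ad586d42ba7f1ba838",                          # sha1
    "81a6699618caa9d38a99aac19a33b770",                                  # md5
    "3dc1a7ac46a1616fe180f42e26d25ea9638f90c73073542b49a8575e2f110174",  # sha256
}

# Hash columns of DeviceFileEvents that the KQL predicate inspects.
HASH_FIELDS = ("SHA256", "SHA1", "MD5")


def norm_hash(value):
    """Lower-case and trim a hash; None (column not populated) becomes ''."""
    return (value or "").strip().lower()


def match_events(events, iocs=MALICIOUS_HASHES):
    """Return the events whose SHA256, SHA1 or MD5 is in the IOC set.

    Mirrors `SHA256 in (...) or SHA1 in (...) or MD5 in (...)`, but compares
    case-insensitively (KQL `in` is case-sensitive; `in~` is not). Each hit is
    the original row plus a MatchedOn list naming the columns that matched.
    """
    ioc_set = {norm_hash(h) for h in iocs}
    ioc_set.discard("")  # never let an empty column match an empty IOC
    hits = []
    for event in events:
        matched = [f for f in HASH_FIELDS if norm_hash(event.get(f)) in ioc_set]
        if matched:
            hits.append({**event, "MatchedOn": matched})
    return hits


def hashes_of(data):
    """All three hash types of a byte string, as a sensor would report them."""
    return {
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "MD5": hashlib.md5(data).hexdigest(),
    }


# Constructed sample telemetry; these are not real DeviceFileEvents rows.
_backup_tool = hashes_of(b"constructed: legitimate GhostBackup.exe build 4.2")
_psexec = hashes_of(b"constructed: legitimate PsExec.exe")
SAMPLE_EVENTS = [
    # True positive: sensor reported the SHA256 in upper case, other hashes empty.
    {"Timestamp": "2026-06-15T08:01:00Z", "DeviceName": "ws01",
     "FileName": "update.dat", "FolderPath": r"C:\Users\Public\update.dat",
     "SHA256": "3dc1a7ac46a1616fe180f42e26d25ea9638f90c73073542b49a8575e2f110174".upper(),
     "SHA1": None, "MD5": None, "InitiatingProcessFileName": "explorer.exe"},
    # True positive: only MD5 populated, dropped by a scheduled task.
    {"Timestamp": "2026-06-15T08:05:00Z", "DeviceName": "srv02",
     "FileName": "svchost.exe", "FolderPath": r"C:\ProgramData\svchost.exe",
     "SHA256": None, "SHA1": None, "MD5": "81a6699618caa9d38a99aac19a33b770",
     "InitiatingProcessFileName": "schtasks.exe"},
    # Benign: the name resembles the malware family, but the hashes are clean.
    {"Timestamp": "2026-06-15T09:00:00Z", "DeviceName": "srv03",
     "FileName": "GhostBackup.exe",
     "FolderPath": r"C:\Program Files\GhostBackup\GhostBackup.exe",
     **_backup_tool, "InitiatingProcessFileName": "services.exe"},
    # Benign: an admin tool with unrelated hashes.
    {"Timestamp": "2026-06-15T09:30:00Z", "DeviceName": "ws04",
     "FileName": "PsExec.exe", "FolderPath": r"C:\Tools\PsExec.exe",
     **_psexec, "InitiatingProcessFileName": "cmd.exe"},
]


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], hit["FileName"],
              "matched on", hit["MatchedOn"])
```

Only the two rows carrying one of the IOC hashes are returned, one of them launched from schtasks.exe; the two "ghost"-named and admin-tool rows are untouched because their hashes are different. That is the property to keep in mind when reading the false-positive scenarios below: name-based or account-based exclusions cannot reduce false positives of a hash rule, they can only hide true matches.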
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled; the table is populated by the Microsoft Defender XDR (Microsoft 365 Defender) connector and requires Defender for Endpoint on the hosts |
Scenario: Legitimate scheduled job using an admin tool with a Gh0stnet-like name
Description: A system administrator schedules a job that runs PsExec or WMIC. The rule compares file hashes, not file names, so a name resembling Gh0stnet tooling cannot trigger it; these binaries match only if their hash is one of the three IOCs.
Filter/Exclusion: None required. Do not exclude events whose CommandLine contains "schtasks" or whose initiating account is an administrator: malware is routinely launched from scheduled tasks under privileged accounts, and such an exclusion would silence exactly the true positives this rule exists to catch.
Scenario: Regular use of PowerShell for system administration
Description: A security team member runs PowerShell scripts for log analysis or system monitoring. Strings inside a script do not affect the rule; only the hash of the file itself does. A script that merely contains one of the IOC hash strings (for example, this hunting query saved to disk) has a different hash of its own and does not match.
Filter/Exclusion: None required. Excluding PowerShell.exe or the team's domain account would also exclude an attacker using the same tooling and account.
Scenario: Legitimate software update using a Gh0stnet-like command
Description: A software update process runs a binary called ghost.exe that is unrelated to Gh0stnet. The filename is not an input to the rule; the file matches only if its hash is in the IOC list.
Filter/Exclusion: None required. If the file's hash does hit, that is a genuine match for the indicator, and the correct response is to verify the indicator (re-hash the file and check the ThreatFox entry) rather than to exclude "update" or "patch" command lines.
Scenario: System backup using third-party tool with similar name
Description: A backup tool such as GhostBackup.exe is used for data backups. As above, a filename containing "ghost" does not match a hash IOC.
Filter/Exclusion: None required; do not exclude on ProcessName or on a "backup" command line. The realistic false-positive source for a hash rule is a mislabelled upstream indicator (ThreatFox indicators are community-submitted), so a hit on a file you believe benign should be resolved by confirming the hash and reporting the indicator, not by a local exclusion.
Scenario: Admin task using legitimate remote management tool
Description: An admin uses a remote management tool like `