The ThreatFox: Gh0stnet IOCs rule detects potential adversary activity associated with the Gh0stnet malware, which is known for covert network infiltration and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Gh0stnet
Total IOCs: 3
IOC Types: md5_hash, sha1_hash, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | d311b7b63d69bda94189e7ad586d42ba7f1ba838 | payload | 2026-06-14 | 95% |
| md5_hash | 81a6699618caa9d38a99aac19a33b770 | payload | 2026-06-14 | 95% |
| sha256_hash | 3dc1a7ac46a1616fe180f42e26d25ea9638f90c73073542b49a8575e2f110174 | payload | 2026-06-14 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Gh0stnet
// Note: the hash columns in DeviceFileEvents hold lowercase hex, and the
// "in" operator is case-sensitive, so the feed values are kept lowercase.
let malicious_hashes = dynamic([
    "d311b7b63d69bda94189e7ad586d42ba7f1ba838",   // sha1
    "81a6699618caa9d38a99aac19a33b770",           // md5
    "3dc1a7ac46a1616fe180f42e26d25ea9638f90c73073542b49a8575e2f110174" // sha256
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
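The query above only looks at file-write telemetry. As an added example (not part of the ThreatFox rule), the following KQL widens the same Gh0stnet hash hunt to DeviceProcessEvents and DeviceImageLoadEvents, normalises hash case so a differently-cased feed value cannot silently miss, and summarises hits per device and hash for triage. It assumes the standard Microsoft Defender for Endpoint advanced-hunting tables are connected to Sentinel; the 30-day lookback is an assumed value.

```kusto
// Added example, not the original rule: hunt the Gh0stnet hashes across
// file, process and image-load telemetry and summarise per device.
let malicious_hashes = dynamic([
    "d311b7b63d69bda94189e7ad586d42ba7f1ba838",
    "81a6699618caa9d38a99aac19a33b770",
    "3dc1a7ac46a1616fe180f42e26d25ea9638f90c73073542b49a8575e2f110174"
]);
let lookback = 30d;  // assumed window; adjust to retention
// Project each source table to a common shape before the union.
let file_hits = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | project Timestamp, DeviceName, Source = "DeviceFileEvents",
              FileName, FolderPath, SHA256, SHA1, MD5,
              Initiator = InitiatingProcessFileName;
let proc_hits = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project Timestamp, DeviceName, Source = "DeviceProcessEvents",
              FileName, FolderPath, SHA256, SHA1, MD5,
              Initiator = InitiatingProcessFileName;
let image_hits = DeviceImageLoadEvents
    | where Timestamp > ago(lookback)
    | project Timestamp, DeviceName, Source = "DeviceImageLoadEvents",
              FileName, FolderPath, SHA256, SHA1, MD5,
              Initiator = InitiatingProcessFileName;
union file_hits, proc_hits, image_hits
// Record which indicator matched; MDE hash columns are lowercase hex,
// but lowercase both sides so feed formatting cannot cause a miss.
| extend MatchedHash = case(
    tolower(SHA256) in (malicious_hashes), tolower(SHA256),
    tolower(SHA1)   in (malicious_hashes), tolower(SHA1),
    tolower(MD5)    in (malicious_hashes), tolower(MD5),
    "")
| where isnotempty(MatchedHash)
// One row per device/hash/file name, with first and last sighting,
// the tables it appeared in, and the paths and parent processes seen.
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Events = count(), Sources = make_set(Source),
            Paths = make_set(FolderPath, 10),
            Initiators = make_set(Initiator, 10)
        by DeviceName, MatchedHash, FileName
| order by FirstSeen asc
```

Hosts with an early FirstSeen and multiple Sources are the natural starting point for scoping, since a payload that was written, executed and loaded as an image on the same device is unlikely to be a stray download.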
Scenario: Legitimate system backup using wbadmin
Description: A scheduled backup task using Windows Backup and Restore (wbadmin) may generate network traffic or file access that matches Gh0stnet IOCs.
Filter/Exclusion: Exclude processes or network connections initiated by wbadmin.exe or tasks scheduled via Task Scheduler with the wbadmin command.
Scenario: Regular system monitoring with PsExec
Description: An admin may use PsExec to remotely execute scripts or tools for system monitoring, which could trigger the Gh0stnet IOC detection if the tool or command matches known indicators.
Filter/Exclusion: Exclude processes launched via PsExec (e.g., psexec.exe) or commands that include PsExec in their execution chain.
Scenario: Scheduled PowerShell job for log analysis
Description: A legitimate PowerShell script scheduled via Task Scheduler may access log files or system resources that overlap with Gh0stnet IOCs.
Filter/Exclusion: Exclude processes with powershell.exe that are associated with known admin tasks or scripts used for log analysis (e.g., logparser.exe, eventvwr.exe).
Scenario: Antivirus or EDR tool signature update
Description: A security tool like CrowdStrike Falcon or Microsoft Defender may download updates or signatures that include IP addresses or hashes matching Gh0stnet IOCs.
Filter/Exclusion: Exclude network connections or file hashes associated with known security tool update servers (e.g., falcon-secure-content.s3.amazonaws.com, download.microsoft.com).
Scenario: Internal DNS resolution for internal services
Description: DNS queries for internal services (e.g., internal-dns.corp.example.com) may be flagged if the domain structure or query patterns resemble Gh0stnet