The "ThreatFox: LockBit IOCs" rule flags potential LockBit activity by matching DNS queries against known malicious domains associated with the group, as published by ThreatFox. SOC teams should proactively hunt for this behavior in Azure Sentinel so that LockBit-related intrusions are identified and contained before they cause significant damage.
IOC Summary
Malware Family: LockBit
Total IOCs: 8
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | l6tafmqurswrpajwgnvpnpnpd77xavfm4n52xqfsjfltnersjv2fxoqd.onion | botnet_cc | 2026-06-19 | 100% |
| domain | kff3b66znolwznie6cinz2pecxrrxpeptwuzeudaed63viv4fbnketyd.onion | botnet_cc | 2026-06-19 | 100% |
| domain | 7egbakn4anfwdtase7fnkgsdpywl4mtsxwpud4ou5lxjjhy4qthv4vid.onion | botnet_cc | 2026-06-19 | 100% |
| domain | 5vmjqdfmmtkvk74uj2khkndrxjmgzbspzugk5a5rzd3upntc7wi5reyd.onion | botnet_cc | 2026-06-19 | 100% |
| domain | lntvtlvl6gn35aa4coklqubskx5r3d6j42onywz7llzf3anetqtoepyd.onion | botnet_cc | 2026-06-19 | 100% |
| domain | a2ahyvmwbfcw7vvdnaddwbvezlpcjvfszdnuer3l6aqnwdzermm7csyd.onion | botnet_cc | 2026-06-19 | 100% |
| domain | xxs3dmkoflcfrkon7a2guje2ojsyv63z7eyxpctjota7xil646v4byyd.onion | botnet_cc | 2026-06-19 | 100% |
| domain | smqqrbvjf7kfcikigbq5hxzq5y6n2as7oy4bmb6dsrb4keyn3korxcid.onion | botnet_cc | 2026-06-19 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - LockBit
// Note: .onion names are resolved inside the Tor network, not by the enterprise
// resolver, so a hit in DnsEvents usually means a leaking or misconfigured client
// rather than a successful C2 lookup; any match still warrants triage.
let malicious_domains = dynamic(["l6tafmqurswrpajwgnvpnpnpd77xavfm4n52xqfsjfltnersjv2fxoqd.onion", "kff3b66znolwznie6cinz2pecxrrxpeptwuzeudaed63viv4fbnketyd.onion", "7egbakn4anfwdtase7fnkgsdpywl4mtsxwpud4ou5lxjjhy4qthv4vid.onion", "5vmjqdfmmtkvk74uj2khkndrxjmgzbspzugk5a5rzd3upntc7wi5reyd.onion", "lntvtlvl6gn35aa4coklqubskx5r3d6j42onywz7llzf3anetqtoepyd.onion", "a2ahyvmwbfcw7vvdnaddwbvezlpcjvfszdnuer3l6aqnwdzermm7csyd.onion", "xxs3dmkoflcfrkon7a2guje2ojsyv63z7eyxpctjota7xil646v4byyd.onion", "smqqrbvjf7kfcikigbq5hxzq5y6n2as7oy4bmb6dsrb4keyn3korxcid.onion"]);
DnsEvents
| where Name has_any (malicious_domains)   // has_any is case-insensitive and matches whole terms, so subdomains of an IOC also hit
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
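To show what the KQL hunt above does with real-looking records, here is an added example (not part of the original rule) that applies the same matching logic to constructed DnsEvents rows in JSON-lines form. The sample events, host names and timestamps are invented; the IOC list is the one from the table above. Like `has_any`, the match is case-insensitive, tolerates a trailing dot in the logged name, and also catches subdomains of an IOC.

```python
import json

# IOC list taken from the page's ThreatFox LockBit table.
LOCKBIT_DOMAINS = {
    "l6tafmqurswrpajwgnvpnpnpd77xavfm4n52xqfsjfltnersjv2fxoqd.onion",
    "kff3b66znolwznie6cinz2pecxrrxpeptwuzeudaed63viv4fbnketyd.onion",
    "7egbakn4anfwdtase7fnkgsdpywl4mtsxwpud4ou5lxjjhy4qthv4vid.onion",
    "5vmjqdfmmtkvk74uj2khkndrxjmgzbspzugk5a5rzd3upntc7wi5reyd.onion",
    "lntvtlvl6gn35aa4coklqubskx5r3d6j42onywz7llzf3anetqtoepyd.onion",
    "a2ahyvmwbfcw7vvdnaddwbvezlpcjvfszdnuer3l6aqnwdzermm7csyd.onion",
    "xxs3dmkoflcfrkon7a2guje2ojsyv63z7eyxpctjota7xil646v4byyd.onion",
    "smqqrbvjf7kfcikigbq5hxzq5y6n2as7oy4bmb6dsrb4keyn3korxcid.onion",
}

def normalize(name):
    """Lowercase and strip the trailing dot some resolvers log (e.g. 'host.onion.')."""
    return name.strip().lower().rstrip(".")

def matches_ioc(name, iocs=LOCKBIT_DOMAINS):
    """Return the matching IOC if the queried name is the IOC itself or a subdomain of it."""
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None

def hunt(dns_events_jsonl):
    """Mirror of the KQL hunt: keep rows whose Name hits an IOC, newest first."""
    hits = []
    for line in dns_events_jsonl.splitlines():
        ev = json.loads(line)
        ioc = matches_ioc(ev.get("Name", ""))
        if ioc:
            hits.append({"MatchedIOC": ioc, **{k: ev.get(k, "") for k in
                         ("TimeGenerated", "Computer", "Name", "IPAddresses", "QueryType")}})
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)  # ISO-8601 sorts lexically
    return hits

# Constructed sample DnsEvents rows (invented hosts and times, not real telemetry).
SAMPLE_DNS_EVENTS = """\
{"TimeGenerated": "2026-06-20T08:01:02Z", "Computer": "ws01.corp.example", "Name": "www.example.com", "IPAddresses": "93.184.216.34", "QueryType": "A"}
{"TimeGenerated": "2026-06-20T08:05:10Z", "Computer": "ws07.corp.example", "Name": "L6TAFMQURSWRPAJWGNVPNPNPD77XAVFM4N52XQFSJFLTNERSJV2FXOQD.onion.", "IPAddresses": "", "QueryType": "A"}
{"TimeGenerated": "2026-06-20T08:09:45Z", "Computer": "srv02.corp.example", "Name": "api.xxs3dmkoflcfrkon7a2guje2ojsyv63z7eyxpctjota7xil646v4byyd.onion", "IPAddresses": "", "QueryType": "AAAA"}
{"TimeGenerated": "2026-06-20T08:11:00Z", "Computer": "ws03.corp.example", "Name": "notonion.example.net", "IPAddresses": "10.0.0.5", "QueryType": "A"}
"""

if __name__ == "__main__":
    for h in hunt(SAMPLE_DNS_EVENTS):
        print(h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedIOC"])
```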
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled system maintenance using schtasks.exe | Exclude processes initiated by schtasks.exe with known maintenance task names (e.g., UpdateTask, BackupTask) |
| Use of PowerShell.exe for routine system configuration via Invoke-Command | Exclude PowerShell scripts executed with Invoke-Command and signed by a trusted enterprise certificate or run by a known internal admin account |
| Regular use of PsExec.exe for remote administrative tasks | Exclude processes launched by PsExec.exe where the source is a known internal management workstation or domain controller |
| Execution of certutil.exe for certificate management | Exclude certutil.exe processes related to certificate renewal, import, or export operations on trusted internal CA servers |
| Use of taskkill.exe to terminate non-malicious background processes | Exclude taskkill.exe commands targeting known legitimate services or processes (e.g., svchost.exe, Windows Explorer) initiated by authorized admin accounts |