The detection identifies potential Lumma Stealer activity through known IOCs, indicating an adversary may be exfiltrating data or establishing persistence. SOC teams should proactively hunt for this behavior to detect and mitigate early-stage compromises in their Azure Sentinel environment.
IOC Summary
Malware Family: Lumma Stealer
Total IOCs: 2
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://peafamqe.cyou | botnet_cc | 2026-04-25 | 75% |
| url | hxxps://amphibgz.cyou | botnet_cc | 2026-04-24 | 75% |
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Lumma Stealer
// Note: the IOC table above is defanged (hxxps://); the values are refanged here
let malicious_urls = dynamic(["https://peafamqe.cyou", "https://amphibgz.cyou"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
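The hunt above refangs the two defanged IOCs by hand and matches them as terms against the whole URL. The following Python is an added example, not part of the original hunt content, showing the same workflow offline: refang the published values, match constructed UrlClickEvents-style rows by exact host (so path and scheme differences are tolerated and look-alike hosts are not), and render the KQL `dynamic()` list. The sample events and account names are constructed.

```python
"""Refang defanged URL IOCs, match sample click events by host, emit the KQL list."""
from urllib.parse import urlsplit

# The page's IOC values, as published (defanged).
IOCS = ["hxxps://peafamqe.cyou", "hxxps://amphibgz.cyou"]

# Constructed UrlClickEvents-like rows. Rows 3 and 4 are deliberate non-hits:
# a look-alike host, and an IOC host appearing only inside a query string.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-04-25T10:01:00Z", "AccountUpn": "a@example.com",
     "Url": "https://peafamqe.cyou/login.php"},          # path appended
    {"Timestamp": "2026-04-25T10:02:00Z", "AccountUpn": "b@example.com",
     "Url": "http://amphibgz.cyou"},                      # scheme differs
    {"Timestamp": "2026-04-25T10:03:00Z", "AccountUpn": "c@example.com",
     "Url": "https://notpeafamqe.cyou/"},                 # look-alike host
    {"Timestamp": "2026-04-25T10:04:00Z", "AccountUpn": "d@example.com",
     "Url": "https://example.com/?next=https://peafamqe.cyou"},  # host only in query
]

def refang(ioc: str) -> str:
    """Undo the hxxp/hxxps and [.] defanging used in published IOC lists."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))

def ioc_hosts(iocs) -> set:
    """Lower-cased host names of the refanged IOC URLs."""
    return {urlsplit(refang(i)).hostname.lower() for i in iocs}

def matching_events(events, iocs) -> list:
    """Return events whose URL host is exactly an IOC host (scheme and path ignored)."""
    hosts = ioc_hosts(iocs)
    hits = []
    for event in events:
        host = urlsplit(event["Url"]).hostname
        if host and host.lower() in hosts:
            hits.append(event)
    return hits

def to_kql_dynamic(iocs) -> str:
    """Render the refanged IOCs as the dynamic() literal used in the KQL hunt."""
    items = ", ".join(f'"{refang(i)}"' for i in iocs)
    return f"let malicious_urls = dynamic([{items}]);"
```

Exact-host matching is stricter than the KQL `has_any` term match, which would also flag the redirect-parameter row; which behaviour you want depends on whether you are hunting for direct clicks or any reference to the domain.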
False-Positive Scenarios

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled job using PowerShell for system monitoring | A scheduled task runs a PowerShell script that uses PowerShell.exe to gather system performance metrics, which may match the IOC pattern. | Exclude processes initiated by the Task Scheduler with a command line containing Get-Counter or Get-WmiObject. |
| Admin using Process Monitor (ProcMon) for troubleshooting | An administrator is using Process Monitor to debug application behavior, which may trigger the rule because the file system activity resembles malicious behavior. | Exclude processes whose parent process is procmon.exe or procmon64.exe. |
| Regular use of certutil for certificate management | A system administrator is using certutil.exe to manage certificates, which may be flagged because of its association with command-line tooling. | Exclude processes whose command line includes certutil -addstore or certutil -viewstore. |
| Legitimate use of schtasks.exe for job scheduling | A user is creating or modifying scheduled tasks with schtasks.exe, which may be misidentified as suspicious activity. | Exclude processes initiated by the schtasks.exe command with the /create or /modify flag. |
| Use of icacls for file permissions management | An administrator is using icacls.exe to adjust file permissions, which may trigger the rule because of its command-line nature. | Exclude processes whose command line includes icacls with grant or revoke verbs. |