The ThreatFox: MaskGramStealer IOCs detection rule identifies potential command and control activity associated with the MaskGramStealer malware by monitoring known malicious indicators. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that leverage these IOCs to exfiltrate data and maintain persistence within the network.
IOC Summary
Malware Family: MaskGramStealer
Total IOCs: 2
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | hongkongplazaworks.top | botnet_cc | 2026-04-22 | 100% |
| url | hxxps://ms.com-audio.cloud/files/ | payload_delivery | 2026-04-22 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - MaskGramStealer
let malicious_domains = dynamic(["hongkongplazaworks.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - MaskGramStealer
let malicious_urls = dynamic(["https://ms.com-audio.cloud/files/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
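The queries above use the table's IOCs in refanged form (the table's hxxps:// becomes https://). As an added example, not part of the original rule, the Python below refangs the two IOCs, renders the `let ... = dynamic([...]);` lines the queries start with, and runs the same DNS and URL hunt logic over constructed sample events; its domain match is suffix-based, which is stricter than KQL `has_any`. The sample events and the row layout are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed rows mirroring the page's IOC table (defanged, as ThreatFox publishes them).
IOC_ROWS = [
    {"type": "domain", "value": "hongkongplazaworks.top", "threat_type": "botnet_cc"},
    {"type": "url", "value": "hxxps://ms.com-audio.cloud/files/", "threat_type": "payload_delivery"},
]
# Constructed sample events shaped like the DnsEvents / UrlClickEvents columns the queries project.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-04-22T10:01:00Z", "Computer": "ws01", "Name": "HongKongPlazaWorks.top"},
    {"TimeGenerated": "2026-04-22T10:02:00Z", "Computer": "ws02", "Name": "cdn.hongkongplazaworks.top."},
    {"TimeGenerated": "2026-04-22T10:03:00Z", "Computer": "ws03", "Name": "hongkongplazaworks.top.example.net"},
]
SAMPLE_CLICKS = [
    {"Timestamp": "2026-04-22T10:05:00Z", "AccountUpn": "a@example.com", "Url": "https://MS.com-audio.cloud/files/setup.exe"},
    {"Timestamp": "2026-04-22T10:06:00Z", "AccountUpn": "b@example.com", "Url": "https://ms.com-audio.cloud/login"},
]

def refang(value: str) -> str:
    """Undo common defanging so the IOC can be compared with real telemetry."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value).replace("[:]", ":")

def kql_list(name: str, rows: list, ioc_type: str) -> str:
    """Render the `let <name> = dynamic([...]);` line the page's KQL queries start with."""
    values = [refang(r["value"]) for r in rows if r["type"] == ioc_type]
    return f"let {name} = dynamic({json.dumps(values)});"

def dns_matches(events: list, rows: list) -> list:
    """DNS hunt: a query name hits if it equals an IOC domain or is a subdomain of it.
    Stricter than KQL has_any, which would also match 'hongkongplazaworks.top.example.net'."""
    domains = {refang(r["value"]).lower() for r in rows if r["type"] == "domain"}
    name_of = lambda ev: ev["Name"].lower().rstrip(".")
    return [ev for ev in events
            if any(name_of(ev) == d or name_of(ev).endswith("." + d) for d in domains)]

def url_matches(events: list, rows: list) -> list:
    """URL hunt: a click hits if its host matches an IOC URL and its path starts with the IOC path."""
    iocs = [urlparse(refang(r["value"])) for r in rows if r["type"] == "url"]
    return [ev for ev in events
            if any(urlparse(ev["Url"]).hostname == i.hostname
                   and urlparse(ev["Url"]).path.startswith(i.path) for i in iocs)]

if __name__ == "__main__":
    print(kql_list("malicious_domains", IOC_ROWS, "domain"))
    print([ev["Computer"] for ev in dns_matches(SAMPLE_DNS, IOC_ROWS)])      # ['ws01', 'ws02']
    print([ev["AccountUpn"] for ev in url_matches(SAMPLE_CLICKS, IOC_ROWS)])  # ['a@example.com']
```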
False Positive Scenarios

Scenario: Legitimate scheduled job using schtasks.exe to run a system maintenance script
Filter/Exclusion: Check for schtasks.exe with command line containing schtasks /create /tn "System Maintenance" /tr "C:\Windows\System32\svchost.exe" /sc daily
Rationale: Legitimate scheduled tasks may use similar command syntax to run system processes.

Scenario: Admin using PowerShell.exe to run a script for system inventory
Filter/Exclusion: Filter on PowerShell.exe with command line containing Get-WmiObject -Class Win32_Process or Get-ChildItem -Path C:\Windows\Temp
Rationale: System inventory scripts often query system processes and temporary directories.

Scenario: Antivirus or endpoint protection tool performing a full system scan
Filter/Exclusion: Check for msmpeng.exe or mpsvc.exe with command line containing FullScan or Scan
Rationale: Antivirus tools frequently scan system directories and may trigger IOC matches.

Scenario: System update or patching process using wusa.exe
Filter/Exclusion: Filter on wusa.exe with command line containing /quiet /norestart or install
Rationale: Windows Update Assistant (wusa.exe) is used for installing updates and may match suspicious command lines.

Scenario: Log file analysis using logparser.exe for compliance or troubleshooting
Filter/Exclusion: Check for logparser.exe with command line containing -i IISW3C or -i Event
Rationale: Log parsing tools often access log files and may trigger IOC matches due to file paths or command structures.