The ThreatFox: MaskGramStealer IOCs rule detects potential credential-stealing malware activity by matching DNS queries against the two command-and-control domains ThreatFox attributes to the MaskGramStealer campaign. A hit shows that a host attempted to resolve a C2 name; it does not by itself prove a successful connection, so confirm with connection or proxy telemetry before escalating. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain early-stage compromises before they progress to credential theft, data exfiltration, and lateral movement.
IOC Summary
Malware Family: MaskGramStealer
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | geschmeidig6307-kotyatanet.sbs | botnet_cc | 2026-05-24 | 100% |
| domain | ws.geschmeidig6307-kotyatanet.sbs | botnet_cc | 2026-05-24 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - MaskGramStealer
let malicious_domains = dynamic(["geschmeidig6307-kotyatanet.sbs", "ws.geschmeidig6307-kotyatanet.sbs"]);
DnsEvents
// Normalise the queried name (lower-case, drop the trailing dot some resolvers log),
// then match the IOC exactly or as a parent of the queried name. `has_any` matches on
// indexed terms rather than the whole name, so exact and suffix matching is more precise.
| extend QueriedName = tolower(trim_end(@"\.", Name))
| where QueriedName in~ (malicious_domains)
    or QueriedName endswith ".geschmeidig6307-kotyatanet.sbs"
| project TimeGenerated, Computer, ClientIP, QueriedName, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled. DnsEvents is populated by the legacy Windows DNS (DNS Analytics) connector via the Log Analytics agent; environments using the AMA-based Windows DNS Events connector log to ASimDnsActivityLogs instead and need the query's table and column names adapted. |
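The matching rules the query relies on (case-insensitive exact match on the IOC, match on any subdomain of it, no match on look-alike names that merely contain the IOC as a substring) are easy to get wrong, so it is worth checking them offline before deploying. The following Python script is an added example, not ThreatFox or Microsoft code: it replays the same logic over a handful of constructed DnsEvents-style rows and tags hits from an allowlisted analysis host, which is the one tuning case that genuinely applies to an exact-match IOC rule. The host names, IP addresses, timestamps and the `ALLOWLISTED_COMPUTERS` set are made up for illustration; only the two domains come from the IOC table above.

```python
"""Offline check of the MaskGramStealer domain-IOC match logic.

Added example; not ThreatFox or Microsoft code. The DNS records, host
names and allowlist below are constructed for illustration.
"""
import json

# The two ThreatFox IOCs from the table above.
MALICIOUS_DOMAINS = {
    "geschmeidig6307-kotyatanet.sbs",
    "ws.geschmeidig6307-kotyatanet.sbs",
}

# Hypothetical hosts whose lookups of IOC domains are expected (for example a
# malware-analysis sandbox). Hits from these are flagged for triage, not dropped.
ALLOWLISTED_COMPUTERS = {"sandbox01.lab.example.local"}


def normalize_fqdn(name):
    """Lower-case the name and strip the trailing dot some resolvers log."""
    return name.strip().rstrip(".").lower()


def is_ioc_match(name):
    """True if the queried name is an IOC or a subdomain of one.

    Exact plus suffix matching mirrors the `in~` / `endswith` pair in the KQL
    query; a plain substring test would also match unrelated names such as
    'notgeschmeidig6307-kotyatanet.sbs'.
    """
    fqdn = normalize_fqdn(name)
    return any(fqdn == ioc or fqdn.endswith("." + ioc) for ioc in MALICIOUS_DOMAINS)


def hunt(records):
    """Return IOC hits, newest first, with allowlisted hosts tagged for triage."""
    hits = []
    for rec in records:
        if not is_ioc_match(rec["Name"]):
            continue
        hits.append({
            "TimeGenerated": rec["TimeGenerated"],
            "Computer": rec["Computer"],
            "ClientIP": rec.get("ClientIP", ""),
            "Name": normalize_fqdn(rec["Name"]),
            "IPAddresses": rec.get("IPAddresses", ""),
            "Allowlisted": rec["Computer"].lower() in ALLOWLISTED_COMPUTERS,
        })
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


# Constructed sample of DnsEvents-style rows (not real telemetry).
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-25T08:01:12Z", "Computer": "ws-finance-07.corp.example",
     "ClientIP": "10.20.3.41", "Name": "ws.geschmeidig6307-kotyatanet.sbs.",
     "IPAddresses": "203.0.113.9"},
    {"TimeGenerated": "2026-05-25T08:02:40Z", "Computer": "ws-finance-07.corp.example",
     "ClientIP": "10.20.3.41", "Name": "update.microsoft.com",
     "IPAddresses": "192.0.2.10"},
    {"TimeGenerated": "2026-05-25T09:15:05Z", "Computer": "sandbox01.lab.example.local",
     "ClientIP": "10.99.0.5", "Name": "GESCHMEIDIG6307-KOTYATANET.SBS",
     "IPAddresses": "203.0.113.9"},
    {"TimeGenerated": "2026-05-25T09:20:00Z", "Computer": "dev-box-02.corp.example",
     "ClientIP": "10.30.1.8", "Name": "notgeschmeidig6307-kotyatanet.sbs",
     "IPAddresses": "198.51.100.4"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_EVENTS):
        print(json.dumps(hit))
```

Run it as-is: the finance workstation and the sandbox both produce hits, the sandbox hit carries `"Allowlisted": true`, and the look-alike name from the developer box is correctly ignored. Swap `SAMPLE_DNS_EVENTS` for rows exported from your own DnsEvents table to confirm the normalisation handles what your resolvers actually log.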
Scenario: Legitimate scheduled system maintenance task
Description: A scheduled job runs a script that resolves external names, for example for software updates or configuration sync. Because this rule matches only the two listed IOC domains, ordinary update or sync traffic cannot trigger it; a hit attributed to a scheduled task means the task itself is resolving the C2 domain and needs to be examined rather than excluded.
Filter/Exclusion: Do not add exclusions for update-server domains such as update.microsoft.com or download.microsoft.com; against an exact-match IOC list they are no-ops. DnsEvents carries no process fields, so correlate the hit by Computer and TimeGenerated with endpoint process telemetry to identify the task or binary that issued the query.
Scenario: Admin using PowerShell for remote management
Description: A system administrator uses PowerShell to remotely manage a server. Remote management resolves internal or vendor names, none of which appear in this IOC list, so an administrative session does not produce a match. A PowerShell process resolving the C2 domain is more consistent with a stealer running under the admin's account than with legitimate management.
Filter/Exclusion: Do not exclude on process name or on known admin accounts; privileged accounts are exactly where a hit matters most. Treat the host as a triage candidate and confirm with process and network telemetry.
Scenario: Legitimate cloud service integration
Description: A company uses a cloud service (e.g., AWS, Azure) whose endpoints are resolved continuously. Cloud provider domains do not match the IOC list and are not falsely flagged by this rule.
Filter/Exclusion: None needed. Avoid substring exclusions such as domain contains "aws" or domain contains "azure": they would also suppress look-alike domains that embed those words and, if reused in broader rules, create a blind spot.
Scenario: Security tool for threat intelligence lookup
Description: A malware sandbox, a threat-intelligence enrichment service, an EDR platform such as CrowdStrike, or an analyst's workstation may resolve the IOC domain on purpose while enriching or detonating a sample. This is the one realistic benign source of hits for an exact-match IOC rule.
Filter/Exclusion: DnsEvents has no process field, so exclude by host rather than by process name: maintain a small, reviewed list of analysis hosts and filter on Computer or ClientIP. Keep the list explicit and short, and prefer tagging these hits for review over dropping them silently, so a compromised analysis host is still visible.
Scenario: Internal development or testing environment
Description: A developer or tester is using a domain that is part