The ThreatFox: MASS Logger IOCs rule detects potential command and control communication associated with the MASS Logger malware, which is commonly used for data exfiltration and persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats leveraging known malicious IOCs before they cause significant data loss or system compromise.
IOC Summary
Malware Family: MASS Logger
Total IOCs: 3
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | fb5a09899b06e4ed91b14a9e67f5ece2a558a877 | payload | 2026-06-11 | 95% |
| md5_hash | 0ff94617c08fe032327753b286011da5 | payload | 2026-06-11 | 95% |
| sha256_hash | 574c4503c071e8e8892d267e786acdf811970d4f927cf4536a870c8ba2fc7a13 | payload | 2026-06-11 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - MASS Logger
let malicious_hashes = dynamic([
    "fb5a09899b06e4ed91b14a9e67f5ece2a558a877",
    "0ff94617c08fe032327753b286011da5",
    "574c4503c071e8e8892d267e786acdf811970d4f927cf4536a870c8ba2fc7a13"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate scheduled task runs a script that matches the IOC pattern (e.g., C:\Windows\System32\logman.exe or C:\Windows\System32\eventcreate.exe). | Check for `process.parent_process == "schtasks.exe"` or `process.command_line contains "schtasks /create"`. |
| Log Collection via Windows Event Log Tools | A legitimate log collection tool (e.g., eventcreate.exe or wevtutil.exe) is used to generate event logs, which may match the IOC pattern. | Check for `process.name == "eventcreate.exe"` or `process.name == "wevtutil.exe"`. |
| Admin Task for User Management | An admin task (e.g., net user or net localgroup) may execute commands that resemble malicious IOCs due to similar command-line syntax. | Check for `process.name == "cmd.exe"` and `process.command_line contains "net user"` or `"net localgroup"`. |
| PowerShell Script for System Monitoring | A PowerShell script (e.g., powershell.exe) used for system monitoring or auditing may include commands that match the IOC pattern. | Check for `process.name == "powershell.exe"` and `process.command_line contains "Get-EventLog"` or `"Get-WinEvent"`. |
| Third-Party Log Management Tool Integration | A third-party log management tool (e.g., Splunk or ELK stack) may execute scripts or binaries that match the IOC pattern during integration or configuration. | Check for `process.name == ” |