These ThreatFox IOCs for poscardstealer detect potential adversary activity involving the exfiltration of cardholder data through a known malicious tool, indicating a targeted compromise. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
- Malware Family: poscardstealer
- Total IOCs: 3
- IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 374473c7dfb66406178681191ba4de7de9ff6e7b | payload | 2026-06-17 | 95% |
| md5_hash | 51335ef0e92ee549c9ec24338935d1b3 | payload | 2026-06-17 | 95% |
| sha256_hash | 994360679da88dedbdcc0563919e2b9c7c717aa1acc1620e8bc489a2daa97ac9 | payload | 2026-06-17 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - poscardstealer
// All three hash values are kept in one list and checked against each hash column,
// so a match on any of SHA256, SHA1 or MD5 is reported.
let malicious_hashes = dynamic(["374473c7dfb66406178681191ba4de7de9ff6e7b", "51335ef0e92ee549c9ec24338935d1b3", "994360679da88dedbdcc0563919e2b9c7c717aa1acc1620e8bc489a2daa97ac9"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
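As an added example (not the page's original query and not content from the ThreatFox feed), the same three hashes are matched only against the column of their own hash type, the hunt is widened to process and image-load telemetry, and hits are summarised per device so a single row per host can be triaged. It assumes the Defender XDR connector also populates DeviceProcessEvents and DeviceImageLoadEvents in the workspace, and the 30-day lookback is a chosen value.

```kql
// Added hunt example; assumes DeviceFileEvents, DeviceProcessEvents and
// DeviceImageLoadEvents are all ingested via the Defender XDR connector.
// Each IOC is compared only with the column of its own hash type (ThreatFox: poscardstealer).
let sha1_iocs   = dynamic(["374473c7dfb66406178681191ba4de7de9ff6e7b"]);
let md5_iocs    = dynamic(["51335ef0e92ee549c9ec24338935d1b3"]);
let sha256_iocs = dynamic(["994360679da88dedbdcc0563919e2b9c7c717aa1acc1620e8bc489a2daa97ac9"]);
let lookback = 30d;  // assumed hunting window; widen for retrospective hunts
// Pull the three telemetry sources together and record which table each row came from.
union withsource=SourceTable
    (DeviceFileEvents      | where Timestamp > ago(lookback)),
    (DeviceProcessEvents   | where Timestamp > ago(lookback)),
    (DeviceImageLoadEvents | where Timestamp > ago(lookback))
// in~ is a case-insensitive membership test, so upper- or lower-case hex both match.
| where SHA256 in~ (sha256_iocs) or SHA1 in~ (sha1_iocs) or MD5 in~ (md5_iocs)
// Keep the IOC value that fired so rows matched on different hash types can still be grouped.
| extend MatchedIoc = case(SHA256 in~ (sha256_iocs), SHA256,
                           SHA1 in~ (sha1_iocs), SHA1,
                           MD5)
// One row per device and IOC: first/last sighting, hit count, where it was seen and who wrote or ran it.
| summarize FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Hits      = count(),
            Sources   = make_set(SourceTable),
            Folders   = make_set(FolderPath, 20),
            FileNames = make_set(FileName, 20),
            Parents   = make_set(InitiatingProcessFileName, 20)
    by DeviceName, MatchedIoc
| order by FirstSeen asc
```

Because the match is on exact hash values, a hit should be treated as a confirmed sighting of the payload rather than tuned away by parent process; the Parents column is there to show how the file arrived, not to justify an exclusion.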
Scenario: Legitimate scheduled job for system maintenance
- Description: A scheduled task using schtasks.exe runs a legitimate maintenance script that matches the IOCs due to similar file names or paths.
- Filter/Exclusion: Exclude processes initiated by schtasks.exe with a known legitimate command line or script path.

Scenario: Admin using Process Monitor (ProcMon) for troubleshooting
- Description: An administrator is using ProcMon.exe to debug a legitimate application, which may trigger the rule due to file system activity matching the IOCs.
- Filter/Exclusion: Exclude processes with ProcMon.exe or ProcessMonitor.exe as the executable name.

Scenario: Regular use of Windows Task Scheduler for backups
- Description: A backup job using schtasks.exe or taskhost.exe is configured to run a legitimate backup tool (e.g., Veeam.exe, Acronis.exe) that may have similar IOCs.
- Filter/Exclusion: Exclude tasks with known backup tools or paths that match the IOC patterns.

Scenario: Use of PowerShell for system configuration
- Description: A system administrator uses PowerShell (powershell.exe) to configure or manage system services, which may involve scripts or commands that match the IOCs.
- Filter/Exclusion: Exclude processes where the command line includes known administrative tasks or legitimate PowerShell modules.

Scenario: Legitimate software update process
- Description: A software update process using msiexec.exe or setup.exe may trigger the rule due to file hashes or network activity that resemble the IOCs.
- Filter/Exclusion: Exclude processes associated with known software update mechanisms or vendor-specific update tools.