The ThreatFox: StrelaStealer IOCs rule detects potential data exfiltration activity associated with the StrelaStealer malware, which is known to steal credentials and sensitive files. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary

Malware Family: StrelaStealer
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | seattlesubzerorepair.com | payload_delivery | 2026-05-31 | 100% |
| domain | slowikowo.pl | payload_delivery | 2026-05-30 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - StrelaStealer
let malicious_domains = dynamic(["seattlesubzerorepair.com", "slowikowo.pl"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
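The following is an added example, not part of the ThreatFox feed or the Sentinel rule above. It reproduces the hunt offline in Python so the matching logic can be checked against sample data: the two IOC domains are taken from the table on this page, while the DNS records, host names and timestamps are constructed. It matches on label boundaries (the domain itself or any subdomain) rather than by substring, and normalizes case and the trailing dot some resolvers log (an assumption about the log format), so a name like `notslowikowo.pl` is not flagged while `www.seattlesubzerorepair.com.` is.

```python
"""Offline IOC matcher mirroring the DnsEvents hunt on this page.

Added example, not part of the ThreatFox feed or the Sentinel rule.
The DNS records below are constructed sample data; only the two
domains come from the IOC table on this page.
"""
from dataclasses import dataclass
from typing import Optional

# IOC domains from the page's table (ThreatFox - StrelaStealer).
MALICIOUS_DOMAINS = ("seattlesubzerorepair.com", "slowikowo.pl")


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot some resolvers log.

    Assumption: query names arrive as FQDNs, possibly with a trailing '.'.
    """
    return name.strip().lower().rstrip(".")


def matches_ioc(query_name: str, iocs=MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the matching IOC when query_name is that domain or a subdomain of it.

    Suffix matching on a label boundary ('.' + ioc) avoids false hits such as
    'notslowikowo.pl', which a plain substring test would flag.
    """
    name = normalize(query_name)
    for ioc in iocs:
        ioc_n = normalize(ioc)
        if name == ioc_n or name.endswith("." + ioc_n):
            return ioc
    return None


@dataclass
class DnsEvent:
    """Subset of the DnsEvents columns projected by the KQL hunt."""
    time_generated: str
    computer: str
    name: str
    query_type: str


# Constructed sample records (hypothetical hosts and timestamps).
SAMPLE_EVENTS = [
    DnsEvent("2026-06-01T08:00:01Z", "WS-014", "www.seattlesubzerorepair.com.", "A"),
    DnsEvent("2026-06-01T08:00:05Z", "WS-014", "updates.example.internal", "A"),
    DnsEvent("2026-06-01T08:01:10Z", "WS-022", "SLOWIKOWO.PL", "AAAA"),
    DnsEvent("2026-06-01T08:02:00Z", "WS-022", "notslowikowo.pl", "A"),
]


def hunt(events, iocs=MALICIOUS_DOMAINS):
    """Return (event, matched_ioc) pairs newest first, like 'order by TimeGenerated desc'."""
    hits = [(e, ioc) for e in events if (ioc := matches_ioc(e.name, iocs))]
    return sorted(hits, key=lambda h: h[0].time_generated, reverse=True)


if __name__ == "__main__":
    for event, ioc in hunt(SAMPLE_EVENTS):
        print(f"{event.time_generated} {event.computer} {event.name} -> {ioc}")
```

Running the block prints the two true hits (the `SLOWIKOWO.PL` AAAA query and the `www.seattlesubzerorepair.com.` A query) and skips both the internal name and the look-alike `notslowikowo.pl`. When the IOC list grows, the same suffix check can be kept and the domains loaded from the feed instead of the inline tuple.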
False Positive Scenarios

Scenario: Legitimate Scheduled Job Execution
Description: A legitimate scheduled job (e.g., Task Scheduler or cron job) is running a script that uses a tool like curl or wget to fetch updates from a trusted internal repository.
Filter/Exclusion: Check for process.parent_process containing Task Scheduler or cron, and verify that the URL matches a known internal update server.
Scenario: Admin Performing System Monitoring with PowerShell
Description: An admin is using PowerShell to monitor system activity, which may include executing commands that resemble malicious behavior (e.g., Invoke-WebRequest to fetch logs).
Filter/Exclusion: Filter by process.user being a known admin account and check for process.name being powershell.exe with a command line containing Get-EventLog or Get-Process.
Scenario: Software Update via Chocolatey
Description: A system administrator is using Chocolatey to install or update software, which may involve downloading packages from a trusted source.
Filter/Exclusion: Check for process.name being choco.exe and ensure the download URL is from a known Chocolatey feed (e.g., https://community.chocolatey.org/api/v2/).
Scenario: Network Monitoring Tool Exfiltrating Data
Description: A network monitoring tool (e.g., Wireshark, tcpdump, or Microsoft Network Monitor) is capturing and analyzing network traffic, which may include encrypted data that matches the StrelaStealer pattern.
Filter/Exclusion: Filter by process.name containing Wireshark, tcpdump, or nmm.exe, and check that process.parent_process is a known monitoring tool or system service.
Scenario: Internal Security Tool Performing Reconnaissance