The ThreatFox: StrelaStealer IOCs rule detects potential credential-stealing activity associated with the StrelaStealer malware, which exfiltrates sensitive data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats before significant data loss occurs.
IOC Summary
Malware Family: StrelaStealer
Total IOCs: 6
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | healwithcolors.com | payload_delivery | 2026-04-23 | 100% |
| domain | fmt.co.id | payload_delivery | 2026-04-23 | 100% |
| domain | extinvit.es | payload_delivery | 2026-04-23 | 100% |
| domain | englishnews.eu | payload_delivery | 2026-04-23 | 100% |
| domain | ekonomimanajemen.com | payload_delivery | 2026-04-23 | 100% |
| domain | ehsanamidian.com | payload_delivery | 2026-04-23 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - StrelaStealer
let malicious_domains = dynamic(["healwithcolors.com", "fmt.co.id", "extinvit.es", "englishnews.eu", "ekonomimanajemen.com", "ehsanamidian.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
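The KQL above does the matching inside Sentinel. The following is an added example, not part of the ThreatFox entry or the original rule, that applies the same six domain IOCs to DNS records offline, for instance when checking an exported log before a connector is in place. It matches the exact domain or any subdomain of it on a label boundary, normalizes case and trailing dots, and returns hits newest first like the query's `order by`. The pipe-delimited record format, the host names and every log line are constructed for the example; only the domain list comes from the table above.

```python
"""Added example: offline check of DNS query names against the StrelaStealer
domain IOCs listed on this page. The log records below are constructed, not
real telemetry; the IOC domains are copied from the ThreatFox table above."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IOC domains from the ThreatFox StrelaStealer entry above (threat type payload_delivery).
STRELASTEALER_DOMAINS = (
    "healwithcolors.com", "fmt.co.id", "extinvit.es",
    "englishnews.eu", "ekonomimanajemen.com", "ehsanamidian.com",
)


@dataclass
class DnsRecord:
    time_generated: str
    computer: str
    name: str
    query_type: str


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot a resolver may append."""
    return name.strip().lower().rstrip(".")


def matches_ioc(query_name: str, ioc_domains: Iterable[str]) -> Optional[str]:
    """Return the IOC domain the query name matches, or None.

    A match is the exact domain or a subdomain of it. The check is made on a
    label boundary ("." + domain), so a look-alike such as "notfmt.co.id" does
    not match the IOC "fmt.co.id".
    """
    q = normalize(query_name)
    for ioc in ioc_domains:
        d = normalize(ioc)
        if q == d or q.endswith("." + d):
            return d
    return None


def parse_record(line: str) -> DnsRecord:
    """Parse one constructed pipe-delimited record: time | computer | name | qtype."""
    time_generated, computer, name, query_type = (f.strip() for f in line.split("|"))
    return DnsRecord(time_generated, computer, name, query_type)


def hunt(lines: Iterable[str], ioc_domains: Iterable[str] = STRELASTEALER_DOMAINS) -> List[dict]:
    """Return the records whose query name matches an IOC, newest first."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        ioc = matches_ioc(rec.name, ioc_domains)
        if ioc:
            hits.append({
                "TimeGenerated": rec.time_generated,
                "Computer": rec.computer,
                "Name": rec.name,
                "QueryType": rec.query_type,
                "MatchedIOC": ioc,
            })
    # Mirror the KQL "order by TimeGenerated desc" (ISO-8601 strings sort correctly).
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)
    return hits


# Constructed sample DNS records (hypothetical hosts, not real telemetry).
SAMPLE_DNS_LOG = """
2026-04-23T08:01:12Z | WS-FIN-07 | healwithcolors.com.        | A
2026-04-23T08:01:30Z | WS-FIN-07 | cdn.EnglishNews.eu         | A
2026-04-23T08:02:05Z | WS-HR-02  | notfmt.co.id               | A
2026-04-23T08:02:40Z | WS-HR-02  | login.microsoftonline.com  | A
2026-04-23T08:03:11Z | SRV-DC-01 | extinvit.es                | AAAA
""".strip().splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print(hit)
```

Running the block flags three of the five constructed records: the exact match with a trailing dot, the mixed-case subdomain, and the plain match on the domain controller. The look-alike `notfmt.co.id` is not flagged, which is the behaviour to confirm before relying on a substring or term match in any other tool.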
Scenario: Legitimate scheduled job using PowerShell for system monitoring
Description: A system administrator schedules a PowerShell script using schtasks to monitor system performance and log events. The script may use Invoke-Command or Get-EventLog, which could trigger the rule due to PowerShell activity.
Filter/Exclusion: ProcessName != "powershell.exe" OR (CommandLine NOT LIKE "*Invoke-Command*" AND CommandLine NOT LIKE "*Get-EventLog*")
Scenario: Admin using Process Explorer to troubleshoot a service
Description: A system administrator uses Sysinternals’ Process Explorer to investigate a suspicious service. The tool may trigger the rule due to process enumeration or memory inspection activities.
Filter/Exclusion: ProcessName != "procexp.exe" OR (CommandLine NOT LIKE "*-e*" AND CommandLine NOT LIKE "*-m*")
Scenario: Regular log collection using LogParser
Description: A security team uses LogParser (from the Windows Server Resource Kit) to collect and analyze event logs. The tool may trigger the rule due to its interaction with the Windows Event Log API.
Filter/Exclusion: ProcessName != "logparser.exe" OR CommandLine NOT LIKE "*-i event*"
Scenario: Deployment of a legitimate configuration management tool
Description: A DevOps engineer deploys a configuration management tool like Ansible or Chef that uses PowerShell or other scripting to configure systems. The script execution may trigger the rule.
Filter/Exclusion: ProcessName NOT IN ("ansible.exe", "chef-client.exe") OR (CommandLine NOT LIKE "*-e*" AND CommandLine NOT LIKE "*-t*")
Scenario: User running a legitimate remote desktop session
Description: A user connects to a remote server using mstsc.exe (Remote Desktop Connection