The ThreatFox: StrelaStealer IOCs rule detects potential command and control activity associated with the StrelaStealer malware by identifying known malicious indicators linked to its infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: StrelaStealer
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | metais.kz | payload_delivery | 2026-04-19 | 100% |
| domain | mb-groupe.fr | payload_delivery | 2026-04-18 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - StrelaStealer
let malicious_domains = dynamic(["metais.kz", "mb-groupe.fr"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
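The same hunt carried out offline against an exported DnsEvents CSV, as an added example that is not part of the ThreatFox listing: it uses the two domains from the table above but matches on DNS label boundaries, so `mail.metais.kz` is a hit while `metais.kz.cdn.example.net` is not. The sample export rows are constructed, not real telemetry.

```python
"""Offline check of exported DnsEvents rows against the StrelaStealer domain IOCs."""
import csv
import io
from typing import Optional

# IOC domains taken from the ThreatFox StrelaStealer table on this page.
MALICIOUS_DOMAINS = frozenset(["metais.kz", "mb-groupe.fr"])


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'MB-GROUPE.FR.' compares equal."""
    return name.strip().lower().rstrip(".")


def matches_ioc(queried: str, iocs=MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC that `queried` equals or is a subdomain of, else None.

    Suffix matching is anchored on a '.' so that a lookalike such as
    'metais.kz.cdn.example.net' does not count as a hit.
    """
    q = normalize(queried)
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def hunt(csv_text: str):
    """Return (TimeGenerated, Computer, Name, ioc) for each matching row, newest first."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc = matches_ioc(row["Name"])
        if ioc:
            hits.append((row["TimeGenerated"], row["Computer"], row["Name"], ioc))
    return sorted(hits, key=lambda h: h[0], reverse=True)


# Constructed sample export in DnsEvents column layout (placeholder hosts and IPs).
SAMPLE_EXPORT = """TimeGenerated,Computer,Name,IPAddresses,QueryType
2026-04-19T08:01:12Z,WS-0123,mail.metais.kz,203.0.113.10,A
2026-04-19T08:02:40Z,WS-0123,www.example.com,198.51.100.5,A
2026-04-19T08:03:05Z,SRV-FILE01,MB-GROUPE.FR.,203.0.113.22,A
2026-04-19T08:04:50Z,WS-0456,metais.kz.cdn.example.net,198.51.100.9,A
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EXPORT):
        print(*hit, sep="\t")
```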
Scenario: Legitimate Scheduled Job for Log Collection
Description: A system administrator schedules a PowerShell script using schtasks.exe to collect logs from remote servers. The script uses a legitimate tool like Get-WinEvent and is signed by a trusted publisher.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with a signed PowerShell script and a known legitimate publisher.
Scenario: Regular System Update via Windows Update
Description: A Windows update process downloads a file from Microsoft’s update servers, which may be flagged due to similar network behavior as malicious activity.
Filter/Exclusion: Exclude traffic to Microsoft update servers (update.microsoft.com, download.microsoft.com) and files signed by Microsoft.
Scenario: Admin Task for Database Backup
Description: A DBA runs a database backup using sqlcmd.exe or a scheduled SQL Agent job, which may include network communication with the database server.
Filter/Exclusion: Exclude processes initiated by SQL Agent jobs or sqlcmd.exe with known backup scripts and internal IP addresses.
Scenario: Legitimate Use of PowerShell for Configuration Management
Description: A DevOps team uses PowerShell scripts (e.g., Invoke-Command) to configure multiple servers, which may involve remote execution and file downloads.
Filter/Exclusion: Exclude PowerShell scripts executed via Invoke-Command or Enter-PSSession with known DevOps tooling (e.g., Ansible, Puppet) and internal IP ranges.
Scenario: Antivirus Scan Using a Third-Party Tool
Description: An enterprise antivirus solution (e.g., Bitdefender, Kaspersky) performs a full system scan, which may involve scanning and downloading files from local storage or network shares.
Filter/Exclusion: Exclude processes associated with known enterprise antivirus tools and