The ThreatFox: Taurus Stealer IOCs detection rule identifies potential Taurus Stealer malware activity by matching known malicious indicators, which are commonly used in initial compromise stages. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate early-stage adversary activity before it leads to data exfiltration or lateral movement.
IOC Summary
Malware Family: Taurus Stealer
Total IOCs: 6
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 9b9dcc895b1e29c298437174b6854a69 | payload | 2026-06-14 | 95% |
| sha256_hash | 5458e333742c00ce6543315bac3b3d8a83ff35034081728bf087a821a6b5a728 | payload | 2026-06-14 | 95% |
| sha1_hash | ac893a40df75c886b5f202ebd9763bd9be009440 | payload | 2026-06-14 | 95% |
| md5_hash | fae41440b83cf11e1ebdbefb47d0b6f2 | payload | 2026-06-14 | 95% |
| sha256_hash | 886ea11a793e4f9eeec10b6758a368ed3a9344e87e01502b4bf3952abd8937a9 | payload | 2026-06-14 | 95% |
| sha1_hash | fefc88c9a9521c64961030aa22e96fd1768e81b5 | payload | 2026-06-14 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Taurus Stealer
let malicious_hashes = dynamic([
    "9b9dcc895b1e29c298437174b6854a69",
    "5458e333742c00ce6543315bac3b3d8a83ff35034081728bf087a821a6b5a728",
    "ac893a40df75c886b5f202ebd9763bd9be009440",
    "fae41440b83cf11e1ebdbefb47d0b6f2",
    "886ea11a793e4f9eeec10b6758a368ed3a9344e87e01502b4bf3952abd8937a9",
    "fefc88c9a9521c64961030aa22e96fd1768e81b5"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
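As an added example that is not part of this ThreatFox rule page: a Python helper that validates each IOC row above against its declared hash type, compares it only against the DeviceFileEvents column of the same type, lower-cases both sides (KQL `in` is case-sensitive; use `in~` in the rule if a feed ships mixed-case hashes), and renders the `dynamic([...])` list the query uses. The sample events are constructed, not real telemetry.

```python
import re

# ThreatFox IOC rows for Taurus Stealer, copied from the table on this page.
IOCS = [
    ("md5_hash", "9b9dcc895b1e29c298437174b6854a69"),
    ("sha256_hash", "5458e333742c00ce6543315bac3b3d8a83ff35034081728bf087a821a6b5a728"),
    ("sha1_hash", "ac893a40df75c886b5f202ebd9763bd9be009440"),
    ("md5_hash", "fae41440b83cf11e1ebdbefb47d0b6f2"),
    ("sha256_hash", "886ea11a793e4f9eeec10b6758a368ed3a9344e87e01502b4bf3952abd8937a9"),
    ("sha1_hash", "fefc88c9a9521c64961030aa22e96fd1768e81b5"),
]

# ThreatFox IOC type -> (expected hex length, DeviceFileEvents column to compare).
HASH_TYPES = {"md5_hash": (32, "MD5"), "sha1_hash": (40, "SHA1"), "sha256_hash": (64, "SHA256")}

# Constructed sample DeviceFileEvents rows; the first carries an upper-case SHA256.
SAMPLE_EVENTS = [
    {"FileName": "setup.exe", "SHA256": "5458E333742C00CE6543315BAC3B3D8A83FF35034081728BF087A821A6B5A728",
     "SHA1": "0" * 40, "MD5": "0" * 32},
    {"FileName": "notes.txt", "SHA256": "1" * 64, "SHA1": "1" * 40, "MD5": "1" * 32},
    {"FileName": "update.bin", "SHA256": "2" * 64, "SHA1": "2" * 40, "MD5": "fae41440b83cf11e1ebdbefb47d0b6f2"},
]

def normalize_iocs(rows):
    """Group lower-cased hashes by the column they belong to. A value that is not hex
    of the declared length is rejected: a feed typo would otherwise never fire."""
    by_column = {col: set() for _, col in HASH_TYPES.values()}
    for ioc_type, value in rows:
        length, column = HASH_TYPES[ioc_type]
        value = value.strip().lower()
        if not re.fullmatch(rf"[0-9a-f]{{{length}}}", value):
            raise ValueError(f"{ioc_type} value is not {length} hex chars: {value!r}")
        by_column[column].add(value)
    return by_column

def match_events(events, by_column):
    """Return (event, column) pairs whose hash of that type is a known IOC.
    Each type is checked only against its own column, case-insensitively."""
    hits = []
    for ev in events:
        for column, hashes in by_column.items():
            if (ev.get(column) or "").lower() in hashes:
                hits.append((ev, column))
                break
    return hits

def to_kql_list(by_column):
    """Render the IOC set as the `let malicious_hashes = dynamic([...])` line of the rule."""
    values = sorted(h for s in by_column.values() for h in s)
    return "let malicious_hashes = dynamic([" + ", ".join(f'"{v}"' for v in values) + "]);"
```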
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the Taurus Stealer IOC (e.g., a PowerShell script named maint.ps1).
Filter/Exclusion: Exclude files with the .ps1 extension that are located in system directories like C:\Windows\System32\ or have a scheduled task ID starting with Maintenance_.
Scenario: Admin Tool Execution
Description: An admin uses a legitimate tool like PowerShell.exe or certutil.exe to execute a script that matches Taurus Stealer IOCs.
Filter/Exclusion: Exclude processes launched by users with the Administrators group or where the command line includes known admin tools like PowerShell, certutil, or msiexec.
Scenario: Log Management Tool Processing
Description: A log management tool like Splunk or ELK runs a script that matches Taurus Stealer IOCs during log parsing or data ingestion.
Filter/Exclusion: Exclude processes with parent processes related to log management tools (e.g., splunkd.exe, logstash.exe, or filebeat.exe).
Scenario: Software Update Job
Description: A scheduled job runs a script to update software, and the script name or path matches Taurus Stealer IOCs.
Filter/Exclusion: Exclude files with paths containing update, patch, or install and located in directories like C:\Program Files\ or C:\Windows\Temp\.
Scenario: Backup Script Execution
Description: A backup script (e.g., backup_script.bat) runs and includes a command that matches Taurus Stealer IOCs.
Filter/Exclusion: Exclude processes with command lines containing backup, `restore