The detection identifies potential Taurus Stealer activity through known IOCs, indicating an adversary may be exfiltrating data or establishing persistence within the environment. SOC teams should proactively hunt for this behavior to identify and mitigate advanced threats before significant data loss occurs.
IOC Summary
Malware Family: Taurus Stealer
Total IOCs: 3
IOC Types: sha256_hash, md5_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 7105e52803914e37050b6f2a4c0d8a8339a2a381 | payload | 2026-06-13 | 95% |
| md5_hash | 8368894761e8f296575356fe49978880 | payload | 2026-06-13 | 95% |
| sha256_hash | 13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1 | payload | 2026-06-13 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Taurus Stealer
let malicious_hashes = dynamic(["7105e52803914e37050b6f2a4c0d8a8339a2a381", "8368894761e8f296575356fe49978880", "13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
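The same hunt logic as the query above, re-implemented offline so the matching and the effect of process-based exclusions (the kind proposed in the false-positive scenarios) can be checked against constructed records. This is an added example, not part of the original detection content; the device names, paths and event records are constructed, and only the three hash values come from the IOC table.

```python
from datetime import datetime

# IOC values from the table above, lower-cased so matching is case-insensitive
TAURUS_IOCS = {
    "7105e52803914e37050b6f2a4c0d8a8339a2a381": "sha1_hash",
    "8368894761e8f296575356fe49978880": "md5_hash",
    "13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1": "sha256_hash",
}

# Constructed DeviceFileEvents-style records (hypothetical hosts, not real telemetry).
# The first hash is deliberately upper-case to exercise normalisation.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-13T08:01:00Z", "DeviceName": "ws-014", "FileName": "update.exe",
     "FolderPath": r"C:\Users\alice\Downloads", "SHA1": "", "MD5": "",
     "SHA256": "13A1587305880DA5FBD956CF9A1353A336996A66735F887004E38ED65B2F7FF1",
     "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-06-13T09:30:00Z", "DeviceName": "ws-022", "FileName": "svc.dll",
     "FolderPath": r"C:\ProgramData\tmp", "SHA256": "", "MD5": "",
     "SHA1": "7105e52803914e37050b6f2a4c0d8a8339a2a381",
     "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2026-06-13T10:00:00Z", "DeviceName": "ws-022", "FileName": "notes.txt",
     "FolderPath": r"C:\Users\bob\Documents", "SHA256": "", "SHA1": "",
     "MD5": "d41d8cd98f00b204e9800998ecf8427e",  # benign: MD5 of an empty file
     "InitiatingProcessFileName": "notepad.exe"},
]

def match_iocs(event, iocs=TAURUS_IOCS):
    """Return the IOC types that hit for this event across all three hash columns."""
    hits = []
    for column in ("SHA256", "SHA1", "MD5"):
        value = (event.get(column) or "").strip().lower()
        if value in iocs:
            hits.append(iocs[value])
    return hits

def hunt(events, excluded_initiators=(), iocs=TAURUS_IOCS):
    """Mirror of the KQL: keep hash matches, drop excluded initiating processes,
    newest first. Exclusions keyed on process name alone also suppress true
    positives launched by that process, so keep them narrow and review them."""
    excluded = {name.lower() for name in excluded_initiators}
    results = []
    for ev in events:
        hits = match_iocs(ev, iocs)
        if not hits or ev["InitiatingProcessFileName"].lower() in excluded:
            continue
        results.append({**ev, "MatchedIocTypes": hits})
    results.sort(key=lambda e: datetime.fromisoformat(e["Timestamp"].replace("Z", "+00:00")),
                 reverse=True)
    return results
```

Running `hunt(SAMPLE_EVENTS)` returns the two true hits; passing `excluded_initiators=["powershell.exe"]` silently drops the PowerShell-launched one, which is the cost of the broad exclusions suggested in the scenarios.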
Scenario: Legitimate Scheduled Job Execution
Description: A system administrator schedules a legitimate job using schtasks.exe to run a script that is falsely flagged as Taurus Stealer.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known legitimate script paths (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Microsoft Defender Antivirus Scan
Description: Microsoft Defender performs a full system scan using MsMpEng.exe, which may trigger the rule due to its interaction with system files.
Filter/Exclusion: Exclude processes with the full path C:\Windows\System32\msmpeng.exe, or filter on the parent process being services.exe.
Scenario: Windows Update or Patching Task
Description: A Windows Update task using wusa.exe or dism.exe may be flagged due to its interaction with system files or registry keys.
Filter/Exclusion: Exclude processes with the full path C:\Windows\System32\wusa.exe or C:\Windows\System32\dism.exe.
Scenario: PowerShell Script for System Monitoring
Description: A legitimate PowerShell script (e.g., from Microsoft or internal IT tools) is executed using powershell.exe and is flagged due to its use of common Taurus Stealer IOCs.
Filter/Exclusion: Exclude processes where the command line includes known internal or Microsoft script paths (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\Tools\monitor.ps1).
Scenario: Admin Task for Log Collection
Description: An admin task using logman.exe or wevtutil.exe to collect logs may