The ThreatFox: TinyMet IOCs rule detects potential adversary activity associated with the TinyMet malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may be operating undetected within their environment.
IOC Summary

Malware Family: TinyMet
Total IOCs: 3
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 96beaa210c51ebc95b19379dd9572013132e7c4d | payload | 2026-06-17 | 95% |
| md5_hash | ae9613c81a644178999b357600d1498a | payload | 2026-06-17 | 95% |
| sha256_hash | ff0d872eb0f0474a24273ff2506b9c1e5e7c7ba5fa8d364cea94e0c7405d032c | payload | 2026-06-17 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - TinyMet
let malicious_hashes = dynamic(["96beaa210c51ebc95b19379dd9572013132e7c4d", "ae9613c81a644178999b357600d1498a", "ff0d872eb0f0474a24273ff2506b9c1e5e7c7ba5fa8d364cea94e0c7405d032c"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses a tool such as PowerShell or Task Scheduler to perform routine system checks or updates.
Filter/Exclusion: Exclude processes associated with Task Scheduler or PowerShell when executed by the SYSTEM or LOCAL SERVICE account.

Scenario: Admin Performing Log Collection with LogParser
Description: An admin uses LogParser to collect and analyze logs from the Event Viewer, which may include paths or commands similar to those seen with TinyMet.
Filter/Exclusion: Exclude processes initiated by admin accounts running LogParser or eventvwr.exe.

Scenario: Running Windows Defender Antivirus Scan
Description: A full system scan using Windows Defender may trigger detection of benign files or processes that match TinyMet IOCs.
Filter/Exclusion: Exclude processes with MsMpEng.exe or Windows Defender service names.

Scenario: Using PowerShell for Configuration Management with Desired State Configuration (DSC)
Description: A DSC configuration script may use PowerShell cmdlets that resemble malicious activity but are part of legitimate configuration management.
Filter/Exclusion: Exclude processes initiated by PowerShell when running DSC configurations or scripts from known configuration management tools such as PSDscResource.

Scenario: Executing a Legitimate Script for Patch Management
Description: A script used for patch management (e.g., via SCCM or WSUS) may include commands or paths that match TinyMet IOCs.
Filter/Exclusion: Exclude processes associated with patch management tools such as Wsuscmd.exe, CCMExec.exe, or SCCM service names.
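The following Python script is an added example, not part of the ThreatFox rule or this page's KQL. It reproduces the hunt query's hash-matching logic over constructed DeviceFileEvents-style rows and then applies the exclusion scenarios above as a second pass, so that suppressed hits are kept separate from hits that need triage rather than discarded. The IOC feed is validated first: each entry must be a lowercase hex digest of MD5, SHA1 or SHA256 length, so a malformed feed entry raises instead of silently matching nothing. The process and account names used for the exclusions (MsMpEng.exe, CCMExec.exe, SYSTEM, LOCAL SERVICE, and svchost.exe as a Task Scheduler host) are assumptions drawn from the scenarios, not values the page asserts, and the sample rows are constructed.

```python
import re

# The three ThreatFox TinyMet hashes from the IOC table on this page.
TINYMET_IOCS = [
    "96beaa210c51ebc95b19379dd9572013132e7c4d",
    "ae9613c81a644178999b357600d1498a",
    "ff0d872eb0f0474a24273ff2506b9c1e5e7c7ba5fa8d364cea94e0c7405d032c",
]

# Digest type is implied by hex length; anything else is rejected up front.
HASH_COLUMNS = {32: "MD5", 40: "SHA1", 64: "SHA256"}

# Exclusions derived from the false-positive scenarios above (Defender, SCCM,
# scheduled tasks under a service account). Assumed names; tune to your estate.
EXCLUDED_INITIATING_PROCESSES = {"msmpeng.exe", "ccmexec.exe"}
EXCLUDED_SERVICE_ACCOUNTS = {"system", "local service"}
SCHEDULER_PROCESSES = {"powershell.exe", "svchost.exe"}  # assumed Task Scheduler hosts


def bucket_iocs(iocs):
    """Normalise IOCs to lowercase hex and group them by the column they match."""
    buckets = {"MD5": set(), "SHA1": set(), "SHA256": set()}
    for ioc in iocs:
        h = ioc.strip().lower()
        if len(h) not in HASH_COLUMNS or not re.fullmatch(r"[0-9a-f]+", h):
            raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {ioc!r}")
        buckets[HASH_COLUMNS[len(h)]].add(h)
    return buckets


def match_file_events(events, buckets):
    """Mirror of the KQL 'where': an event hits if any hash column is in the IOC set."""
    hits = []
    for ev in events:
        for column, known in buckets.items():
            value = (ev.get(column) or "").lower()  # telemetry may differ in case
            if value in known:
                hits.append({**ev, "MatchedOn": column})
                break
    return hits


def is_excluded(hit):
    """Apply the page's exclusion scenarios to a single hit."""
    proc = (hit.get("InitiatingProcessFileName") or "").lower()
    account = (hit.get("InitiatingProcessAccountName") or "").lower()
    if proc in EXCLUDED_INITIATING_PROCESSES:
        return True
    # Scheduled-task / PowerShell activity under SYSTEM or LOCAL SERVICE.
    return proc in SCHEDULER_PROCESSES and account in EXCLUDED_SERVICE_ACCOUNTS


def hunt(events, iocs=TINYMET_IOCS):
    """Return (hits_to_triage, hits_suppressed_by_exclusion)."""
    hits = match_file_events(events, bucket_iocs(iocs))
    triage = [h for h in hits if not is_excluded(h)]
    suppressed = [h for h in hits if is_excluded(h)]
    return triage, suppressed


# Constructed sample rows in DeviceFileEvents shape (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-17T10:01:00Z", "DeviceName": "ws01", "FileName": "update.exe",
     "FolderPath": r"C:\Users\Public\update.exe", "MD5": None,
     "SHA1": "96BEAA210C51EBC95B19379DD9572013132E7C4D", "SHA256": None,
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessAccountName": "jdoe"},
    {"Timestamp": "2026-06-17T10:02:00Z", "DeviceName": "ws02", "FileName": "notepad.exe",
     "FolderPath": r"C:\Windows\System32\notepad.exe",
     "MD5": "d41d8cd98f00b204e9800998ecf8427e", "SHA1": None, "SHA256": None,
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessAccountName": "jdoe"},
    {"Timestamp": "2026-06-17T10:03:00Z", "DeviceName": "srv01", "FileName": "update.exe",
     "FolderPath": r"C:\Windows\Temp\update.exe", "MD5": None, "SHA1": None,
     "SHA256": "ff0d872eb0f0474a24273ff2506b9c1e5e7c7ba5fa8d364cea94e0c7405d032c",
     "InitiatingProcessFileName": "MsMpEng.exe", "InitiatingProcessAccountName": "SYSTEM"},
]

if __name__ == "__main__":
    to_triage, suppressed_hits = hunt(SAMPLE_EVENTS)
    for h in to_triage:
        print("TRIAGE    ", h["DeviceName"], h["FileName"], h["MatchedOn"])
    for h in suppressed_hits:
        print("SUPPRESSED", h["DeviceName"], h["FileName"], h["InitiatingProcessFileName"])
```

Two points carry back to the KQL. First, the `in` operator in KQL is case-sensitive; DeviceFileEvents stores hashes in lowercase so the query as written is fine, but if the hash list is ever built from a differently cased source, switch to `in~` or the match silently fails, which is why the script lowercases both sides. Second, a hit suppressed by an exclusion still records a known-bad hash written to disk; the script therefore returns the suppressed rows rather than dropping them, so an analyst can review what the exclusions removed.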