The ThreatFox: Vidar IOCs rule detects potential command and control activity associated with the Vidar malware, leveraging known indicators to identify compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to mitigate lateral movement and data exfiltration risks early in the attack lifecycle.
IOC Summary
Malware Family: Vidar
Total IOCs: 3
IOC Types: sha256_hash, sha1_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | d0d8d45ef06d0d9ee5f3e0b01885c965f8541d2ad0cba3ca401aca56bb0258e9 | payload | 2026-06-26 | 95% |
| sha1_hash | ccad36f947b504ab0d3fa44db56416bbeba001fe | payload | 2026-06-26 | 95% |
| md5_hash | 5eca7be606723c470d02afbb53188dc2 | payload | 2026-06-26 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Vidar
// Note: the KQL `in` operator is case-sensitive. DeviceFileEvents stores hashes as
// lowercase hex, so the indicators below must stay lowercase as well.
// Order of values: sha256, sha1, md5
let malicious_hashes = dynamic([
    "d0d8d45ef06d0d9ee5f3e0b01885c965f8541d2ad0cba3ca401aca56bb0258e9",
    "ccad36f947b504ab0d3fa44db56416bbeba001fe",
    "5eca7be606723c470d02afbb53188dc2"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
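As an added example (not part of the ThreatFox rule above), the same three indicators hunted across DeviceFileEvents, DeviceProcessEvents and DeviceImageLoadEvents, with the ThreatFox metadata (indicator type, first-seen date, confidence) carried into the results. It assumes the Defender for Endpoint connector populates those three tables; the 30-day lookback is an arbitrary choice.

```kusto
// Added example: multi-table Vidar hash hunt with ThreatFox metadata attached.
// Assumes DeviceFileEvents, DeviceProcessEvents and DeviceImageLoadEvents are
// populated by the Defender for Endpoint connector; 30d lookback is arbitrary.
let vidar_iocs = datatable(IocType:string, IocValue:string, FirstSeen:datetime, Confidence:int) [
    "sha256_hash", "d0d8d45ef06d0d9ee5f3e0b01885c965f8541d2ad0cba3ca401aca56bb0258e9", datetime(2026-06-26), 95,
    "sha1_hash",   "ccad36f947b504ab0d3fa44db56416bbeba001fe", datetime(2026-06-26), 95,
    "md5_hash",    "5eca7be606723c470d02afbb53188dc2", datetime(2026-06-26), 95
];
let lookback = 30d;
// Each table is normalised to one row per (event, hash) so a single join covers
// SHA256, SHA1 and MD5 indicators alike. Hashes are lowercased because string
// comparison in KQL join/in is case-sensitive.
let file_hits = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | mv-expand HashValue = pack_array(SHA256, SHA1, MD5) to typeof(string)
    | project Timestamp, DeviceName, Source = "DeviceFileEvents", FileName, FolderPath,
              HashValue = tolower(HashValue), InitiatingProcessFileName, InitiatingProcessCommandLine;
let process_hits = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | mv-expand HashValue = pack_array(SHA256, SHA1, MD5) to typeof(string)
    | project Timestamp, DeviceName, Source = "DeviceProcessEvents", FileName, FolderPath,
              HashValue = tolower(HashValue), InitiatingProcessFileName, InitiatingProcessCommandLine;
let image_hits = DeviceImageLoadEvents
    | where Timestamp > ago(lookback)
    | mv-expand HashValue = pack_array(SHA256, SHA1, MD5) to typeof(string)
    | project Timestamp, DeviceName, Source = "DeviceImageLoadEvents", FileName, FolderPath,
              HashValue = tolower(HashValue), InitiatingProcessFileName, InitiatingProcessCommandLine;
union file_hits, process_hits, image_hits
| where isnotempty(HashValue)
| join kind=inner (vidar_iocs) on $left.HashValue == $right.IocValue
// One row per device and indicator; the event trail is kept as sets for triage
| summarize FirstHit = min(Timestamp), LastHit = max(Timestamp), Hits = count(),
            Sources = make_set(Source), Paths = make_set(FolderPath),
            Parents = make_set(InitiatingProcessFileName)
    by DeviceName, IocType, HashValue, Confidence, FirstSeen
| order by LastHit desc
```

A device that appears with Source containing DeviceProcessEvents or DeviceImageLoadEvents indicates the matching file was executed or loaded, not merely written to disk, which should raise triage priority over a file-only hit.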
Scenario: Legitimate Scheduled Job Using PowerShell for System Maintenance
Description: A scheduled task runs a PowerShell script to perform routine system maintenance, such as log rotation or disk cleanup, which may contain benign command-line arguments resembling Vidar IOCs.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler with CommandLine containing schtasks or powershell.exe with Start-Process and -ArgumentList that match known benign maintenance scripts.

Scenario: Admin Using Process Explorer to Analyze Processes
Description: A system administrator uses Process Explorer (Sysinternals tool) to investigate suspicious processes, which may trigger the rule due to similar process names or paths.
Filter/Exclusion: Exclude processes with ImageFileName matching procexp.exe or Process Explorer.exe and filter by user account (e.g., Administrators group).

Scenario: Legitimate Use of AWS CLI for Cloud Infrastructure Management
Description: A DevOps engineer uses the AWS CLI to manage cloud resources, which may involve commands or paths that resemble Vidar IOCs.
Filter/Exclusion: Exclude processes with CommandLine containing aws or awscli and filter by user account (e.g., devops or cloud-admin).

Scenario: Regular Use of Windows Task Scheduler for Backups
Description: A backup job scheduled via Task Scheduler uses a script or executable that may have command-line arguments matching Vidar IOCs.
Filter/Exclusion: Exclude processes with CommandLine containing backup or backup.exe and filter by TaskName or TaskXML that match known backup tasks.

Scenario: Legitimate Use of PowerShell for Log Analysis
Description: A security analyst uses PowerShell scripts to analyze system logs, which may include commands or paths