The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, leveraging known indicators of compromise associated with its malicious infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be establishing persistence or exfiltrating data within their environment.
IOC Summary
- Malware Family: RedTail
- Total IOCs: 8
- IOC Types: sha256_hash, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 79[.]76[.]58[.]113:2375 | payload_delivery | 2026-06-14 | 85% |
| url | hxxps://217[.]60[.]195[.]113/sh | payload_delivery | 2026-06-14 | 85% |
| sha256_hash | 7c8e7619c5398d3b857e6f72cf791e2c2e27762ddd8521eb8971c893cdb8b1fc | payload | 2026-06-14 | 85% |
| ip:port | 87[.]120[.]166[.]130:2375 | payload_delivery | 2026-06-14 | 85% |
| ip:port | 152[.]42[.]247[.]85:2375 | payload_delivery | 2026-06-14 | 85% |
| ip:port | 31[.]76[.]27[.]231:80 | payload_delivery | 2026-06-14 | 85% |
| ip:port | 183[.]56[.]243[.]176:2375 | payload_delivery | 2026-06-14 | 85% |
| ip:port | 168[.]144[.]45[.]211:2375 | payload_delivery | 2026-06-14 | 85% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["183.56.243.176", "31.76.27.231", "79.76.58.113", "168.144.45.211", "152.42.247.85", "87.120.166.130"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["183.56.243.176", "31.76.27.231", "79.76.58.113", "168.144.45.211", "152.42.247.85", "87.120.166.130"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - RedTail
let malicious_urls = dynamic(["https://217.60.195.113/sh"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - RedTail
// The feed only supplies a SHA-256 value, so only the SHA256 column can match it
let malicious_hashes = dynamic(["7c8e7619c5398d3b857e6f72cf791e2c2e27762ddd8521eb8971c893cdb8b1fc"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
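The IOC table above is defanged (`[.]`, `hxxps`) and mixes `ip:port` entries with URLs and hashes, while the hunting queries need plain values in `dynamic([...])` lists. This added example (not part of the ThreatFox page or the rule) refangs the rows from this page, splits `ip:port` so the port is available for a stricter match, validates the hash, and renders the `let` statements the queries use; the row tuples and function names are constructed for the example.

```python
"""Refang ThreatFox-style IOC rows and emit the KQL `let` lists used by the
Sentinel hunting queries. Added example; values are copied from this page's table."""
import json
import re

# Constructed sample: a subset of the defanged rows from this page's IOC table.
IOC_ROWS = [
    ("ip:port", "79[.]76[.]58[.]113:2375"),
    ("url", "hxxps://217[.]60[.]195[.]113/sh"),
    ("sha256_hash", "7c8e7619c5398d3b857e6f72cf791e2c2e27762ddd8521eb8971c893cdb8b1fc"),
    ("ip:port", "31[.]76[.]27[.]231:80"),
]

def refang(value: str) -> str:
    """Undo the usual defanging: [.] -> . and hxxp(s):// -> http(s)://."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)

def bucket_iocs(rows):
    """Group refanged values by the KQL list each hunting query expects.
    ip:port rows are split: the bare IP feeds the existing queries, the
    (ip, port) pair is kept for a stricter RemoteIP/RemotePort check."""
    out = {"ips": [], "ip_ports": [], "urls": [], "sha256": []}
    for ioc_type, raw in rows:
        val = refang(raw)
        if ioc_type == "ip:port":
            ip, port = val.rsplit(":", 1)
            out["ips"].append(ip)
            out["ip_ports"].append({"ip": ip, "port": int(port)})
        elif ioc_type == "url":
            out["urls"].append(val)
        elif ioc_type == "sha256_hash":
            # Reject anything that is not a 64-hex-digit SHA-256 digest
            if not re.fullmatch(r"[0-9a-f]{64}", val.lower()):
                raise ValueError(f"not a SHA-256 hex digest: {val}")
            out["sha256"].append(val.lower())
    return out

def kql_let(name: str, values) -> str:
    """Render a KQL `let` statement; a JSON array is a valid dynamic() literal."""
    return f"let {name} = dynamic({json.dumps(values)});"

if __name__ == "__main__":
    b = bucket_iocs(IOC_ROWS)
    print(kql_let("malicious_ips", b["ips"]))
    print(kql_let("malicious_urls", b["urls"]))
    print(kql_let("malicious_hashes", b["sha256"]))
```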
- Scenario: Scheduled system maintenance using Task Scheduler to run diskdefrag.exe. Filter/Exclusion: Exclude processes initiated by Task Scheduler with a command line containing diskdefrag.exe.
- Scenario: Admin performing a database backup using sqlbackup.exe. Filter/Exclusion: Exclude processes with sqlbackup.exe and parent process sqlservr.exe (Microsoft SQL Server).
- Scenario: IT team using PowerShell to generate reports via Export-Csv. Filter/Exclusion: Exclude PowerShell scripts that use Export-Csv and are initiated from known IT management tools such as PowerShell ISE or PowerShell Studio.
- Scenario: System using Windows Update to install patches via wuauclt.exe. Filter/Exclusion: Exclude processes with wuauclt.exe and parent process svchost.exe (Windows Update service).
- Scenario: Security team using LogonUI.exe to manage user sessions during shift changes. Filter/Exclusion: Exclude processes with LogonUI.exe and a user account associated with the security team’s service account.