The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, leveraging known indicators of compromise associated with their malicious infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage RedTail attacks before they cause significant damage.
IOC Summary
Malware Family: RedTail
Total IOCs: 3
IOC Types: ip:port, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 47[.]77[.]182[.]54:2375 | payload_delivery | 2026-06-01 | 80% |
| sha256_hash | 59c29436755b0778e968d49feeae20ed65f5fa5e35f9f7965b8ed93420db91e5 | payload | 2026-06-01 | 85% |
| sha256_hash | dbb7ebb960dc0d5a480f97ddde3a227a2d83fcaca7d37ae672e6a0a6785631e9 | payload | 2026-06-01 | 85% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
// Note: the published IOC is ip:port (47.77.182.54:2375); this query matches on the
// IP alone so that connections to other ports on the same host are also surfaced.
let malicious_ips = dynamic(["47.77.182.54"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["47.77.182.54"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - RedTail
// All published RedTail hashes are SHA256, so only the SHA256 column can match them;
// comparing the SHA1 or MD5 columns against these values would never return a row.
let malicious_hashes = dynamic(["59c29436755b0778e968d49feeae20ed65f5fa5e35f9f7965b8ed93420db91e5", "dbb7ebb960dc0d5a480f97ddde3a227a2d83fcaca7d37ae672e6a0a6785631e9"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
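The three queries are hand-written from the IOC table, which is error-prone when the feed changes: defanged `ip:port` values have to be refanged and split, and a hash list should only be compared against the column of its own algorithm. The following added example (not part of the rule or of ThreatFox) shows one way to turn ThreatFox-style IOC rows into the `let` bindings and `where` clauses used above; the `IOC_ROWS` input is the page's own three IOCs re-typed as constructed input, and the function names are my own.

```python
"""Normalise ThreatFox-style IOC rows into the KQL `let` bindings used by the
Sentinel hunting queries. Added example; field names and helpers are mine."""
import re
from typing import Dict, List, Tuple

# Constructed input: the three RedTail IOCs listed on this page, in the form
# ThreatFox publishes them (defanged ip:port, plain lowercase sha256 strings).
IOC_ROWS = [
    {"type": "ip:port", "value": "47[.]77[.]182[.]54:2375"},
    {"type": "sha256_hash", "value": "59c29436755b0778e968d49feeae20ed65f5fa5e35f9f7965b8ed93420db91e5"},
    {"type": "sha256_hash", "value": "dbb7ebb960dc0d5a480f97ddde3a227a2d83fcaca7d37ae672e6a0a6785631e9"},
]

# Hash algorithm is inferred from hex length so each list lands in its own column.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def refang(value: str) -> str:
    """Undo common defanging: 47[.]77[.]182[.]54 -> 47.77.182.54, hxxp -> http."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_ip_port(value: str) -> Tuple[str, int]:
    """Split a (possibly defanged) ip:port IOC and validate both halves."""
    ip, _, port = refang(value).rpartition(":")
    if not IPV4_RE.match(ip) or not port.isdigit():
        raise ValueError(f"not an ipv4:port IOC: {value!r}")
    if not all(0 <= int(octet) <= 255 for octet in ip.split(".")):
        raise ValueError(f"octet out of range: {value!r}")
    return ip, int(port)


def classify_hash(value: str) -> str:
    """Return md5 / sha1 / sha256 based on length, rejecting non-hex input."""
    h = value.strip().lower()
    kind = HASH_LENGTHS.get(len(h))
    if kind is None or not re.fullmatch(r"[0-9a-f]+", h):
        raise ValueError(f"unrecognised hash: {value!r}")
    return kind


def bucket_iocs(rows: List[Dict[str, str]]) -> Dict[str, list]:
    """Group IOC rows by the KQL column they will be compared against."""
    buckets: Dict[str, list] = {"ips": [], "ip_ports": [], "md5": [], "sha1": [], "sha256": []}
    for row in rows:
        ioc_type, value = row["type"], row["value"]
        if ioc_type == "ip:port":
            ip, port = parse_ip_port(value)
            if ip not in buckets["ips"]:
                buckets["ips"].append(ip)
            buckets["ip_ports"].append((ip, port))
        elif ioc_type.endswith("_hash"):
            buckets[classify_hash(value)].append(value.strip().lower())
        else:
            raise ValueError(f"unsupported IOC type {ioc_type!r}")
    return buckets


def kql_list(name: str, values: List[str]) -> str:
    """Render a KQL `let name = dynamic([...]);` binding."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def render_file_hunt(buckets: Dict[str, list]) -> str:
    """Emit the DeviceFileEvents hunt, comparing each hash list only to its own column."""
    lines, predicates = [], []
    for kind, column in (("md5", "MD5"), ("sha1", "SHA1"), ("sha256", "SHA256")):
        if buckets[kind]:
            lines.append(kql_list(f"malicious_{kind}", buckets[kind]))
            predicates.append(f"{column} in (malicious_{kind})")
    lines += ["DeviceFileEvents", "| where " + " or ".join(predicates),
              "| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName"]
    return "\n".join(lines)


def render_network_hunt(buckets: Dict[str, list]) -> str:
    """Emit the DeviceNetworkEvents hunt on IPs, with the IOC ports kept as a second list."""
    ports = sorted({str(p) for _, p in buckets["ip_ports"]})
    return "\n".join([
        kql_list("malicious_ips", buckets["ips"]),
        kql_list("malicious_ports", ports),
        "DeviceNetworkEvents",
        "| where RemoteIP in (malicious_ips)",
        "| extend PortMatchesIOC = tostring(RemotePort) in (malicious_ports)",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatchesIOC, InitiatingProcessFileName",
    ])


if __name__ == "__main__":
    b = bucket_iocs(IOC_ROWS)
    print(render_network_hunt(b))
    print()
    print(render_file_hunt(b))
```

The network query still matches on the IP alone, as the page's queries do, but carries a `PortMatchesIOC` column so an analyst can tell a hit on the published port 2375 from traffic to the same host on another port without losing either.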
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: System update or patching process using msiexec.exe to install a legitimate Windows update
  Filter/Exclusion: process.name == msiexec.exe and process.args contains " /quiet" or " /passive"
- Scenario: Scheduled job running schtasks.exe to execute a routine maintenance task
  Filter/Exclusion: process.name == schtasks.exe and process.args contains "/create /tn" or "/run"
- Scenario: Admin using PowerShell.exe to run a script for log management or compliance check
  Filter/Exclusion: process.name == powershell.exe and process.args contains " -File " or " -Command "
- Scenario: Database backup using sqlcmd.exe with a scheduled task
  Filter/Exclusion: process.name == sqlcmd.exe and process.args contains " -S " or " -Q "
- Scenario: IT staff using taskkill.exe to terminate a non-responsive service
  Filter/Exclusion: process.name == taskkill.exe and process.args contains "/F /PID" or "/IM"
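The exclusion shorthand above reads "contains A or B" as "(contains A) or (contains B)", with the process-name test applying to both branches; read literally with `or` binding loosely, every event whose arguments merely contain the second string would be dropped regardless of process. The following added example (mine, not part of the rule) encodes the five exclusions with that intended precedence and runs them over a handful of constructed process events; the `process.name` / `process.args` field names follow the page, argument matching is case-sensitive because flags such as sqlcmd's `-S` and `-s` differ only in case.

```python
"""Apply the page's false-positive exclusions to process events before they
reach an analyst. Added example; rules are transcribed from the page, events
are constructed."""
from typing import Dict, List, Optional, Tuple

# (process name, argument substrings). An event is excluded when its process
# name matches AND its arguments contain at least one of the substrings.
EXCLUSIONS: List[Tuple[str, List[str]]] = [
    ("msiexec.exe",    [" /quiet", " /passive"]),
    ("schtasks.exe",   ["/create /tn", "/run"]),
    ("powershell.exe", [" -File ", " -Command "]),
    ("sqlcmd.exe",     [" -S ", " -Q "]),
    ("taskkill.exe",   ["/F /PID", "/IM"]),
]


def excluded_by(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the exclusion rule that drops this event, or None."""
    name = event.get("process.name", "").lower()   # image names are case-insensitive on Windows
    args = event.get("process.args", "")            # flags are compared case-sensitively
    for proc, needles in EXCLUSIONS:
        if name == proc and any(needle in args for needle in needles):
            return proc
    return None


def triage(events: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split events into (kept for review, dropped as known-benign)."""
    keep, dropped = [], []
    for event in events:
        (dropped if excluded_by(event) else keep).append(event)
    return keep, dropped


# Constructed sample events; the cmd.exe row is the precedence trap: its
# arguments contain " /quiet" but it is not msiexec.exe, so it must be kept.
SAMPLE_EVENTS = [
    {"process.name": "MSIEXEC.EXE",    "process.args": "msiexec.exe /i update.msi /quiet"},
    {"process.name": "schtasks.exe",   "process.args": 'schtasks.exe /create /tn "Maintenance" /tr cleanup.cmd'},
    {"process.name": "powershell.exe", "process.args": "powershell.exe -File C:\\ops\\rotate-logs.ps1"},
    {"process.name": "cmd.exe",        "process.args": "cmd.exe /c setup.cmd /quiet"},
    {"process.name": "powershell.exe", "process.args": "powershell.exe -NoProfile Get-Process"},
]

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_EVENTS)
    for event in dropped:
        print("dropped by", excluded_by(event), "->", event["process.args"])
    for event in kept:
        print("kept for review ->", event["process.args"])
```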