The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, leveraging known indicators of compromise to identify malicious behavior in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early, reducing the risk of data exfiltration and lateral movement.
IOC Summary

Malware Family: RedTail
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 31[.]76[.]46[.]226:2375 | payload_delivery | 2026-06-22 | 80% |
| ip:port | 209[.]99[.]185[.]239:2375 | payload_delivery | 2026-06-22 | 80% |
| ip:port | 112[.]18[.]182[.]202:2375 | payload_delivery | 2026-06-22 | 80% |
| ip:port | 185[.]211[.]94[.]76:2375 | payload_delivery | 2026-06-22 | 80% |
| ip:port | 68[.]183[.]234[.]194:2375 | payload_delivery | 2026-06-22 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
// The feed publishes ip:port pairs (all on port 2375); this query matches on the
// IP alone so that connections to any port on these hosts are surfaced.
let malicious_ips = dynamic(["112.18.182.202", "209.99.185.239", "31.76.46.226", "185.211.94.76", "68.183.234.194"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP list as above; RemotePort is projected so hits on 2375 stand out.
let malicious_ips = dynamic(["112.18.182.202", "209.99.185.239", "31.76.46.226", "185.211.94.76", "68.183.234.194"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
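The queries above take the feed's defanged `ip[.]addr:port` values and match on the IP alone. The following Python script is an added example, not part of the ThreatFox feed or the Sentinel rule: it refangs the five RedTail IOCs from the table, renders the same `let malicious_ips = dynamic([...])` line the KQL uses, and runs the hunt over constructed CommonSecurityLog-shaped rows, either on the exact ip:port pair the feed published or on the IP alone as the page's query does. Only the destination side is checked here; the page's query also checks `SourceIP`. The sample rows are constructed, not real telemetry.

```python
"""Refang ThreatFox-style ip:port IOCs and hunt for them in exported log rows.

Added example, not part of the ThreatFox feed or the Sentinel rule. The IOC
values are the five RedTail ip:port pairs from the IOC table; the log rows
are constructed sample data.
"""
import re
from typing import Iterable

# The five RedTail ip:port IOCs exactly as the feed publishes them (defanged).
DEFANGED_IOCS = [
    "31[.]76[.]46[.]226:2375",
    "209[.]99[.]185[.]239:2375",
    "112[.]18[.]182[.]202:2375",
    "185[.]211[.]94[.]76:2375",
    "68[.]183[.]234[.]194:2375",
]

_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def refang(ioc: str) -> tuple[str, int]:
    """Turn '1[.]2[.]3[.]4:2375' into ('1.2.3.4', 2375), validating both parts."""
    ip, _, port = ioc.replace("[.]", ".").partition(":")
    m = _IPV4.match(ip)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        raise ValueError(f"not an IPv4 address: {ioc}")
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in IOC: {ioc}")
    return ip, int(port)


def kql_ip_list(iocs: Iterable[str]) -> str:
    """Render the 'let malicious_ips = dynamic([...])' line used by the hunting queries."""
    ips = sorted({refang(i)[0] for i in iocs})
    quoted = ", ".join(f'"{ip}"' for ip in ips)
    return f"let malicious_ips = dynamic([{quoted}]);"


def hunt(rows: Iterable[dict], iocs: Iterable[str], match_port: bool = True) -> list[dict]:
    """Return rows whose destination matches an IOC.

    match_port=True hits only the exact ip:port pair the feed published;
    match_port=False mirrors the page's KQL, which matches the IP alone.
    Destination side only; the page's query also checks SourceIP.
    """
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for row in rows:
        key = (row["DestinationIP"], int(row["DestinationPort"]))
        if (key in pairs) if match_port else (key[0] in ips):
            hits.append(row)
    return hits


# Constructed sample rows in CommonSecurityLog shape (not real telemetry).
SAMPLE_ROWS = [
    {"TimeGenerated": "2026-06-22T10:00:01Z", "SourceIP": "10.0.0.15",
     "DestinationIP": "31.76.46.226", "DestinationPort": 2375, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-22T10:00:02Z", "SourceIP": "10.0.0.15",
     "DestinationIP": "31.76.46.226", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-22T10:00:03Z", "SourceIP": "10.0.0.22",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-22T10:00:04Z", "SourceIP": "10.0.0.31",
     "DestinationIP": "68.183.234.194", "DestinationPort": 2375, "DeviceAction": "deny"},
]

if __name__ == "__main__":
    print(kql_ip_list(DEFANGED_IOCS))
    for r in hunt(SAMPLE_ROWS, DEFANGED_IOCS):
        print(r["TimeGenerated"], r["SourceIP"], "->",
              r["DestinationIP"], r["DestinationPort"], r["DeviceAction"])
```

Running the script prints the `let` line and the two rows that hit the exact ip:port pairs; with `match_port=False` the 443 connection to the same host is also returned, which is the broader net the page's KQL casts. The refang step validates each octet and port so that a malformed feed entry fails loudly instead of silently producing a list entry that never matches.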
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the RedTail IOCs (e.g., a PowerShell script used for system cleanup).
Filter/Exclusion: process.name != "CleanupScript.ps1" or process.parent_process_name != "TaskScheduler"
Scenario: Admin Performing Disk Cleanup
Description: An administrator uses a known tool like Disk Cleanup or CCleaner which may have a file or registry entry that matches a RedTail IOC.
Filter/Exclusion: process.name != "cleanmgr.exe" and process.name != "ccleaner.exe"
Scenario: Log File Rotation Using Logrotate
Description: The logrotate utility (common in Linux environments) may generate files or use commands that match RedTail IOCs during routine log rotation.
Filter/Exclusion: process.name != "logrotate" or process.parent_process_name != "systemd"
Scenario: Database Backup Job Using mysqldump
Description: A scheduled database backup job using mysqldump may produce output files or use commands that resemble RedTail IOCs.
Filter/Exclusion: process.name != "mysqldump" or process.parent_process_name != "cron"
Scenario: Network Monitoring Tool Generating Alerts
Description: A network monitoring tool like Wireshark or tcpdump may generate files or logs that match RedTail IOCs during normal operation.
Filter/Exclusion: process.name != "tcpdump" and process.name != "wireshark"