The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, which is associated with high-impact malware and persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage to the environment.
IOC Summary
Malware Family: RedTail
Total IOCs: 3
IOC Types: ip:port, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 47[.]77[.]182[.]54:2375 | payload_delivery | 2026-06-01 | 80% |
| sha256_hash | 59c29436755b0778e968d49feeae20ed65f5fa5e35f9f7965b8ed93420db91e5 | payload | 2026-06-01 | 85% |
| sha256_hash | dbb7ebb960dc0d5a480f97ddde3a227a2d83fcaca7d37ae672e6a0a6785631e9 | payload | 2026-06-01 | 85% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
// The ThreatFox IOC is ip:port (47.77.182.54:2375); matching on the IP alone
// is deliberately broad. Add "and DestinationPort == 2375" to tighten it.
let malicious_ips = dynamic(["47.77.182.54"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["47.77.182.54"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - RedTail
// Only SHA-256 values are published for this family, so only the SHA256 column
// can match; comparing the same list against SHA1 or MD5 would never hit.
// in~ makes the comparison case-insensitive in case the hash casing differs.
let malicious_hashes = dynamic(["59c29436755b0778e968d49feeae20ed65f5fa5e35f9f7965b8ed93420db91e5", "dbb7ebb960dc0d5a480f97ddde3a227a2d83fcaca7d37ae672e6a0a6785631e9"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
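The `let` lists in the queries above are hand-copied from the IOC summary table, which is where transcription errors (a defanged `[.]` left in, a truncated hash, a port silently dropped) creep in. The following Python script is an added example, not part of the original page or of ThreatFox tooling: it takes the three table rows from this page as constructed input, refangs and validates each IOC, lets you drop low-confidence entries, and emits the KQL `let` statements so the hunting queries are generated rather than typed. The row layout and the `min_confidence` threshold are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the rows of the IOC summary table on this page,
# defanged exactly as published (type, value, threat type, confidence %).
IOC_TABLE = [
    ("ip:port", "47[.]77[.]182[.]54:2375", "payload_delivery", 80),
    ("sha256_hash", "59c29436755b0778e968d49feeae20ed65f5fa5e35f9f7965b8ed93420db91e5", "payload", 85),
    ("sha256_hash", "dbb7ebb960dc0d5a480f97ddde3a227a2d83fcaca7d37ae672e6a0a6785631e9", "payload", 85),
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True)
class Ioc:
    ioc_type: str
    value: str            # refanged IP (without port) or lowercase hex digest
    port: Optional[int]   # only set for ip:port IOCs
    threat_type: str
    confidence: int


def refang(value: str) -> str:
    """Undo the usual defanging conventions so the value matches raw log fields."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_ioc(ioc_type: str, raw: str, threat_type: str, confidence: int) -> Ioc:
    """Validate one table row; malformed IOCs raise instead of silently becoming dead filters."""
    if ioc_type == "ip:port":
        # rpartition handles IPv4 "a.b.c.d:port"; bracketed IPv6 is out of scope here.
        host, sep, port = refang(raw).rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"ip:port IOC without a valid port: {raw!r}")
        ipaddress.ip_address(host)  # raises ValueError on a malformed address
        return Ioc(ioc_type, host, int(port), threat_type, confidence)
    if ioc_type == "sha256_hash":
        digest = raw.strip().lower()
        if not SHA256_RE.match(digest):
            raise ValueError(f"not a SHA-256 hex digest: {raw!r}")
        return Ioc(ioc_type, digest, None, threat_type, confidence)
    raise ValueError(f"unsupported IOC type: {ioc_type}")


def load_iocs(rows, min_confidence: int = 0):
    """Parse every row, keeping only IOCs at or above the confidence threshold (assumed knob)."""
    return [parse_ioc(*row) for row in rows if row[3] >= min_confidence]


def _dynamic(values) -> str:
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"


def kql_let_statements(iocs) -> str:
    """Emit the let-bindings the Sentinel/Defender hunting queries start with."""
    ips = sorted({i.value for i in iocs if i.ioc_type == "ip:port"})
    hashes = sorted({i.value for i in iocs if i.ioc_type == "sha256_hash"})
    return "\n".join([
        f"let malicious_ips = {_dynamic(ips)};",
        f"let malicious_hashes = {_dynamic(hashes)};",
    ])


def watchlist_csv(iocs) -> str:
    """Rows in a shape suitable for a Sentinel watchlist upload (column names assumed)."""
    lines = ["IocType,Value,Port,ThreatType,Confidence"]
    for i in iocs:
        lines.append(f"{i.ioc_type},{i.value},{i.port if i.port else ''},{i.threat_type},{i.confidence}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = load_iocs(IOC_TABLE)
    print(kql_let_statements(parsed))
    print(watchlist_csv(parsed))
```

Paste the printed `let` lines at the top of the hunting queries; the port is kept on the parsed object so a tighter `RemotePort == 2375` clause can be generated from the same data rather than remembered.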
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the RedTail IOC pattern (e.g., C:\Windows\System32\svchost.exe or taskmgr.exe).
Filter/Exclusion: Exclude processes associated with Task Scheduler or processes with CommandLine containing /S or --schedule.
Scenario: Admin Tool Execution
Description: An administrator uses a legitimate tool like Process Explorer or Sysmon to investigate system behavior, which may trigger the IOC due to process names or paths.
Filter/Exclusion: Exclude processes with ParentProcess matching explorer.exe, services.exe, or taskmgr.exe.
Scenario: Log File Analysis Job
Description: A security team runs a job to analyze log files using tools like LogParser or PowerShell scripts, which may include paths or commands resembling RedTail IOCs.
Filter/Exclusion: Exclude processes with ProcessName containing logparser.exe, powershell.exe (with specific command-line arguments), or cmd.exe with loganalysis in the command line.
Scenario: Antivirus Quarantine Scan
Description: An endpoint protection tool quarantines a file that matches a RedTail IOC, such as a temporary file or a known benign executable.
Filter/Exclusion: Exclude processes with ProcessName matching antivirus tools (e.g., mpsvr.exe, avgnt.exe, mcafee.exe) or files in the quarantine directory.
Scenario: Database Backup Job
Description: A database backup script (e.g., using SQL Server Agent or MySQL tools) may generate temporary files or use paths that match RedTail IOCs.
Filter/Exclusion: