The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, leveraging known indicators of compromise to identify malicious behavior in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early, reducing the risk of data exfiltration and lateral movement.
IOC Summary
Malware Family: RedTail Total IOCs: 4 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 217[.]60[.]195[.]113:22 | payload_delivery | 2026-06-10 | 85% |
| ip:port | 75[.]119[.]132[.]109:80 | payload_delivery | 2026-06-10 | 85% |
| ip:port | 138[.]124[.]242[.]51:2375 | payload_delivery | 2026-06-10 | 85% |
| ip:port | 161[.]35[.]169[.]21:2375 | payload_delivery | 2026-06-10 | 85% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["161.35.169.21", "138.124.242.51", "217.60.195.113", "75.119.132.109"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["161.35.169.21", "138.124.242.51", "217.60.195.113", "75.119.132.109"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: System update or patching process using WSUS (Windows Server Update Services)
Filter/Exclusion: Check for ProcessName containing wuauclt.exe or wsus in the command line arguments.
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Filter by ProcessName containing veeambackup.exe or check for known backup job names in the command line.
Scenario: Administrative task using PowerShell to configure system settings
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for known administrative scripts or commands (e.g., Set-ItemProperty, Get-WmiObject).
Scenario: Log collection or monitoring tool like Splunk or ELK Stack
Filter/Exclusion: Check for ProcessName containing splunkd.exe, logstash, or java (for Elasticsearch), and verify if the process is associated with log ingestion.
Scenario: Internal tool for managing user accounts using Active Directory PowerShell cmdlets
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for Import-Module ActiveDirectory or similar AD-related cmdlets in the command line.