The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail malware family, using the indicators of compromise that ThreatFox currently lists for it. SOC teams should proactively hunt for connections to these indicators in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain early-stage RedTail activity before it spreads.
IOC Summary
Malware Family: RedTail
Total IOCs: 4
IOC Types: ip:port (all four indicators use TCP port 2375, the default port of the unencrypted Docker Engine API, so a full-fidelity match is the IP and that port together, not the IP alone)
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 217[.]79[.]226[.]23:2375 | payload_delivery | 2026-06-06 | 80% |
| ip:port | 47[.]95[.]234[.]23:2375 | payload_delivery | 2026-06-06 | 80% |
| ip:port | 47[.]238[.]121[.]28:2375 | payload_delivery | 2026-06-06 | 80% |
| ip:port | 101[.]36[.]104[.]242:2375 | payload_delivery | 2026-06-06 | 80% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
// Note: this matches on IP alone; the indicator port (2375) is not enforced,
// so DestinationPort is projected to let the analyst rank hits during triage.
let malicious_ips = dynamic(["47.238.121.28", "217.79.226.23", "101.36.104.242", "47.95.234.23"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Note: as above, IP-only matching; RemotePort and the initiating process are
// projected so a 2375 hit from an unexpected process stands out.
let malicious_ips = dynamic(["47.238.121.28", "217.79.226.23", "101.36.104.242", "47.95.234.23"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
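The two hunts above match on IP only, which loses the port half of an ip:port indicator. The script below, an added example that is not part of the ThreatFox feed or of the page's own queries, refangs the four published indicators, generates a KQL variant that joins on both IP and port, and runs the same matching logic over constructed sample events shaped like DeviceNetworkEvents rows (the device names, process names and the non-indicator addresses are invented sample data, not real telemetry).

```python
"""Refang ThreatFox ip:port indicators, build a port-aware Sentinel hunt,
and run the matching logic over constructed sample events.

Added example; not part of the ThreatFox feed or the queries on the page.
The four indicator strings are the ones in the IOC table; the NetEvent rows
are constructed sample data, not real telemetry.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Indicators exactly as published on the page (defanged with "[.]").
THREATFOX_IOCS = [
    "217[.]79[.]226[.]23:2375",
    "47[.]95[.]234[.]23:2375",
    "47[.]238[.]121[.]28:2375",
    "101[.]36[.]104[.]242:2375",
]


def refang(ioc: str) -> tuple[str, int]:
    """Turn '1[.]2[.]3[.]4:2375' into ('1.2.3.4', 2375), rejecting malformed input."""
    host, sep, port = ioc.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"indicator has no port: {ioc!r}")
    ip = str(ipaddress.ip_address(host))  # raises ValueError on garbage
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {ioc!r}")
    return ip, port_num


def build_kql(iocs: Iterable[str], table: str = "DeviceNetworkEvents",
              ip_col: str = "RemoteIP", port_col: str = "RemotePort") -> str:
    """Emit a KQL hunt that keeps ip:port fidelity by joining on both columns.

    Unlike the IP-only queries on the page, this variant fires only when the
    remote port matches the indicator's port as well.
    """
    rows = ",\n    ".join(f'"{ip}", {port}' for ip, port in map(refang, iocs))
    return (
        "let redtail_iocs = datatable(ioc_ip:string, ioc_port:int) [\n"
        f"    {rows}\n"
        "];\n"
        f"{table}\n"
        f"| join kind=inner redtail_iocs on $left.{ip_col} == $right.ioc_ip "
        f"and $left.{port_col} == $right.ioc_port\n"
        "| project-away ioc_ip, ioc_port\n"
    )


@dataclass(frozen=True)
class NetEvent:
    """Minimal stand-in for a DeviceNetworkEvents row (constructed, not real)."""
    device: str
    remote_ip: str
    remote_port: int
    process: str


def classify(event: NetEvent, iocs: Iterable[str]) -> Optional[str]:
    """'match' for a full ip:port hit, 'ip_only' for the IP on another port, else None.

    'ip_only' is kept visible on purpose: a host talking to a listed IP on a
    different port still deserves a look, it just ranks below a full match.
    """
    pairs = {refang(i) for i in iocs}
    if (event.remote_ip, event.remote_port) in pairs:
        return "match"
    if any(ip == event.remote_ip for ip, _ in pairs):
        return "ip_only"
    return None


# Constructed sample telemetry: one full hit, one IP-only hit, one clean row.
SAMPLE_EVENTS = [
    NetEvent("build-01", "47.238.121.28", 2375, "bash"),
    NetEvent("build-02", "47.238.121.28", 443, "curl"),
    NetEvent("ws-07", "8.8.8.8", 53, "svchost.exe"),
]


def hunt(events: Iterable[NetEvent], iocs: Iterable[str]) -> list[tuple[str, str]]:
    """Return (device, verdict) for every event that touches a listed IP."""
    hits = []
    for ev in events:
        verdict = classify(ev, iocs)
        if verdict:
            hits.append((ev.device, verdict))
    return hits


if __name__ == "__main__":
    print(build_kql(THREATFOX_IOCS))
    for device, verdict in hunt(SAMPLE_EVENTS, THREATFOX_IOCS):
        print(f"{device}: {verdict}")
```

Passing `table="CommonSecurityLog", ip_col="DestinationIP", port_col="DestinationPort"` produces the firewall-side variant of the same join. Feeding new indicator strings through `refang` before they reach a query also guards against a defanged or malformed value silently matching nothing.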
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog (AMA) connector from firewalls and proxies; ensure the connector is enabled and that the devices forward allowed as well as denied connections, otherwise DeviceAction only ever shows blocks |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector and requires Defender for Endpoint on the hosts; ensure the connector is enabled |
Because every RedTail indicator on this page is an ip:port pair, a benign process only produces a hit if it actually connects to one of the four addresses; file paths, process enumeration or scheduled-task metadata cannot match these indicators. Tune on the initiating process (InitiatingProcessFileName in DeviceNetworkEvents) or the source device, confirm the destination port, and never suppress on account privilege: a connection to a known payload-delivery host is more suspicious, not less, when it comes from an administrator or LocalSystem.

Scenario: System update or patching process (Windows Update, WSUS client) generating outbound connections during a maintenance window.
Filter/Exclusion: Exclude only a hit whose initiating process is the update client and whose destination port is not 2375; scope the exclusion to that process name, not to the whole maintenance window.

Scenario: Scheduled job run by Task Scheduler performing routine log rotation or data archiving to a remote destination.
Filter/Exclusion: Exclude the log-management tool (LogParser, Splunk forwarder) by process name together with its known remote destinations; a connection from a scheduled task to one of the listed addresses is a finding, not noise.

Scenario: Admin performing a system inventory with Sysinternals tools (Process Explorer, PsList), which enumerate processes but do not connect to arbitrary remote hosts.
Filter/Exclusion: Do not exclude by privileged account (Administrator, LocalSystem); if the tool's own traffic must be tuned, scope the exclusion to its process name only.

Scenario: Regular backup job using Veeam Backup & Replication or Commvault connecting to its backup repositories.
Filter/Exclusion: Exclude by the backup service's process name together with its repository addresses; do not blanket-exclude all connections from backup hosts, which are high-value targets in their own right.

Scenario: Endpoint protection product (Malwarebytes, Bitdefender) performing cloud reputation or update lookups.
Filter/Exclusion: Exclude by the product's service or process name only, and verify with the vendor that the address in question is theirs before suppressing it.