The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group by matching network traffic and endpoint connections against known indicators of compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early in the attack lifecycle.
IOC Summary

Malware Family: RedTail
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 212[.]127[.]90[.]201:2375 | payload_delivery | 2026-06-20 | 80% |
| ip:port | 147[.]139[.]136[.]75:2375 | payload_delivery | 2026-06-20 | 80% |
| ip:port | 31[.]132[.]90[.]3:80 | payload_delivery | 2026-06-20 | 80% |
| ip:port | 115[.]248[.]8[.]65:80 | payload_delivery | 2026-06-20 | 80% |
| ip:port | 167[.]233[.]68[.]137:80 | payload_delivery | 2026-06-20 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
// Note: the IOCs above are ip:port pairs (ports 2375 and 80). Matching on IP
// alone casts a wider net; add DestinationPort to the where clause to tighten it.
let malicious_ips = dynamic(["147.139.136.75", "212.127.90.201", "115.248.8.65", "167.233.68.137", "31.132.90.3"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Run separately from the query above: each query declares its own malicious_ips list.
let malicious_ips = dynamic(["147.139.136.75", "212.127.90.201", "115.248.8.65", "167.233.68.137", "31.132.90.3"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
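As an added helper that is not part of the rule or of ThreatFox, this Python script refangs the defanged ip:port IOCs from the table above, validates them, emits a KQL datatable so a hunt can match IP and port together (the queries above match IP only), and pre-screens constructed sample events locally. The datatable name, its column names and the sample events are assumptions of this example.

```python
import re
from ipaddress import IPv4Address

# Constructed copy of the defanged ip:port IOCs from the RedTail table above.
DEFANGED_IOCS = [
    "212[.]127[.]90[.]201:2375",
    "147[.]139[.]136[.]75:2375",
    "31[.]132[.]90[.]3:80",
    "115[.]248[.]8[.]65:80",
    "167[.]233[.]68[.]137:80",
]

def refang(ioc: str) -> tuple[str, int]:
    """Turn 'a[.]b[.]c[.]d:port' into ('a.b.c.d', port), rejecting malformed entries."""
    m = re.fullmatch(r"(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})", ioc.strip())
    if not m:
        raise ValueError(f"unexpected IOC format: {ioc!r}")
    ip, port = m.group(1).replace("[.]", "."), int(m.group(2))
    IPv4Address(ip)  # raises a ValueError subclass on an out-of-range octet
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ip, port

def to_kql_datatable(iocs: list[str]) -> str:
    """Emit a KQL datatable so a hunt can match IP and port together, not IP alone.
    The table and column names (redtail_iocs, ioc_ip, ioc_port) are assumed here."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in map(refang, iocs))
    return "let redtail_iocs = datatable(ioc_ip:string, ioc_port:int) [\n" + rows + "\n];"

def match_events(events: list[dict], iocs: list[str]) -> list[dict]:
    """Local pre-check over exported events: keep rows whose remote ip:port is an IOC."""
    wanted = set(map(refang, iocs))
    return [e for e in events if (e["RemoteIP"], int(e["RemotePort"])) in wanted]

# Constructed sample rows shaped like DeviceNetworkEvents output.
SAMPLE_EVENTS = [
    {"DeviceName": "srv01", "RemoteIP": "212.127.90.201", "RemotePort": 2375},  # ip and port hit
    {"DeviceName": "srv02", "RemoteIP": "212.127.90.201", "RemotePort": 443},   # IP only, no exact hit
    {"DeviceName": "ws07", "RemoteIP": "10.20.30.40", "RemotePort": 53},        # unrelated
]

if __name__ == "__main__":
    print(to_kql_datatable(DEFANGED_IOCS))
    for hit in match_events(SAMPLE_EVENTS, DEFANGED_IOCS):
        print("exact ip:port match:", hit)
```

In Sentinel the emitted datatable can be joined to DeviceNetworkEvents on RemoteIP == ioc_ip and RemotePort == ioc_port, which drops IP-only coincidences such as the srv02 row.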
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: System update or patching process using Microsoft Update or Windows Server Update Services (WSUS)
Filter/Exclusion: Exclude events related to msiexec.exe or wuauclt.exe with command lines containing update, patch, or install.
Scenario: Scheduled job for log rotation using Logrotate on Linux systems
Filter/Exclusion: Exclude processes with command lines containing logrotate or rotate and associated with the system’s log management service.
Scenario: Backup job execution using Veeam Backup & Replication or Commvault
Filter/Exclusion: Exclude processes with command lines containing veeam or commvault and associated with backup operations.
Scenario: Administrative task such as Group Policy Object (GPO) synchronization using gpupdate
Filter/Exclusion: Exclude events where gpupdate.exe is executed with the /force or /target flags, or where the process is initiated by a domain controller.
Scenario: Application deployment using Ansible or Chef for configuration management
Filter/Exclusion: Exclude processes with command lines containing ansible-playbook or chef-solo and associated with known deployment scripts or roles.