The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, leveraging known indicators of compromise associated with their malicious infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage RedTail attacks before they cause significant damage.
IOC Summary
Malware Family: RedTail Total IOCs: 8 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 176[.]65[.]139[.]43:2375 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 18[.]97[.]5[.]108:2375 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 183[.]81[.]169[.]76:2375 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 64[.]227[.]0[.]95:2375 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 66[.]132[.]172[.]136:2375 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 68[.]183[.]99[.]254:2375 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 85[.]217[.]140[.]38:2375 | payload_delivery | 2026-06-26 | 80% |
| ip:port | 85[.]217[.]140[.]51:2375 | payload_delivery | 2026-06-26 | 80% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["183.81.169.76", "68.183.99.254", "66.132.172.136", "85.217.140.51", "64.227.0.95", "85.217.140.38", "176.65.139.43", "18.97.5.108"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["183.81.169.76", "68.183.99.254", "66.132.172.136", "85.217.140.51", "64.227.0.95", "85.217.140.38", "176.65.139.43", "18.97.5.108"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the RedTail IOCs, such as a file path or registry key used during routine system maintenance.
Filter/Exclusion: Exclude tasks with TaskName containing “SystemMaintenance” or “ScheduledTask” and check for CommandLine containing powershell.exe -Command with known maintenance scripts.
Scenario: Admin Tool Execution
Description: An administrator uses a legitimate tool like PowerShell or Task Scheduler to execute a script that matches a RedTail IOC, such as a file path or registry modification.
Filter/Exclusion: Exclude processes with ProcessName equal to powershell.exe or taskhost.exe and filter by User with admin privileges (e.g., Administrator or Domain Admin).
Scenario: Log File Rotation or Purge Job
Description: A log management tool like LogParser or Logrotate (on Linux) is used to rotate or purge logs, which may involve file paths or commands that match RedTail IOCs.
Filter/Exclusion: Exclude processes with ProcessName matching logrotate, logparser.exe, or rsyslogd and check for CommandLine containing rotate or purge.
Scenario: Software Update or Patch Deployment
Description: A patching tool like Microsoft Update, WSUS, or Ansible may execute scripts or use file paths that match RedTail IOCs during a routine update.
Filter/Exclusion: Exclude processes with ProcessName matching wusa.exe, msiexec.exe, or ansible.exe and filter by CommandLine containing update, patch, or install.
**Scenario: Backup or Restore Job