The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, leveraging known indicators of compromise to identify malicious network traffic or file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be establishing persistence or exfiltrating data within their environment.
IOC Summary
Malware Family: RedTail
Total IOCs: 6
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 138[.]197[.]39[.]208:80 | payload_delivery | 2026-06-15 | 80% |
| ip:port | 180[.]93[.]43[.]226:80 | payload_delivery | 2026-06-15 | 80% |
| ip:port | 181[.]104[.]43[.]225:80 | payload_delivery | 2026-06-15 | 80% |
| ip:port | 192[.]3[.]16[.]60:80 | payload_delivery | 2026-06-15 | 80% |
| ip:port | 195[.]54[.]179[.]244:80 | payload_delivery | 2026-06-15 | 80% |
| ip:port | 212[.]127[.]90[.]201:80 | payload_delivery | 2026-06-15 | 80% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
// Note: matches on IP only; the feed's port (80 for every entry) is projected but not filtered on
let malicious_ips = dynamic(["195.54.179.244", "180.93.43.226", "138.197.39.208", "212.127.90.201", "192.3.16.60", "181.104.43.225"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["195.54.179.244", "180.93.43.226", "138.197.39.208", "212.127.90.201", "192.3.16.60", "181.104.43.225"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
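An added example in Python, not part of the ThreatFox feed or the rule above: it refangs the ip:port rows from the IOC table, generates a port-aware variant of the CommonSecurityLog hunt, and runs the same matching offline over constructed sample records so the difference between ip:port and IP-only matching is visible. The `strcat`-based KQL, the sample records and the helper names are assumptions made for this example.

```python
import re

# Constructed input: the six RedTail ip:port entries from the table above,
# in the defanged form ThreatFox publishes them in.
THREATFOX_ROWS = [
    "138[.]197[.]39[.]208:80", "180[.]93[.]43[.]226:80", "181[.]104[.]43[.]225:80",
    "192[.]3[.]16[.]60:80", "195[.]54[.]179[.]244:80", "212[.]127[.]90[.]201:80",
]
_IOC = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def refang(ioc: str) -> tuple[str, int]:
    """Convert a defanged 'a[.]b[.]c[.]d:port' IOC into a validated (ip, port)."""
    m = _IOC.match(ioc.strip().replace("[.]", "."))
    if not m:
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ip, port = m.group(1), int(m.group(2))
    if any(int(o) > 255 for o in ip.split(".")) or not 0 < port < 65536:
        raise ValueError(f"out-of-range value in {ioc!r}")
    return ip, port


def build_kql(rows, table="CommonSecurityLog"):
    """Emit a Sentinel hunt keyed on the full ip:port pair rather than the IP alone (assumed query shape)."""
    pairs = sorted({f"{ip}:{port}" for ip, port in map(refang, rows)})
    literal = ", ".join(f'"{p}"' for p in pairs)
    return "\n".join([
        f"let malicious = dynamic([{literal}]);",
        table,
        '| where strcat(DestinationIP, ":", tostring(DestinationPort)) in (malicious)',
        '    or strcat(SourceIP, ":", tostring(SourcePort)) in (malicious)',
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction",
        "| order by TimeGenerated desc",
    ])


def match_events(events, rows, ip_only=False):
    """Apply the same matching offline to CommonSecurityLog-shaped records."""
    iocs = set(map(refang, rows))
    ips = {ip for ip, _ in iocs}
    def hit(ip, port):
        return ip in ips if ip_only else (ip, int(port)) in iocs
    return [e for e in events
            if hit(e["DestinationIP"], e["DestinationPort"])
            or hit(e["SourceIP"], e["SourcePort"])]


# Constructed sample records; only the first matches the ip:port rule, while
# IP-only matching also flags the second (same host, different port).
SAMPLE_EVENTS = [
    {"SourceIP": "10.0.0.5", "SourcePort": 51000, "DestinationIP": "192.3.16.60", "DestinationPort": 80},
    {"SourceIP": "10.0.0.7", "SourcePort": 51001, "DestinationIP": "192.3.16.60", "DestinationPort": 443},
    {"SourceIP": "10.0.0.9", "SourcePort": 51002, "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]
```

Whether to hunt on the full pair or on IP alone is a tuning choice: the pair is tighter and suits the `payload_delivery` entries as listed, while IP-only matching catches the same host on other ports at the cost of more review work.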
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the RedTail IOCs, such as a file path or registry key.
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.parent_process_path contains "schtasks.exe"
Scenario: Admin Performing Software Inventory Scan
Description: An administrator is using a tool like Microsoft System Center Configuration Manager (SCCM) to scan for software inventory, which may trigger a RedTail IOC due to similar file names or paths.
Filter/Exclusion: process.name == "ConfigMgrClient.exe" or process.name contains "SCCM"
Scenario: Log File Rotation or Archiving
Description: A log rotation tool like logrotate or Windows Event Log Management may generate files that match RedTail IOCs due to similar naming conventions.
Filter/Exclusion: file.name contains "logrotate" or file.name contains "eventlog"
Scenario: Antivirus or EDR Software Scanning
Description: A legitimate EDR tool like CrowdStrike Falcon or Microsoft Defender may generate temporary files or artifacts that match RedTail IOCs during a scan.
Filter/Exclusion: process.name contains "Falcon" or process.name contains "MsDefender"
Scenario: Database Backup Job Execution
Description: A database backup job using SQL Server Agent or Oracle Job Scheduler may create temporary files or use paths that match RedTail IOCs.
Filter/Exclusion: process.name contains "sqlservr.exe" or process.name contains "oracle.exe" or process.command_line contains "backup"