The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail malware family by matching network traffic against known malicious infrastructure indicators. Both indicators are ip:port pairs; tcp/2375 is the default port of the unauthenticated Docker Engine API, so an outbound connection to 13.140.155.136:2375 is unusual unless the host legitimately manages remote Docker daemons, which makes that indicator quick to triage. SOC teams should proactively hunt for these connections in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain the activity before it causes significant damage.
IOC Summary
Malware Family: RedTail
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 13[.]140[.]155[.]136:2375 | payload_delivery | 2026-06-21 | 80% |
| ip:port | 167[.]172[.]152[.]94:80 | payload_delivery | 2026-06-21 | 80% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
// Matches on IP only; the port in each ip:port indicator is not checked
let malicious_ips = dynamic(["167.172.152.94", "13.140.155.136"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Matches on IP only; the port in each ip:port indicator is not checked
let malicious_ips = dynamic(["167.172.152.94", "13.140.155.136"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
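The queries above match on IP alone and list the indicators in already-refanged form. The following Python is an added example, not code from ThreatFox or Microsoft Sentinel: it parses the defanged ip:port rows from the IOC table, generates the `let malicious_ips = dynamic([...])` line the queries start with, and runs a port-aware match over constructed records shaped like the CommonSecurityLog and DeviceNetworkEvents columns the queries project. Exact ip:port hits are separated from hits that reached the indicator address on another port, which is the distinction the KQL cannot make. The `_table` key and all event values are constructed for the example.

```python
"""Port-aware matching of the ThreatFox RedTail ip:port indicators.

Added example for this page, not code from ThreatFox or Microsoft Sentinel.
SAMPLE_EVENTS is constructed data shaped like the CommonSecurityLog and
DeviceNetworkEvents columns the KQL above projects; it is not real telemetry.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# The two indicators from the IOC table, in ThreatFox's defanged form.
DEFANGED_IOCS = [
    ("ip:port", "13[.]140[.]155[.]136:2375", "payload_delivery", 80),
    ("ip:port", "167[.]172[.]152[.]94:80", "payload_delivery", 80),
]


@dataclass(frozen=True)
class IpPortIoc:
    ip: str
    port: int
    threat_type: str
    confidence: int


def refang(value: str) -> str:
    """Undo the usual defanging: 13[.]140[.]155[.]136 -> 13.140.155.136, hxxp -> http."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def parse_iocs(rows: Iterable[tuple]) -> list[IpPortIoc]:
    """Parse ip:port rows. ipaddress.ip_address() raises on a malformed address,
    so a typo in the feed fails loudly instead of becoming an indicator that never fires."""
    iocs = []
    for ioc_type, value, threat_type, confidence in rows:
        if ioc_type != "ip:port":
            raise ValueError(f"unsupported IOC type {ioc_type!r}")
        ip_str, _, port_str = refang(value).rpartition(":")
        ip = str(ipaddress.ip_address(ip_str))
        iocs.append(IpPortIoc(ip, int(port_str), threat_type, int(confidence)))
    return iocs


def to_kql_let(iocs: list[IpPortIoc], name: str = "malicious_ips") -> str:
    """Emit the `let ... = dynamic([...]);` line the Sentinel queries start with."""
    quoted = ", ".join(f'"{ioc.ip}"' for ioc in iocs)
    return f"let {name} = dynamic([{quoted}]);"


def remote_endpoints(event: dict) -> list[tuple[str, Optional[int]]]:
    """Normalise a record from either table to the (ip, port) pairs worth checking.
    A firewall flow can match on either side, so both directions are returned."""
    if "RemoteIP" in event:  # DeviceNetworkEvents
        return [(event["RemoteIP"], event.get("RemotePort"))]
    return [  # CommonSecurityLog: outbound to DestinationIP or inbound from SourceIP
        (event["DestinationIP"], event.get("DestinationPort")),
        (event["SourceIP"], event.get("SourcePort")),
    ]


def match_events(events: list[dict], iocs: list[IpPortIoc]) -> list[dict]:
    """One hit per matching endpoint. 'ip:port' hits are exact; 'ip_only' hits
    reached the indicator address on some other port and deserve a second look
    before alerting (shared hosting and reassigned cloud addresses cause these)."""
    ports_by_ip: dict[str, set[int]] = {}
    for ioc in iocs:
        ports_by_ip.setdefault(ioc.ip, set()).add(ioc.port)
    hits = []
    for event in events:
        for ip, port in remote_endpoints(event):
            if ip not in ports_by_ip:
                continue
            fidelity = "ip:port" if port in ports_by_ip[ip] else "ip_only"
            hits.append({"table": event["_table"], "ip": ip, "port": port,
                         "fidelity": fidelity, "event": event})
    return hits


# Constructed sample records; "_table" only labels which schema each row mimics.
SAMPLE_EVENTS = [
    {"_table": "DeviceNetworkEvents", "Timestamp": "2026-06-22T01:14:09Z",
     "DeviceName": "build-agent-03", "RemoteIP": "13.140.155.136", "RemotePort": 2375,
     "InitiatingProcessFileName": "curl", "ActionType": "ConnectionSuccess"},
    {"_table": "DeviceNetworkEvents", "Timestamp": "2026-06-22T01:20:41Z",
     "DeviceName": "ws-finance-11", "RemoteIP": "13.140.155.136", "RemotePort": 443,
     "InitiatingProcessFileName": "msedge.exe", "ActionType": "ConnectionSuccess"},
    {"_table": "CommonSecurityLog", "TimeGenerated": "2026-06-22T02:02:00Z",
     "SourceIP": "10.20.4.15", "SourcePort": 49812, "DestinationIP": "167.172.152.94",
     "DestinationPort": 80, "DeviceAction": "allow"},
    {"_table": "CommonSecurityLog", "TimeGenerated": "2026-06-22T02:05:13Z",
     "SourceIP": "167.172.152.94", "SourcePort": 51234, "DestinationIP": "10.20.4.7",
     "DestinationPort": 22, "DeviceAction": "deny"},
    {"_table": "CommonSecurityLog", "TimeGenerated": "2026-06-22T02:06:00Z",
     "SourceIP": "10.20.4.15", "SourcePort": 50001, "DestinationIP": "8.8.8.8",
     "DestinationPort": 53, "DeviceAction": "allow"},
]

if __name__ == "__main__":
    iocs = parse_iocs(DEFANGED_IOCS)
    print(to_kql_let(iocs))
    for hit in match_events(SAMPLE_EVENTS, iocs):
        print(f"{hit['fidelity']:8} {hit['table']:20} {hit['ip']}:{hit['port']}")
```

Against the sample records this yields four hits: the curl connection to 13.140.155.136:2375 and the outbound flow to 167.172.152.94:80 are exact ip:port matches, while the browser session to 13.140.155.136:443 and the denied inbound attempt from 167.172.152.94 (ephemeral source port) are ip_only and belong in a review queue rather than a high-severity alert.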
False Positive Scenarios
The indicators are ip:port values, so the queries fire on the remote address, not on a process path or command line. The exclusions below are keyed on the initiating process (in DeviceNetworkEvents: InitiatingProcessFileName and InitiatingProcessParentFileName) and should be applied only after the specific connection has been confirmed benign, for example because the address has been reassigned since the IOC was published. A system binary reaching a payload-delivery address is itself a strong signal, so never suppress a match on process name alone.
Scenario: Scheduled System Maintenance Task
Description: A scheduled maintenance task, launched by the Task Scheduler service hosted in svchost.exe, makes an outbound connection that lands on one of the listed addresses.
Filter/Exclusion: process.parent_process_name == "svchost.exe" and process.command_line contains "<approved task script path>" (placeholder; substitute the verified script path)
Scenario: Admin Performing System Cleanup
Description: An administrator runs the built-in Disk Cleanup tool (cleanmgr.exe) from Explorer and the match is attributed to that process.
Filter/Exclusion: process.name == "cleanmgr.exe" and process.parent_process_name == "explorer.exe"
Scenario: Running Microsoft System File Checker (SFC)
Description: sfc.exe is executed from an elevated shell as part of a system integrity check and the match is attributed to that process.
Filter/Exclusion: process.name == "sfc.exe" and process.parent_process_name in ("cmd.exe", "powershell.exe")
Scenario: PowerShell Script for Log Management
Description: A PowerShell script that rotates or ships logs connects to one of the listed addresses; confirm the destination is the expected collector before excluding.
Filter/Exclusion: process.name == "powershell.exe" and process.command_line contains "<approved log-management script path>" (placeholder; never exclude powershell.exe as a whole)
Scenario: Antivirus or EDR Tool Scanning
Description: A legitimate security tool (e.g., Microsoft Defender, CrowdStrike Falcon) or a sandbox and threat-intel enrichment job deliberately contacts a listed address to check reachability or fetch a sample, producing an expected match from a known security process.
Filter/Exclusion: process.name == "Windows Defender Antivirus", process.name == "falcon.exe", or `process.parent_process_name