The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, leveraging known indicators of compromise to identify malicious behavior in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early, reducing the risk of data exfiltration and lateral movement.
IOC Summary
Malware Family: RedTail
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 107[.]172[.]252[.]155:2375 | payload_delivery | 2026-06-07 | 85% |
| ip:port | 47[.]253[.]5[.]130:2375 | payload_delivery | 2026-06-07 | 85% |
| ip:port | 118[.]26[.]111[.]107:80 | payload_delivery | 2026-06-07 | 85% |
| ip:port | 31[.]77[.]156[.]62:80 | payload_delivery | 2026-06-07 | 85% |
| ip:port | 95[.]59[.]142[.]69:2375 | payload_delivery | 2026-06-07 | 90% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["31.77.156.62", "107.172.252.155", "118.26.111.107", "47.253.5.130", "95.59.142.69"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["31.77.156.62", "107.172.252.155", "118.26.111.107", "47.253.5.130", "95.59.142.69"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
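The two hunts above match on IP address only, while ThreatFox publishes these indicators as ip:port pairs (three of the five are on TCP 2375, two on TCP 80). The helper below is an added example, not code from the original page or from ThreatFox: it refangs the defanged values from the IOC table, validates each one so a malformed feed row fails loudly, generates the same `dynamic([...])` list the page's queries use, and also emits a port-aware variant that joins an inline `datatable` on both IP and port. The Sentinel table and column names are the ones used on this page; the function names, the `RAW_IOCS` list and the `iocs` datatable name are my own choices.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed copy of the five defanged ip:port indicators from the IOC table above.
RAW_IOCS = [
    "107[.]172[.]252[.]155:2375",
    "47[.]253[.]5[.]130:2375",
    "118[.]26[.]111[.]107:80",
    "31[.]77[.]156[.]62:80",
    "95[.]59[.]142[.]69:2375",
]

# Common defanging spellings of the dot: [.]  (.)  {.}
_DEFANGED_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(value: str) -> str:
    """Restore a defanged indicator ('1[.]2[.]3[.]4') to its real form."""
    return _DEFANGED_DOT.sub(".", value)


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split an 'ip:port' IOC into (ip, port), rejecting malformed feed rows."""
    host, sep, port = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port indicator: {ioc!r}")
    ip = ipaddress.ip_address(host)  # raises ValueError on a bad address
    port_num = int(port)             # raises ValueError on a non-numeric port
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {ioc!r}")
    return str(ip), port_num


def is_valid_ioc(ioc: str) -> bool:
    """True if the row parses as a well-formed ip:port indicator."""
    try:
        parse_ip_port(ioc)
        return True
    except ValueError:
        return False


def ip_list_literal(iocs: list[str]) -> str:
    """Build the dynamic([...]) IP array used by the IP-only hunts on this page."""
    ips = sorted({parse_ip_port(i)[0] for i in iocs}, key=ipaddress.ip_address)
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"


def build_port_aware_kql(iocs: list[str], table: str, ip_col: str, port_col: str,
                         project_cols: list[str], time_col: str) -> str:
    """Emit a hunt that joins on IP *and* port, so a connection to a listed IP
    on a port the feed does not list for it is not flagged (and vice versa).
    Column names in the datatable mirror the target table so the join can use
    the shared-name form 'on Col1, Col2'."""
    pairs = sorted({parse_ip_port(i) for i in iocs})
    rows = ",\n    ".join(f'"{ip}", {port}' for ip, port in pairs)
    return (
        f"let iocs = datatable({ip_col}:string, {port_col}:int) [\n    {rows}\n];\n"
        f"{table}\n"
        f"| where isnotempty({ip_col})\n"
        f"| join kind=inner iocs on {ip_col}, {port_col}\n"
        f"| project {', '.join(project_cols)}\n"
        f"| order by {time_col} desc"
    )


if __name__ == "__main__":
    # Same IP-only list as the page's queries, regenerated from the feed rows.
    print(ip_list_literal(RAW_IOCS))
    # Port-aware versions for both tables the page hunts in.
    print(build_port_aware_kql(RAW_IOCS, "CommonSecurityLog", "DestinationIP", "DestinationPort",
                               ["TimeGenerated", "SourceIP", "DestinationIP", "DestinationPort",
                                "DeviceAction", "Activity"], "TimeGenerated"))
    print(build_port_aware_kql(RAW_IOCS, "DeviceNetworkEvents", "RemoteIP", "RemotePort",
                               ["Timestamp", "DeviceName", "RemoteIP", "RemotePort",
                                "InitiatingProcessFileName", "ActionType"], "Timestamp"))
```

The IP-only list is the right first pass when a feed is fresh (the same host may later be seen on other ports), while the port-aware join is the lower-noise query to schedule once the indicators have aged; keeping both generated from one parsed copy of the feed avoids the two lists drifting apart as rows are added.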
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude processes initiated by veeam or VeeamBackup with command-line arguments containing backup or schedule.
Scenario: Admin task to update Microsoft Endpoint Protection definitions
Filter/Exclusion: Exclude processes with the executable name mpcmdrun.exe or command-line arguments containing mpengine or update.
Scenario: Legitimate use of PowerShell for log management via Logstash
Filter/Exclusion: Exclude PowerShell scripts executed by logstash or with command-line arguments containing logstash-forwarder or logstash.
Scenario: Regular execution of Windows Task Scheduler jobs for system maintenance
Filter/Exclusion: Exclude processes launched by schtasks.exe, or with command-line arguments containing schtasks, or with a task name matching known maintenance tasks.
Scenario: Use of Splunk Forwarder to send logs to a central Splunk instance
Filter/Exclusion: Exclude processes with the executable name splunkforwarder or command-line arguments containing splunk or forwarder.