The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, leveraging known indicators of compromise to identify malicious network traffic or file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be establishing a foothold in the environment.
IOC Summary
- Malware Family: RedTail
- Total IOCs: 2
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 104[.]236[.]83[.]40:2375 | payload_delivery | 2026-06-05 | 80% |
| ip:port | 220[.]162[.]198[.]142:2375 | payload_delivery | 2026-06-05 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["220.162.198.142", "104.236.83.40"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["220.162.198.142", "104.236.83.40"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
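As an added example (not part of the original rule page), the script below refangs the two defanged ip:port indicators from the table above, emits the `dynamic([...])` literal used by the KQL queries, and runs the same IP match over constructed sample events, additionally recording whether the published port (2375) matched. The sample events are constructed, not real telemetry.

```python
from __future__ import annotations
import re

# Constructed from the ThreatFox entries on this page (defanged ip:port, as published).
THREATFOX_IOCS = [
    "104[.]236[.]83[.]40:2375",
    "220[.]162[.]198[.]142:2375",
]

def refang_ip_port(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into a usable (ip, port) pair."""
    ip, port = ioc.replace("[.]", ".").rsplit(":", 1)
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ip, int(port)

IOC_PAIRS = {refang_ip_port(i) for i in THREATFOX_IOCS}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}

def kql_ip_list() -> str:
    """Emit the dynamic([...]) literal consumed by the KQL queries above."""
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted(IOC_IPS)) + "])"

def match_events(events: list[dict]) -> list[dict]:
    """Flag events whose remote endpoint is an IOC IP.

    Mirrors the DeviceNetworkEvents query (IP-only match) but also records
    whether the port matched, since ThreatFox published ip:port indicators.
    """
    hits = []
    for ev in events:
        ip, port = ev["RemoteIP"], ev["RemotePort"]
        if ip in IOC_IPS:
            hits.append({**ev, "PortMatch": (ip, port) in IOC_PAIRS})
    return hits

# Constructed sample events in DeviceNetworkEvents shape (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-05T10:00:00Z", "DeviceName": "host-a", "RemoteIP": "104.236.83.40",
     "RemotePort": 2375, "InitiatingProcessFileName": "docker.exe"},
    {"Timestamp": "2026-06-05T10:01:00Z", "DeviceName": "host-b", "RemoteIP": "220.162.198.142",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-06-05T10:02:00Z", "DeviceName": "host-c", "RemoteIP": "10.0.0.5",
     "RemotePort": 2375, "InitiatingProcessFileName": "docker.exe"},
]

if __name__ == "__main__":
    print(kql_ip_list())
    for h in match_events(SAMPLE_EVENTS):
        print(h["DeviceName"], h["RemoteIP"], h["RemotePort"], "port match" if h["PortMatch"] else "ip only")
```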
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: System update or patching process using Windows Update or Group Policy Object (GPO) deployment
  - Filter/Exclusion: Check for ProcessName containing wuauclt.exe or gupdate.exe, or filter by ParentProcess being services.exe or svchost.exe
- Scenario: Scheduled job for Microsoft Endpoint Detection and Response (EDR) or Microsoft Defender for Endpoint
  - Filter/Exclusion: Filter by ProcessName containing MsMpEng.exe or MSPaint.exe (for Defender), or check for CommandLine containing mpcmdrun.exe with known EDR command-line arguments
- Scenario: PowerShell script execution for routine system maintenance or configuration management (e.g., using PowerShell DSC or Ansible)
  - Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for CommandLine containing known DSC or Ansible command-line switches (e.g., -File, -Command)
- Scenario: Log management tool such as Splunk or ELK Stack performing data ingestion or indexing
  - Filter/Exclusion: Filter by ProcessName containing splunkd.exe, logstash, or java (for Elasticsearch), or check for CommandLine containing known log ingestion flags
- Scenario: Backup and restore operations using Veeam, Commvault, or Veritas NetBackup
  - Filter/Exclusion: Filter by ProcessName containing veeam.exe, cvbackup.exe, or nbprocess.exe, or check for CommandLine containing backup-related flags or paths