The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, using the indicators of compromise published for its malicious infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage RedTail activity before it escalates and compromises critical assets.
IOC Summary

Malware Family: RedTail
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 143[.]110[.]165[.]73:2375 | payload_delivery | 2026-06-04 | 80% |
| ip:port | 79[.]143[.]178[.]79:2375 | payload_delivery | 2026-06-04 | 80% |
```kql
// Hunt for network connections to known malicious IPs in firewall/proxy logs
// Source: ThreatFox - RedTail
// Note: both IOCs are of type ip:port (port 2375); DestinationPort is projected so
// analysts can check the port during triage.
let malicious_ips = dynamic(["143.110.165.73", "79.143.178.79"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - RedTail
// Note: both IOCs are of type ip:port (port 2375); RemotePort is projected so
// analysts can check the port during triage.
let malicious_ips = dynamic(["143.110.165.73", "79.143.178.79"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
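The IOCs above are of type ip:port (both on port 2375), while the two queries match on IP alone. As an added example that is not part of the original rule, the Python below refangs the ThreatFox values, parses them into (ip, port), and runs both the strict ip:port match and the page's IP-only match over constructed CommonSecurityLog-shaped rows (sample data, not real telemetry).

```python
import re

# Defanged ip:port values, copied from the IOC table above.
THREATFOX_IOCS = ["143[.]110[.]165[.]73:2375", "79[.]143[.]178[.]79:2375"]
_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

def refang(ioc):
    """Undo ThreatFox defanging: '1[.]2[.]3[.]4:80' -> '1.2.3.4:80'."""
    return ioc.replace("[.]", ".")

def parse_ip_port(ioc):
    """Split an ip:port IOC; malformed values raise rather than silently matching nothing."""
    m = _IP_PORT.match(refang(ioc))
    if not m:
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ip, port = m.group(1), int(m.group(2))
    if port > 65535 or any(int(o) > 255 for o in ip.split(".")):
        raise ValueError(f"out-of-range ip:port IOC: {ioc!r}")
    return ip, port

def hunt(records, iocs, strict_port=True):
    """Return the rows that match the IOCs.

    strict_port=True honours the ip:port IOC type: destination IP and port must
    both match. strict_port=False reproduces the page's IP-only KQL logic
    (source or destination IP), which is broader but noisier.
    """
    wanted = {parse_ip_port(i) for i in iocs}
    wanted_ips = {ip for ip, _ in wanted}
    hits = []
    for r in records:
        dst = (r["DestinationIP"], int(r["DestinationPort"]))
        if strict_port:
            matched = dst in wanted
        else:
            matched = dst[0] in wanted_ips or r["SourceIP"] in wanted_ips
        if matched:
            hits.append(r)
    return hits

# Constructed CommonSecurityLog-shaped rows; not real telemetry.
SAMPLE_LOG = [
    {"TimeGenerated": "2026-06-04T10:00:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "143.110.165.73", "DestinationPort": "2375"},
    {"TimeGenerated": "2026-06-04T10:01:00Z", "SourceIP": "10.0.0.6",
     "DestinationIP": "143.110.165.73", "DestinationPort": "443"},
    {"TimeGenerated": "2026-06-04T10:02:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "8.8.8.8", "DestinationPort": "53"},
]
```

Running `hunt(SAMPLE_LOG, THREATFOX_IOCS)` returns only the port-2375 row, while `strict_port=False` also returns the port-443 row, which is the extra noise the IP-only queries will produce.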
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: System update or patching process using RedTail as part of a legitimate enterprise toolchain
Filter/Exclusion: Exclude processes initiated by known patch management tools (e.g., Microsoft Update, WSUS, Ansible, Chef) or scheduled tasks related to system maintenance.

Scenario: Scheduled backup job using RedTail for data archiving
Filter/Exclusion: Exclude processes associated with backup tools (e.g., Veeam, Commvault, Veritas) or tasks running under a backup service account.

Scenario: Admin task to configure RedTail for internal monitoring purposes
Filter/Exclusion: Exclude processes initiated by privileged accounts (e.g., Administrator, Domain Admins) during known configuration windows or via remote management tools (e.g., Remote Desktop, PowerShell Remoting).

Scenario: RedTail used for internal threat intelligence sharing between security teams
Filter/Exclusion: Exclude processes involving internal IP ranges, internal domains, or known internal threat intelligence platforms (e.g., Splunk, QRadar, SIEM systems).

Scenario: RedTail used as a legitimate endpoint detection and response (EDR) tool
Filter/Exclusion: Exclude processes associated with EDR tools (e.g., CrowdStrike, SentinelOne, Microsoft Defender ATP) or tasks running under the EDR agent service account.