The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, leveraging known indicators of compromise associated with this malicious actor. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage RedTail attacks before they cause significant damage.
IOC Summary
Malware Family: RedTail
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 47[.]253[.]94[.]140:2375 | payload_delivery | 2026-06-08 | 85% |
| ip:port | 45[.]238[.]101[.]91:2375 | payload_delivery | 2026-06-08 | 85% |
| ip:port | 189[.]51[.]43[.]54:80 | payload_delivery | 2026-06-08 | 85% |
| ip:port | 167[.]126[.]6[.]183:80 | payload_delivery | 2026-06-08 | 85% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
// Note: the ThreatFox entries are ip:port pairs, but this query matches on the IP
// alone, so a match is returned regardless of the destination port.
let malicious_ips = dynamic(["167.126.6.183", "45.238.101.91", "189.51.43.54", "47.253.94.140"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Same IOC list as above; RemoteIP is the peer address seen by the endpoint.
let malicious_ips = dynamic(["167.126.6.183", "45.238.101.91", "189.51.43.54", "47.253.94.140"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
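Because every IOC in the summary table is an ip:port pair, matching on the IP alone (as the two queries above do) discards half of the indicator. The following query is an added example, not part of the original rule: it keeps the port with each IP in an inline datatable and joins on both columns, so a row is returned only when the destination address and port both match a ThreatFox entry. The column names are the standard CommonSecurityLog schema fields; the datatable name `ioc_pairs` is an assumption.

```kql
// Added example (not part of the original rule): port-aware hunt over CommonSecurityLog.
// The four ip:port pairs are taken from the IOC summary table on this page.
let ioc_pairs = datatable(ioc_ip:string, ioc_port:int) [
    "47.253.94.140", 2375,
    "45.238.101.91", 2375,
    "189.51.43.54",  80,
    "167.126.6.183", 80
];
CommonSecurityLog
| where isnotempty(DestinationIP) and isnotempty(DestinationPort)
// inner join: only rows whose (DestinationIP, DestinationPort) equals an IOC pair survive
| join kind=inner ioc_pairs on $left.DestinationIP == $right.ioc_ip, $left.DestinationPort == $right.ioc_port
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceVendor, DeviceProduct, DeviceAction, Activity
| order by TimeGenerated desc
```

If you want both behaviours, run the IP-only query for broad hunting and this port-aware one as the scheduled analytic rule; the join reduces noise from unrelated traffic to a shared host while still alerting on the exact service the indicator describes.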
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that downloads a file from a known RedTail IOC source as part of a system update or patching process.
Filter/Exclusion: Exclude files downloaded from internal update servers or signed by known enterprise patching tools (e.g., Windows Update, WSUS, or Chocolatey).
Scenario: Administrative Tool Usage
Description: An admin uses a legitimate tool like PowerShell or Task Scheduler to execute a script that interacts with a RedTail IOC (e.g., for log analysis or configuration management).
Filter/Exclusion: Exclude processes initiated by admin accounts with known legitimate scripts or tools (e.g., PowerShell.exe with Get-EventLog or Get-ChildItem).
Scenario: Log Collection and Analysis
Description: A security tool like Splunk, ELK Stack, or Graylog is configured to collect and analyze logs, which may include IP addresses or hashes associated with RedTail.
Filter/Exclusion: Exclude traffic from known log collection tools or internal monitoring systems (e.g., splunkd.exe, logstash, or graylog-server).
Scenario: Third-Party Software Integration
Description: A third-party software integration (e.g., Microsoft Intune, ServiceNow, or Jira) may use a RedTail IOC as part of its API or internal communication.
Filter/Exclusion: Exclude traffic from known third-party integration services or internal API endpoints (e.g., intune.microsoft.com, servicenow.com, or jira.example.com).
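The exclusions in the scenarios above are written as prose; in practice they become an allowlist applied after the IOC match. The query below is an added example, not part of the original rule, showing how the "Log Collection and Analysis" exclusion (splunkd.exe, logstash, graylog-server) and the "Administrative Tool Usage" account context can be expressed in the DeviceNetworkEvents hunt. The process names in `known_collectors` are tuning values assumed for illustration; replace them with the collector binaries actually deployed in your estate.

```kql
// Added example (not part of the original rule): IOC hunt with tuning exclusions.
// IOC IPs are from the summary table on this page; exclusion names are assumed tuning values.
let malicious_ips = dynamic(["167.126.6.183", "45.238.101.91", "189.51.43.54", "47.253.94.140"]);
let known_collectors = dynamic(["splunkd.exe", "logstash", "graylog-server"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// drop connections initiated by known log-collection agents (term match, case-insensitive)
| where not(InitiatingProcessFileName has_any (known_collectors))
// keep the initiating account and command line so admin-tool hits can be triaged, not silently excluded
| project Timestamp, DeviceName, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```

Excluding on process name alone is a weak filter, since any binary can be renamed; pairing the allowlist with the expected RemotePort for that collector, and reviewing rather than excluding admin-account hits, keeps the rule from hiding a genuine RedTail connection behind a tuning entry.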
Scenario: Internal RedTeam Exercise
Description: A red team exercise or penetration test includes the use of