The RedTail IOCs detected in Azure Sentinel indicate potential adversary activity associated with a known malicious group leveraging these indicators to compromise systems. SOC teams should proactively hunt for these IOCs to identify and mitigate early-stage threats before they escalate into full-scale breaches.
IOC Summary

Malware Family: RedTail
Total IOCs: 7
IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 107[.]189[.]3[.]150:80 | payload_delivery | 2026-05-23 | 85% |
| ip:port | 140[.]99[.]32[.]48:80 | payload_delivery | 2026-05-23 | 85% |
| url | hxxp://107[.]189[.]3[.]150/b2f628/cronb.sh | payload_delivery | 2026-05-23 | 90% |
| url | hxxp://209[.]141[.]58[.]166/b2f628/cronb.sh | payload_delivery | 2026-05-23 | 90% |
| url | hxxp://140[.]99[.]32[.]48/b2f628/cronb.sh | payload_delivery | 2026-05-23 | 85% |
| url | hxxp://205[.]185[.]118[.]246/b2f628/cronb.sh | payload_delivery | 2026-05-23 | 90% |
| url | hxxp://b[.]9-9-8.com/brysj/cronb.sh | payload_delivery | 2026-05-23 | 85% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
// Port is deliberately not filtered: the IOC list gives :80, but a match on the
// address alone is enough to warrant review.
let malicious_ips = dynamic(["107.189.3.150", "140.99.32.48"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["107.189.3.150", "140.99.32.48"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - RedTail
// has_any performs term matching; use "Url in~ (malicious_urls)" if an exact,
// case-insensitive match on the full URL is required.
let malicious_urls = dynamic([
    "http://107.189.3.150/b2f628/cronb.sh",
    "http://209.141.58.166/b2f628/cronb.sh",
    "http://140.99.32.48/b2f628/cronb.sh",
    "http://205.185.118.246/b2f628/cronb.sh",
    "http://b.9-9-8.com/brysj/cronb.sh"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
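The indicators above are published defanged (`hxxp`, `[.]`), so before they can be dropped into the `dynamic([...])` lists of the queries, or matched against raw logs outside Sentinel, they must be refanged. The following Python script is an added example and not part of the original page or of any ThreatFox tooling: it refangs the IOC table, builds IP, host and full-URL watchlists, emits the KQL `dynamic` literal, and runs the watchlists over a few constructed `key=value` log lines (the log format, the `src`/`dst`/`url` field names and the sample addresses are assumptions chosen for the example). It goes slightly beyond the queries by also matching on the URL host, so a fetch of a different path from a listed host is still surfaced.

```python
import re
from urllib.parse import urlsplit

# Constructed from the IOC table on this page; values are kept defanged as published.
REDTAIL_IOCS = [
    ("ip:port", "107[.]189[.]3[.]150:80"),
    ("ip:port", "140[.]99[.]32[.]48:80"),
    ("url", "hxxp://107[.]189[.]3[.]150/b2f628/cronb.sh"),
    ("url", "hxxp://209[.]141[.]58[.]166/b2f628/cronb.sh"),
    ("url", "hxxp://140[.]99[.]32[.]48/b2f628/cronb.sh"),
    ("url", "hxxp://205[.]185[.]118[.]246/b2f628/cronb.sh"),
    ("url", "hxxp://b[.]9-9-8.com/brysj/cronb.sh"),
]

# Constructed sample log lines (assumed key=value format); 203.0.113.10 and
# example.com are documentation values, the others come from the IOC table.
SAMPLE_LOGS = [
    "ts=2026-05-23T10:01:02Z src=10.0.0.5 dst=203.0.113.10 dport=443 url=https://www.example.com/",
    "ts=2026-05-23T10:01:09Z src=10.0.0.7 dst=107.189.3.150 dport=80 url=http://107.189.3.150/b2f628/cronb.sh",
    "ts=2026-05-23T10:02:31Z src=10.0.0.9 dst=203.0.113.20 dport=80 url=http://b.9-9-8.com/brysj/other.sh",
    "ts=2026-05-23T10:03:00Z src=10.0.0.11 dst=140.99.32.48 dport=8080",
]

LOG_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def refang(value: str) -> str:
    """Undo the common defanging conventions: hxxp -> http, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def build_watchlist(iocs):
    """Return (ips, hosts, urls) as sets of refanged indicators.

    IPs come from ip:port entries (port dropped, see the KQL comment above);
    hosts and full URLs come from url entries.
    """
    ips, hosts, urls = set(), set(), set()
    for kind, raw in iocs:
        clean = refang(raw)
        if kind == "ip:port":
            ips.add(clean.rsplit(":", 1)[0])
        elif kind == "url":
            urls.add(clean.lower())
            hosts.add(urlsplit(clean).hostname)
    return ips, hosts, urls


def to_kql_dynamic(values) -> str:
    """Render a set of indicators as the KQL dynamic([...]) literal used in the hunts."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


def match_log_line(line: str, ips, hosts, urls):
    """Return a list of (field, indicator) hits for one key=value log line."""
    fields = dict(LOG_FIELD_RE.findall(line))
    hits = []
    for key in ("src", "dst"):
        if fields.get(key) in ips:
            hits.append((key, fields[key]))
    url = fields.get("url")
    if url:
        if url.lower() in urls:
            hits.append(("url", url))
        elif urlsplit(url).hostname in hosts:
            # Same listed host, different path: still worth an analyst's eyes.
            hits.append(("url_host", urlsplit(url).hostname))
    return hits


def hunt(lines, iocs):
    """Run the watchlists over log lines; returns findings with 1-based line numbers."""
    ips, hosts, urls = build_watchlist(iocs)
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = match_log_line(line, ips, hosts, urls)
        if hits:
            findings.append({"line": number, "hits": hits})
    return findings


if __name__ == "__main__":
    ips, _, urls = build_watchlist(REDTAIL_IOCS)
    print("let malicious_ips =", to_kql_dynamic(ips) + ";")
    print("let malicious_urls =", to_kql_dynamic(urls) + ";")
    for finding in hunt(SAMPLE_LOGS, REDTAIL_IOCS):
        print(f"line {finding['line']}: {finding['hits']}")
```

Running the script prints the two `let` statements ready to paste into the queries above and flags three of the four sample lines: the direct `cronb.sh` fetch (IP and URL hit), the different path on `b.9-9-8.com` (host hit only) and the connection to `140.99.32.48` on a non-listed port (IP hit only).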
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the RedTail IOCs, such as a file path or registry key.
Filter/Exclusion: Exclude tasks with TaskName containing “SystemMaintenance” or Command containing schtasks.exe or sfc.exe.

Scenario: Admin Tool Usage (e.g., PowerShell or WMI)
Description: An administrator uses PowerShell or WMI to perform routine system diagnostics or configuration, which may trigger one of the RedTail IOCs.
Filter/Exclusion: Exclude processes with ProcessName containing powershell.exe or wmic.exe and CommandLine containing “admin” or “diagnostics”.

Scenario: Log File Analysis by SIEM Tools
Description: A SIEM tool like Splunk or ELK parses log files and generates alerts that match RedTail IOCs due to log content.
Filter/Exclusion: Exclude events with Source containing “Splunk” or “ELK” and EventID related to log parsing or indexing.

Scenario: Antivirus Quarantine Process
Description: An antivirus tool like Bitdefender or Kaspersky quarantines a file that matches a RedTail IOC, leading to a false positive.
Filter/Exclusion: Exclude processes with ProcessName containing “Bitdefender” or “Kaspersky” and ParentProcess containing “avp.exe” or “kav.exe”.

Scenario: Backup Job Execution
Description: A backup job using tools like Veeam or Acronis creates temporary files or uses paths that match RedTail IOCs.
Filter/Exclusion: Exclude processes with ProcessName containing “Veeam” or “Acronis” and