The detection identifies potential EtherRAT malware activity through known IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats before significant data loss occurs.
IOC Summary

Malware Family: EtherRAT
Total IOCs: 6
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | onetasknext.eastasia.cloudapp.azure.com | botnet_cc | 2026-06-12 | 100% |
| domain | sydelorme.com | botnet_cc | 2026-06-12 | 100% |
| domain | davidkapor.com | botnet_cc | 2026-06-12 | 100% |
| domain | swgraphic.com | botnet_cc | 2026-06-12 | 100% |
| domain | foodnflavors.com | botnet_cc | 2026-06-12 | 100% |
| domain | procuducts.southafricanorth.cloudapp.azure.com | botnet_cc | 2026-06-12 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - EtherRAT
let malicious_domains = dynamic(["onetasknext.eastasia.cloudapp.azure.com", "sydelorme.com", "davidkapor.com", "swgraphic.com", "foodnflavors.com", "procuducts.southafricanorth.cloudapp.azure.com"]);
DnsEvents
// has_any performs term matching, so subdomains of the listed domains are also returned
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
**Scenario: Scheduled System Maintenance Task**
Description: A legitimate scheduled task using schtasks.exe to perform system maintenance (e.g., disk cleanup or log rotation) may trigger the rule if it matches the IOCs.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with a known benign command line, or filter based on the task name containing “maintenance” or “cleanup”.

**Scenario: Admin Tool for Network Monitoring**
Description: A network monitoring tool like Wireshark or tcpdump may execute network-related binaries that overlap with EtherRAT IOCs.
Filter/Exclusion: Exclude processes running under the user context of a known network admin, or filter based on the process name containing “wireshark” or “tcpdump”.

**Scenario: Antivirus Scan Using ClamAV**
Description: A ClamAV antivirus scan may invoke binaries that match the IOCs due to signature overlap.
Filter/Exclusion: Exclude processes with the full path containing “clamav”, or filter based on the parent process being clamd or freshclam.

**Scenario: Log Collection via Logstash**
Description: A log collection tool like Logstash may use binaries or scripts that resemble EtherRAT IOCs during data ingestion.
Filter/Exclusion: Exclude processes with the command line containing “logstash”, or filter based on the parent process being java (common for Logstash).

**Scenario: System File Integrity Check with Tripwire**
Description: A Tripwire integrity check may trigger the rule if it uses utilities that match EtherRAT IOCs.
Filter/Exclusion: Exclude processes with the command line containing “tripwire”, or filter based on the process name containing “tripwire” or “check”.
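The following Python script is an added example, not code from the page or from ThreatFox, that reproduces the logic of the KQL hunt above offline so the matching and exclusion behaviour can be checked before the query is deployed. It uses the six domains from the IOC table, matches query names on label boundaries (a subdomain of an IOC is a hit, a name that merely contains the IOC as a substring is not), and applies an exclusion stage like the tuning scenarios in this section. Because DnsEvents rows carry no process fields, the exclusion here is keyed on the `Computer` column instead; the excluded host `sec-sandbox01`, the `DnsEvent` record, the `hunt` and `matched_ioc` functions, and the sample event lines are all constructed for the example.

```python
"""Offline check of the EtherRAT DNS hunt against constructed DnsEvents rows.

Added example; it is not part of the original page. The domains are the six
IOCs listed in the table above. Everything else (host names, IPs, timestamps,
the excluded host) is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The six domains from the IOC table (ThreatFox - EtherRAT).
MALICIOUS_DOMAINS = {
    "onetasknext.eastasia.cloudapp.azure.com",
    "sydelorme.com",
    "davidkapor.com",
    "swgraphic.com",
    "foodnflavors.com",
    "procuducts.southafricanorth.cloudapp.azure.com",
}

# Hosts whose lookups of these domains are expected, e.g. a detonation sandbox.
# Constructed assumption for the example; DnsEvents has no process fields, so
# exclusions are keyed on the Computer column.
EXCLUDED_COMPUTERS = {"sec-sandbox01"}


@dataclass
class DnsEvent:
    """Mirrors the columns projected by the KQL hunt."""
    time_generated: str
    computer: str
    name: str
    ip_addresses: str
    query_type: str


def matched_ioc(name: str, iocs: Iterable[str] = MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Matching is on label boundaries: "cdn.sydelorme.com" hits "sydelorme.com",
    while "notsydelorme.com" and "sydelorme.com.example" do not.
    """
    host = name.rstrip(".").lower()
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def parse_event(line: str) -> DnsEvent:
    """Parse one constructed 'TimeGenerated | Computer | Name | IPAddresses | QueryType' row."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    return DnsEvent(*parts)


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep events whose Name hits an IOC, drop excluded hosts, order newest first."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        ioc = matched_ioc(ev.name)
        if ioc is None or ev.computer in EXCLUDED_COMPUTERS:
            continue
        hits.append({
            "TimeGenerated": ev.time_generated,
            "Computer": ev.computer,
            "Name": ev.name,
            "IPAddresses": ev.ip_addresses,
            "QueryType": ev.query_type,
            "MatchedIOC": ioc,
        })
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


# Constructed sample rows (not real telemetry); IPs are from documentation ranges.
SAMPLE_EVENTS = """
2026-06-12T08:01:10Z | ws-fin-07 | sydelorme.com | 203.0.113.10 | A
2026-06-12T08:03:44Z | ws-fin-07 | cdn.davidkapor.com | 203.0.113.11 | A
2026-06-12T08:05:02Z | ws-hr-02 | notsydelorme.com | 198.51.100.5 | A
2026-06-12T08:06:30Z | sec-sandbox01 | swgraphic.com | 203.0.113.12 | A
2026-06-12T08:07:15Z | ws-hr-02 | sydelorme.com.example | 198.51.100.6 | A
2026-06-12T08:09:58Z | srv-db-01 | onetasknext.eastasia.cloudapp.azure.com | 203.0.113.13 | AAAA
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Running the script yields three hits (srv-db-01, then the two ws-fin-07 lookups); the sandbox lookup is excluded and the two look-alike names are not matched. Note that the KQL `has_any` is term-based, so in Sentinel `sydelorme.com.example` would also be returned; if that produces noise, the suffix check above is the behaviour to replicate in the query.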