A host infected with EtherRAT resolves and connects to the operator's command-and-control (C2) domains to receive commands and exfiltrate data, so DNS queries for the domains listed below are an early, high-confidence indicator of remote access. SOC teams should hunt for these lookups in Microsoft Sentinel (formerly Azure Sentinel) and contain the host before the operator progresses to data theft.
IOC Summary

Malware Family: EtherRAT
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | issueall.com | botnet_cc | 2026-05-27 | 100% |
| domain | dakindsoups.com | botnet_cc | 2026-05-27 | 100% |
| domain | webiqonline.com | botnet_cc | 2026-05-27 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - EtherRAT
let malicious_domains = dynamic(["issueall.com", "dakindsoups.com", "webiqonline.com"]);
DnsEvents
// has_any is term-based and case-insensitive, so a query for a subdomain
// such as cdn.issueall.com also matches; a lookalike such as notissueall.com does not.
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled. DnsEvents is populated by the DNS Analytics solution (Log Analytics agent) on Windows DNS servers; if your DNS telemetry arrives through another connector, run the same match against the ASIM DNS parser (`_Im_Dns`, field `DnsQuery`) instead. Any hit from a non-sandbox host should be treated as a confirmed C2 lookup and escalated. |
The query above matches the exact C2 domains, so a hit is rarely benign. The scenarios below mainly apply when the hunt is widened to anomalous outbound traffic in general; of the five, only the sandbox scenario is a realistic source of benign hits on the domain list itself.

Scenario: Legitimate scheduled system update via PowerShell
Description: A scheduled task runs PowerShell to download and install an update from Microsoft's public servers, which can look like scripted outbound traffic.
Filter/Exclusion: Check the destination (or the queried Name) against known Microsoft update hosts (e.g., download.microsoft.com) and, where process telemetry is available, confirm that process_name is powershell.exe running a known update script. None of the three C2 domains overlap with Microsoft infrastructure, so this scenario does not produce hits on the domain query.

Scenario: Admin task using Wireshark for network analysis
Description: A system administrator is using Wireshark to capture and analyze network traffic for troubleshooting.
Filter/Exclusion: Filter by process_name to exclude wireshark.exe, or tag traffic from approved admin tooling with a custom field, but only for hosts confirmed to be analyst workstations; a process name on its own is trivial for malware to imitate.

Scenario: Automated backup job using Veeam
Description: A Veeam backup job transfers data to a remote backup server, which appears as sustained outbound traffic.
Filter/Exclusion: Check the destination against the known backup server IP addresses or domain names used by Veeam, and verify that the initiating process is a Veeam service binary rather than an unknown executable.

Scenario: User clicking a link in an internal phishing-awareness simulation
Description: An employee clicks a link in a phishing-simulation email served from a trusted internal training portal, and the simulation domain is flagged as malicious.
Filter/Exclusion: Allow-list the known training and simulation domains in the url or Name field. Do not exclude internal source IP ranges wholesale: every DNS query this hunt is looking for originates from an internal client.

Scenario: Malware analysis in a sandbox environment
Description: The security team detonates a suspected malicious sample in a sandbox, and the sample queries its C2 domains.
Filter/Exclusion: Maintain an allow-list of sandbox hosts and client IPs (Cuckoo Sandbox, Joe Sandbox, detonation VMs) and exclude them by Computer or client IP. Better still, give the sandbox an isolated resolver so its queries never reach production DNS and never appear in DnsEvents.
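The hunt logic and the sandbox exclusion, as an added example that is not code from the original page or from ThreatFox: it applies the same domain match as the KQL query to DnsEvents-shaped records in Python so it can be tested offline, excludes an assumed allow-list of sandbox client IPs (hypothetical addresses), and shows why a label-boundary suffix match is preferable to a bare substring search. The records, host names and IPs are constructed for illustration.

```python
"""Offline mirror of the Sentinel DNS hunt for the EtherRAT C2 domains.

Added example (not the page's own code): same IOC match as the KQL query,
plus the sandbox-host exclusion from the false-positive scenarios.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# IOCs from the ThreatFox table on this page.
MALICIOUS_DOMAINS = frozenset({"issueall.com", "dakindsoups.com", "webiqonline.com"})

# Hypothetical allow-list of sandbox client IPs (assumption: tune to your estate).
SANDBOX_CLIENT_IPS = frozenset({"10.99.0.10", "10.99.0.11"})


@dataclass(frozen=True)
class DnsEvent:
    """Subset of the DnsEvents columns the hunt uses."""
    time_generated: str   # ISO-8601 UTC, as in TimeGenerated
    computer: str         # DNS server that logged the query (Computer)
    client_ip: str        # querying client (ClientIP)
    name: str             # queried name (Name)
    query_type: str       # QueryType


def normalize_name(name: str) -> str:
    """Lower-case and strip the trailing dot of an FQDN so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def matched_ioc(name: str, iocs: Iterable[str] = MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Checking on the label boundary rejects lookalikes such as
    notissueall.com and issueall.com.example.net, which a plain
    substring search would accept.
    """
    n = normalize_name(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt(events: Iterable[DnsEvent],
         iocs: Iterable[str] = MALICIOUS_DOMAINS,
         sandbox_ips: Iterable[str] = SANDBOX_CLIENT_IPS) -> List[Tuple[DnsEvent, str]]:
    """Return (event, ioc) pairs for queries not from sandbox clients, newest first."""
    excluded = set(sandbox_ips)
    hits = [(ev, ioc) for ev in events
            if (ioc := matched_ioc(ev.name, iocs)) is not None
            and ev.client_ip not in excluded]
    # Same ordering as `| order by TimeGenerated desc` in the KQL.
    hits.sort(key=lambda h: h[0].time_generated, reverse=True)
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    DnsEvent("2026-05-27T08:15:02Z", "DNS-SRV01", "10.10.4.21", "issueall.com", "A"),
    DnsEvent("2026-05-27T09:40:11Z", "DNS-SRV01", "10.10.4.21", "cdn.WEBIQONLINE.com.", "A"),
    DnsEvent("2026-05-27T09:41:30Z", "DNS-SRV01", "10.10.7.5", "download.microsoft.com", "A"),
    DnsEvent("2026-05-27T10:02:45Z", "DNS-SRV02", "10.99.0.10", "dakindsoups.com", "A"),  # sandbox
    DnsEvent("2026-05-27T10:05:00Z", "DNS-SRV02", "10.10.8.33", "notissueall.com", "A"),
    DnsEvent("2026-05-27T10:06:12Z", "DNS-SRV02", "10.10.8.33", "issueall.com.example.net", "A"),
]


def main() -> None:
    for ev, ioc in hunt(SAMPLE_EVENTS):
        print(f"{ev.time_generated} client={ev.client_ip} name={ev.name} -> {ioc}")


if __name__ == "__main__":
    main()
```

Run as-is it reports two hits, both from client 10.10.4.21: the subdomain query for webiqonline.com (despite mixed case and the trailing dot) and the bare issueall.com lookup. The sandbox detonation of dakindsoups.com is suppressed by the allow-list, and the two lookalike names are ignored because the match is anchored on a label boundary rather than on a substring.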