The ThreatFox: EtherRAT IOCs rule detects potential command and control communication associated with the EtherRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could lead to long-term data breaches and system compromise.
IOC Summary
Malware Family: EtherRAT
Total IOCs: 6
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | onetasknext.eastasia.cloudapp.azure.com | botnet_cc | 2026-06-12 | 100% |
| domain | sydelorme.com | botnet_cc | 2026-06-12 | 100% |
| domain | davidkapor.com | botnet_cc | 2026-06-12 | 100% |
| domain | swgraphic.com | botnet_cc | 2026-06-12 | 100% |
| domain | foodnflavors.com | botnet_cc | 2026-06-12 | 100% |
| domain | procuducts.southafricanorth.cloudapp.azure.com | botnet_cc | 2026-06-12 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - EtherRAT
let malicious_domains = dynamic(["onetasknext.eastasia.cloudapp.azure.com", "sydelorme.com", "davidkapor.com", "swgraphic.com", "foodnflavors.com", "procuducts.southafricanorth.cloudapp.azure.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
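The hunt above, re-implemented offline as an added example (not code from the ThreatFox rule or from Sentinel): it checks queried names against the rule's six domain IOCs at label boundaries, so a subdomain of an IOC is a hit but a lookalike that merely contains the string is not, and runs the check over constructed sample DnsEvents rows shaped like the columns the query projects.

```python
from datetime import datetime
from typing import Optional

# Domain IOCs copied from the rule's IOC table above.
MALICIOUS_DOMAINS = frozenset({
    "onetasknext.eastasia.cloudapp.azure.com", "sydelorme.com",
    "davidkapor.com", "swgraphic.com", "foodnflavors.com",
    "procuducts.southafricanorth.cloudapp.azure.com",
})

def matches_ioc(name: str, iocs=MALICIOUS_DOMAINS) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    DNS names are case-insensitive and may carry a trailing dot, so the name
    is normalised, then compared at label boundaries: cdn.sydelorme.com hits,
    notsydelorme.com and sydelorme.com.example.net do not."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # a.b.c -> a.b.c, b.c, c
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def hunt(events: list) -> list:
    """Mirror of the KQL pipeline: filter on the IOC list, keep the projected
    DnsEvents columns plus the matched IOC, order newest first."""
    keep = ("TimeGenerated", "Computer", "Name", "IPAddresses", "QueryType")
    hits = []
    for e in events:
        ioc = matches_ioc(e["Name"])
        if ioc:
            hits.append({**{k: e[k] for k in keep}, "MatchedIOC": ioc})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)

def _ev(ts, computer, name, ip, qtype="A"):
    return {"TimeGenerated": ts, "Computer": computer, "Name": name,
            "IPAddresses": ip, "QueryType": qtype}

# Constructed sample DnsEvents rows (not real telemetry; RFC 5737 test IPs).
SAMPLE_EVENTS = [
    _ev(datetime(2026, 6, 12, 9, 0), "WS01", "cdn.sydelorme.com.", "203.0.113.10"),
    _ev(datetime(2026, 6, 12, 9, 5), "WS02", "NOTSYDELORME.COM", "203.0.113.11"),
    _ev(datetime(2026, 6, 12, 9, 7), "WS03", "sydelorme.com.example.net", "203.0.113.12"),
    _ev(datetime(2026, 6, 12, 9, 9), "WS01", "davidkapor.com", "203.0.113.13"),
    _ev(datetime(2026, 6, 12, 9, 11), "WS04", "www.example.org", "203.0.113.14"),
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedIOC"])
```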
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update via Chocolatey
Description: A system update using Chocolatey installs a package that matches one of the EtherRAT IOCs due to a naming similarity.
Filter/Exclusion: Exclude packages installed via Chocolatey by filtering on the process.parent_process field where the command line contains choco or chocolatey.
Scenario: Scheduled Job for Log Collection
Description: A scheduled task runs a script that uses a tool like logparser or PowerShell to collect logs, which may trigger an IOC due to similar command-line arguments.
Filter/Exclusion: Exclude processes with logparser.exe, powershell.exe (with -Command or -File arguments pointing to known log collection scripts), or task scheduler as the parent process.
Scenario: Admin Task for Network Monitoring
Description: An admin uses tcpdump or Wireshark to monitor network traffic, which may include IP addresses or ports that match EtherRAT IOCs.
Filter/Exclusion: Exclude processes with tcpdump.exe, wireshark.exe, or nmap.exe in the command line, or filter by user account with admin privileges.
Scenario: Legitimate Use of Process Monitor (ProcMon)
Description: A security analyst uses Process Monitor (ProcMon) to investigate system behavior, which may include file paths or registry keys that match EtherRAT IOCs.
Filter/Exclusion: Exclude processes with procmon.exe or procmon64.exe in the command line, or filter by user account associated with the security team.
Scenario: Use of PowerShell for System Maintenance
Description: A system maintenance script using PowerShell may execute commands that resemble malicious behavior, such as registry modifications or file access, which could trigger