The detection identifies potential unknown remote access trojan (RAT) activity through suspicious IOCs that may indicate adversary persistence or command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy, previously unseen threats that could compromise organizational assets.
IOC Summary

Malware Family: Unknown RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]245[.]95[.]9:7601 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 194[.]26[.]192[.]187:443 | botnet_cc | 2026-06-06 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown RAT
// Note: matches on IP only; the IOCs above also carry a port (7601 and 443)
let malicious_ips = dynamic(["172.245.95.9", "194.26.192.187"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown RAT
let malicious_ips = dynamic(["172.245.95.9", "194.26.192.187"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
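The two hunts above match on IP alone, but the IOCs in the summary table are ip:port pairs. The following KQL, added here as an example and not part of the original page, matches the exact endpoint in both tables, unions the hits into one schema and summarizes per host so an analyst sees first/last seen, connection count and the initiating processes in one row. It assumes the standard CommonSecurityLog and DeviceNetworkEvents schemas; the 30-day window is an assumed default.

```kql
// Added example: exact ip:port matching across both Sentinel tables.
// IOC values come from the summary table on this page (refanged).
let ioc_endpoints = dynamic(["172.245.95.9:7601", "194.26.192.187:443"]);
let lookback = 30d;  // assumed hunting window
// Firewall/proxy telemetry: build "ip:port" from destination fields
let csl_hits =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | extend RemoteEndpoint = strcat(DestinationIP, ":", tostring(DestinationPort))
    | where RemoteEndpoint in (ioc_endpoints)
    | project Time = TimeGenerated, Source = "CommonSecurityLog", Host = DeviceName,
              LocalIP = SourceIP, RemoteEndpoint, Process = ProcessName, Action = DeviceAction;
// Endpoint telemetry: same endpoint string from the remote side of the socket
let mde_hits =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | extend RemoteEndpoint = strcat(RemoteIP, ":", tostring(RemotePort))
    | where RemoteEndpoint in (ioc_endpoints)
    | project Time = Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
              LocalIP, RemoteEndpoint, Process = InitiatingProcessFileName, Action = ActionType;
// One row per host/endpoint pair for triage; repeated beaconing shows up as a high count
union csl_hits, mde_hits
| summarize FirstSeen = min(Time), LastSeen = max(Time), Connections = count(),
            Processes = make_set(Process), Sources = make_set(Source), Actions = make_set(Action)
    by Host, LocalIP, RemoteEndpoint
| order by LastSeen desc
```

A host with many connections, a long FirstSeen-to-LastSeen span and a non-browser process in Processes is the pattern to escalate first; hits only in CommonSecurityLog with a blocking DeviceAction indicate the connection never completed.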
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that downloads a file from a known internal repository whose address coincidentally matches an IOC from a previously seen RAT.
Filter/Exclusion: Exclude files downloaded from internal IP ranges (e.g., src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16))
Scenario: Software Update via Microsoft Intune
Description: A company uses Microsoft Intune to push updates, and one of the update packages contains a file that matches an IOC from an unknown RAT.
Filter/Exclusion: Exclude files signed by Microsoft or associated with known update mechanisms (e.g., file_hash IN (Microsoft-signed hashes) or process_name = "msiexec.exe")
Scenario: Admin Performing Remote PowerShell Scripting
Description: An admin uses PowerShell to remotely manage servers and inadvertently executes a script that matches an IOC from an unknown RAT.
Filter/Exclusion: Exclude PowerShell scripts executed by admin accounts with known privileges (e.g., user = "admin_user" AND process_name = "powershell.exe")
Scenario: Log Collection via Splunk Forwarder
Description: A Splunk forwarder is configured to collect logs and send them to a central server whose address matches an IOC from an unknown RAT.
Filter/Exclusion: Exclude traffic from known Splunk forwarder IPs or processes (e.g., process_name = "splunkforwarder.exe" or src_ip IN (Splunk-forwarder-IPs))
Scenario: Internal Tool for Configuration Management
Description: A company uses an internal configuration management tool (e.g., Ansible, Puppet)