The ThreatFox: Unknown RAT IOCs rule detects potential adversary activity involving unknown remote access tools by identifying suspicious network traffic and file artifacts associated with these IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be establishing long-term access to the network.
IOC Summary
Malware Family: Unknown RAT Total IOCs: 5 IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://193[.]233[.]113[.]202/api/upload-data | botnet_cc | 2026-05-05 | 100% |
| url | hxxp://212[.]162[.]150[.]121/api/keylog | botnet_cc | 2026-05-05 | 100% |
| url | hxxp://193[.]233[.]113[.]202/ws/client | botnet_cc | 2026-05-05 | 100% |
| url | hxxp://193[.]233[.]113[.]202/api/keylog | botnet_cc | 2026-05-05 | 100% |
| ip:port | 193[.]233[.]113[.]202:80 | botnet_cc | 2026-05-05 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown RAT
let malicious_ips = dynamic(["193.233.113.202"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["193.233.113.202"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown RAT
let malicious_urls = dynamic(["http://193.233.113.202/api/upload-data", "http://212.162.150.121/api/keylog", "http://193.233.113.202/ws/client", "http://193.233.113.202/api/keylog"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern (e.g., C:\Windows\System32\svchost.exe or C:\Windows\System32\wbem\wmic.exe).
Filter/Exclusion: process.parent_process == "Task Scheduler" or process.command_line contains "schtasks.exe"
Scenario: PowerShell Script for System Monitoring
Description: A security team uses PowerShell scripts (e.g., powershell.exe -Command "Get-EventLog -LogName System") that may trigger the IOC due to command-line similarity.
Filter/Exclusion: process.command_line contains "Get-EventLog" or process.parent_process == "Windows PowerShell"
Scenario: Software Update or Patch Deployment
Description: A legitimate update process (e.g., C:\Windows\System32\msiexec.exe) may trigger the rule due to file or registry IOCs.
Filter/Exclusion: process.command_line contains "msiexec.exe" or file.path contains "WindowsUpdate"
Scenario: Admin Task for Log Collection
Description: An admin runs a log collection tool (e.g., C:\Windows\System32\LogCollect.exe) that may match the IOC pattern.
Filter/Exclusion: process.command_line contains "LogCollect.exe" or process.user == "Administrators"
Scenario: Antivirus or EDR Agent Activity
Description: A legitimate security tool (e.g., C:\Program Files\Microsoft\Windows Defender\MsmpEng.exe) may trigger the rule due to its file or network activity.
Filter/Exclusion: process.file_path contains "Windows Defender" or process.name == "MsmpEng.exe"