The ThreatFox: Unknown RAT IOCs rule detects potential adversary activity involving an unattributed remote access trojan (RAT) by matching network traffic and file artifacts against the indicators listed below. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be establishing long-term access to the network.
IOC Summary
Malware Family: Unknown RAT
Total IOCs: 3
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://sharedtafel.com/Grandfest.exe | payload_delivery | 2026-06-15 | 50% |
| domain | metsfgsd.duckdns.org | botnet_cc | 2026-06-15 | 50% |
| domain | landgforce.duckdns.org | botnet_cc | 2026-06-15 | 50% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown RAT
let malicious_domains = dynamic(["metsfgsd.duckdns.org", "landgforce.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown RAT
let malicious_urls = dynamic(["https://sharedtafel.com/Grandfest.exe"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
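The two hunts above can be exercised offline before they are scheduled in Sentinel. The Python script below is an added example, not ThreatFox code and not part of the original rule: it refangs the defanged URL from the IOC table (hxxps -> https), applies matching equivalent to the DnsEvents and UrlClickEvents queries to a handful of constructed sample records, and shows which records surface (a subdomain of an IOC domain matches; a name that merely contains the IOC string as part of a different label does not, mirroring term-based `has_any`). The record field names follow the columns projected in the queries; the sample values are invented.

```python
"""Offline check of the two Sentinel hunts against constructed sample records.

Added example: not ThreatFox code and not part of the original rule page.
It refangs the defanged URL from the IOC table and applies the same matching
logic as the DnsEvents / UrlClickEvents queries to a few hand-made records.
"""
import re

# IOC values copied from the table above (the URL is defanged as published by ThreatFox).
IOCS = [
    {"type": "url", "value": "hxxps://sharedtafel.com/Grandfest.exe"},
    {"type": "domain", "value": "metsfgsd.duckdns.org"},
    {"type": "domain", "value": "landgforce.duckdns.org"},
]

# Constructed sample records shaped like DnsEvents rows (not real telemetry).
DNS_SAMPLE = [
    {"TimeGenerated": "2026-06-15T10:00:01Z", "Computer": "WS01", "Name": "metsfgsd.duckdns.org", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T10:02:17Z", "Computer": "WS02", "Name": "api.landgforce.duckdns.org.", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T10:03:40Z", "Computer": "WS03", "Name": "notmetsfgsd.duckdns.org", "QueryType": "A"},
    {"TimeGenerated": "2026-06-15T10:05:02Z", "Computer": "WS04", "Name": "www.duckdns.org", "QueryType": "A"},
]

# Constructed sample records shaped like UrlClickEvents rows (not real telemetry).
URL_SAMPLE = [
    {"Timestamp": "2026-06-15T11:00:00Z", "AccountUpn": "alice@example.com",
     "Url": "https://sharedtafel.com/Grandfest.exe", "ActionType": "ClickAllowed", "IsClickedThrough": False},
    {"Timestamp": "2026-06-15T11:04:30Z", "AccountUpn": "bob@example.com",
     "Url": "HTTPS://SHAREDTAFEL.COM/Grandfest.exe?dl=1", "ActionType": "ClickBlocked", "IsClickedThrough": True},
    {"Timestamp": "2026-06-15T11:09:12Z", "AccountUpn": "carol@example.com",
     "Url": "https://example.com/Grandfest.exe", "ActionType": "ClickAllowed", "IsClickedThrough": False},
]


def refang(value: str) -> str:
    """Undo common defanging so the IOC can be compared with live telemetry."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def domain_matches(name: str, domain: str) -> bool:
    """True for the IOC domain itself or any subdomain of it.

    Label-based matching mirrors term-based has_any: 'api.landgforce.duckdns.org'
    hits, 'notmetsfgsd.duckdns.org' does not (its leading label is a different term).
    """
    name = name.rstrip(".").lower()   # drop the trailing dot of FQDN form
    domain = domain.lower()
    return name == domain or name.endswith("." + domain)


def ioc_sets(iocs):
    """Split the IOC list into a domain set and a refanged, lower-cased URL set."""
    domains = {i["value"].lower() for i in iocs if i["type"] == "domain"}
    urls = {refang(i["value"]).lower() for i in iocs if i["type"] == "url"}
    return domains, urls


def hunt_dns(records, domains):
    """Counterpart of the DnsEvents hunt: records whose queried Name hits an IOC domain."""
    return [r for r in records if any(domain_matches(r["Name"], d) for d in domains)]


def hunt_urls(records, urls):
    """Counterpart of the UrlClickEvents hunt: the IOC URL appears in the clicked URL
    (case-insensitive, so a query string appended to the IOC still matches)."""
    return [r for r in records if any(u in refang(r["Url"]).lower() for u in urls)]


def run_hunt():
    """Run both hunts over the constructed samples; returns (dns_hits, url_hits)."""
    domains, urls = ioc_sets(IOCS)
    return hunt_dns(DNS_SAMPLE, domains), hunt_urls(URL_SAMPLE, urls)


if __name__ == "__main__":
    dns_hits, url_hits = run_hunt()
    # Newest first, like the `order by ... desc` in the queries.
    for r in sorted(dns_hits, key=lambda r: r["TimeGenerated"], reverse=True):
        print("DNS", r["TimeGenerated"], r["Computer"], r["Name"])
    for r in sorted(url_hits, key=lambda r: r["Timestamp"], reverse=True):
        print("URL", r["Timestamp"], r["AccountUpn"], r["Url"], r["ActionType"])
```

Running the script reports WS01 and WS02 for the DNS hunt and the alice and bob clicks for the URL hunt; WS03 (different leading label) and WS04 (the shared duckdns.org parent only) are correctly left out, which is the behaviour to confirm against live data before trusting the Sentinel results.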
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector (Windows DNS Server logs) is enabled; only queries handled by monitored DNS servers are captured, so clients using other resolvers will not appear here. |
| UrlClickEvents | Ensure the Microsoft Defender XDR connector is enabled; this table holds Defender for Office 365 Safe Links click data only and does not cover general web browsing. |
- Scenario: System update or patching process using Windows Update or WSUS.
  Filter/Exclusion: Exclude processes associated with wuauclt.exe, svchost.exe (hosting the Windows Update service), or any known update-related binaries.
- Scenario: Scheduled backup job using Veeam Backup & Replication or Veeam Agent.
  Filter/Exclusion: Exclude processes with veeam or veeambackup in the command line, or those running under a known backup service account.
- Scenario: Admin task using PowerShell to configure system settings or deploy software.
  Filter/Exclusion: Exclude PowerShell scripts that match known administrative tasks (e.g., Configure-VM, Install-WindowsFeature) or are executed by a privileged user account.
- Scenario: Log collection or monitoring tool such as Splunk or the ELK Stack performing data ingestion.
  Filter/Exclusion: Exclude processes associated with splunkd.exe, logstash, or fluentd, or those writing to known log directories.
- Scenario: Database maintenance task using a SQL Server Agent job or MySQL scheduled event.
  Filter/Exclusion: Exclude processes related to sqlservr.exe, mysqld, or any known database maintenance scripts executed by a DBA account.