The ThreatFox: Unknown RAT IOCs rule detects potential command-and-control activity by matching DNS query names against domains that ThreatFox attributes to an unidentified remote access trojan (malware family "Unknown RAT"). Both indicators are classified as botnet C2 (botnet_cc) at 100% confidence, so a resolution of either domain from an internal host is a high-fidelity signal that the host is attempting to beacon to RAT infrastructure, not a low-confidence lead. SOC teams can run the query below as a scheduled analytics rule or an ad hoc hunt in Azure Sentinel (now Microsoft Sentinel) to find hosts that may already be under long-term remote control.
IOC Summary

Malware Family: Unknown RAT
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | texornacu.com | botnet_cc | 2026-05-24 | 100% |
| domain | winupdateservice.com | botnet_cc | 2026-05-24 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown RAT (botnet_cc, first seen 2026-05-24)
let malicious_domains = dynamic(["texornacu.com", "winupdateservice.com"]);
DnsEvents
| where SubType == "LookUp"                 // client lookups only; skip DynamicRegistration rows
| where Name has_any (malicious_domains)    // term match: also catches subdomains such as cdn.texornacu.com
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the DNS Analytics solution (Log Analytics agent on Windows DNS servers). Ensure this data connector is enabled; if it is not, the query returns no rows rather than an error. |
False Positive Scenarios

The query's only match criterion is the queried name, so every hit means a host actually resolved one of the two C2 domains. DnsEvents carries no process, file or hash information; exclusions therefore have to be expressed on the columns the table has (ClientIP, Computer, SubType) and only after the source has been confirmed legitimate.

Scenario: Scheduled System Maintenance Task
Description: A scheduled task or maintenance script on a server resolves one of the listed domains, for example because a lookalike name such as winupdateservice.com was hard-coded by mistake. DnsEvents does not record which task or process issued the lookup.
Filter/Exclusion: Correlate Computer, ClientIP and TimeGenerated with process or Sysmon DNS telemetry (schtasks.exe / Task Scheduler launches) before excluding anything; exclude by ClientIP only for a documented maintenance host, and fix the task rather than leaving the exclusion in place.

Scenario: Admin Tool for Remote Management
Description: An administrator using PsExec or PowerShell remoting from a jump host resolves names in bulk (for example when testing connectivity against an IOC list), producing lookups of the listed domains from trusted management infrastructure.
Filter/Exclusion: Exclude queries whose ClientIP falls within the documented remote-management ranges or whose source is a named jump host, rather than filtering on the tool name, which DnsEvents does not carry.

Scenario: Software Update from Trusted Repository
Description: Update traffic from Chocolatey, Ninite or Microsoft Update is suspected as the cause of a hit because winupdateservice.com resembles a Microsoft update hostname.
Filter/Exclusion: Do not exclude on name similarity. Windows Update resolves hosts under windowsupdate.com and update.microsoft.com, not winupdateservice.com; any exclusion should name the real repository domains or the internal package-server hosts by ClientIP.

Scenario: Log Collection and Analysis Job
Description: A log collector (LogParser, a Splunk forwarder, ELK/Logstash) or a threat-intelligence enrichment job resolves the listed domains while processing data that contains them, generating lookups from the collection host.
Filter/Exclusion: Exclude the ClientIP of known log-aggregation and enrichment servers, and confirm the lookups are enrichment (bursty, many distinct names) rather than beaconing (sparse, periodic lookups of the same name from a non-security host).

Scenario: Test Environment Artifact
Description: A sandbox, detonation host or red-team lab deliberately resolves the listed domains while analysing a sample or simulating the RAT.
Filter/Exclusion: Exclude the lab's ClientIP ranges or its DNS servers by hostname prefix; keep the raw events so the lab activity remains auditable.
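As an added example that is not code from the original page or the Sentinel rule, the following Python re-implements the DNS hunt above over constructed records shaped like DnsEvents rows and applies the source-based exclusions the false-positive scenarios call for. The hostnames, client IPs, timestamps, the 10.99.0.0/16 lab subnet and the LAB-/DEV- hostname prefixes are all assumptions made for the example. Where the KQL uses a has_any term match, matches_ioc() accepts the domain and its subdomains but rejects names in which the IOC is only an infix or the tail of a longer label, which is the case-sensitivity and trailing-dot handling a practitioner wants before promoting the hunt to an analytics rule.

```python
"""Offline check of the ThreatFox 'Unknown RAT' DNS hunt.

Added example: not code from the original page or the Sentinel rule. It
re-implements the KQL hunt over constructed DnsEvents-shaped records and
applies the source-based exclusions the false-positive scenarios describe.
Every hostname, IP, network and timestamp below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOCs from the ThreatFox table (malware family "Unknown RAT", botnet_cc).
MALICIOUS_DOMAINS = ("texornacu.com", "winupdateservice.com")

# Assumed allowlist standing in for an organisation's own: a lab client
# subnet and lab DNS-server prefixes ("Test Environment Artifact" scenario).
TEST_NETWORKS = (ipaddress.ip_network("10.99.0.0/16"),)
TEST_HOST_PREFIXES = ("LAB-", "DEV-")


@dataclass(frozen=True)
class DnsEvent:
    """Subset of a DnsEvents row: the columns the KQL filters on or projects."""
    time_generated: str   # ISO-8601 UTC, so lexical order is chronological
    computer: str         # DNS server that logged the query
    client_ip: str        # host that issued the query
    name: str             # queried FQDN
    query_type: str
    sub_type: str         # "LookUp" or "DynamicRegistration"


def normalise(name: str) -> str:
    """Lower-case and drop the trailing root dot some resolvers log."""
    return name.strip().rstrip(".").lower()


def matches_ioc(name: str) -> Optional[str]:
    """Return the IOC that `name` matches, else None.

    Accepts the domain itself and any subdomain (cdn.texornacu.com) but,
    unlike a substring or term match, rejects names where the IOC is only
    an infix (texornacu.com.corp.example) or the tail of a longer label
    (notwinupdateservice.com).
    """
    n = normalise(name)
    for ioc in MALICIOUS_DOMAINS:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def is_excluded(ev: DnsEvent) -> bool:
    """Source-based exclusion: lab DNS servers by prefix, lab clients by subnet."""
    if ev.computer.upper().startswith(TEST_HOST_PREFIXES):
        return True
    try:
        ip = ipaddress.ip_address(ev.client_ip)
    except ValueError:
        return False  # unparseable ClientIP: never silently exclude
    return any(ip in net for net in TEST_NETWORKS)


def hunt(events: List[DnsEvent], apply_exclusions: bool = True) -> List[Tuple[str, str, str, str, str]]:
    """Equivalent of the KQL: keep LookUp rows, match the IOC list, order by time desc."""
    hits = []
    for ev in events:
        if ev.sub_type != "LookUp":
            continue
        ioc = matches_ioc(ev.name)
        if ioc is None:
            continue
        if apply_exclusions and is_excluded(ev):
            continue
        hits.append((ev.time_generated, ev.computer, ev.client_ip, ev.name, ioc))
    return sorted(hits, reverse=True)


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    DnsEvent("2026-05-25T08:01:10Z", "DNS01", "10.10.4.21", "winupdateservice.com", "A", "LookUp"),
    DnsEvent("2026-05-25T08:01:12Z", "DNS01", "10.10.4.21", "download.windowsupdate.com", "A", "LookUp"),
    DnsEvent("2026-05-25T08:05:44Z", "DNS01", "10.10.7.90", "CDN.TEXORNACU.COM.", "A", "LookUp"),
    DnsEvent("2026-05-25T08:06:00Z", "DNS01", "10.10.8.15", "texornacu.com.corp.example", "A", "LookUp"),
    DnsEvent("2026-05-25T08:06:30Z", "DNS01", "10.10.8.16", "notwinupdateservice.com", "A", "LookUp"),
    DnsEvent("2026-05-25T08:10:02Z", "LAB-DNS01", "10.99.1.7", "texornacu.com", "A", "LookUp"),
    DnsEvent("2026-05-25T08:11:00Z", "DNS01", "10.10.9.3", "winupdateservice.com", "A", "DynamicRegistration"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(" ".join(hit))
```

Run against the sample rows, the hunt returns two hits (the cdn.texornacu.com lookup and the direct winupdateservice.com lookup); the lab host is dropped by the exclusion, the infix and lookalike names never match, and the DynamicRegistration row is skipped. Run with apply_exclusions=False to see the lab hit retained, which is the form to use when auditing that the allowlist itself is still justified.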