The ThreatFox: Unknown RAT IOCs rule detects potential adversary activity involving unknown remote access tools by identifying suspicious network traffic and file artifacts associated with the IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be establishing long-term access to the network.
IOC Summary
Malware Family: Unknown RAT Total IOCs: 7 IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | ojuritosc.com | botnet_cc | 2026-06-10 | 100% |
| ip:port | 79[.]124[.]8[.]44:443 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 45[.]129[.]231[.]1:443 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 203[.]159[.]90[.]82:443 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 94[.]141[.]122[.]148:443 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 178[.]16[.]52[.]66:443 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 151[.]247[.]193[.]18:8443 | botnet_cc | 2026-06-10 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown RAT
let malicious_ips = dynamic(["79.124.8.44", "94.141.122.148", "203.159.90.82", "151.247.193.18", "178.16.52.66", "45.129.231.1"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["79.124.8.44", "94.141.122.148", "203.159.90.82", "151.247.193.18", "178.16.52.66", "45.129.231.1"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown RAT
let malicious_domains = dynamic(["ojuritosc.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern (e.g., C:\Windows\System32\svchost.exe or C:\Windows\System32\cmd.exe) as part of routine system maintenance.
Filter/Exclusion: process.parent_process == "Task Scheduler" OR process.command_line contains "schtasks.exe"
Scenario: Windows Update or Patching Job
Description: A patching or update job uses a known administrative tool like PsExec or WMIC to execute updates, which may trigger the IOC pattern.
Filter/Exclusion: process.name == "wusa.exe" OR process.name == "msiexec.exe" OR process.command_line contains "WindowsUpdate"
Scenario: Log Management Tool Execution
Description: A log management tool like Splunk or ELK Stack runs a script that matches the IOC pattern (e.g., C:\Program Files\Splunk\bin\splunk.exe) during configuration or data ingestion.
Filter/Exclusion: process.name contains "splunk" OR process.name contains "elasticsearch"
Scenario: Remote Desktop Services (RDP) Session
Description: A legitimate RDP session may involve the use of mstsc.exe or tsclient.exe, which could be flagged due to similar command-line patterns.
Filter/Exclusion: process.name == "mstsc.exe" OR process.name == "tsclient.exe"
Scenario: Administrative PowerShell Script Execution
Description: An admin runs a PowerShell script using powershell.exe that includes command-line arguments matching the IOC pattern (e.g., -Command or -File).
*Filter/