The ThreatFox: Unknown RAT IOCs rule detects potential adversary activity involving unknown remote access tools by identifying suspicious network traffic and file artifacts associated with these IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be establishing unauthorized remote control over compromised systems.
IOC Summary
Malware Family: Unknown RAT Total IOCs: 22 IOC Types: ip:port, url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://sharedtafel.com/Grandfest.exe | payload_delivery | 2026-06-15 | 50% |
| domain | metsfgsd.duckdns.org | botnet_cc | 2026-06-15 | 50% |
| domain | landgforce.duckdns.org | botnet_cc | 2026-06-15 | 50% |
| ip:port | 91[.]215[.]85[.]42:3000 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 124[.]198[.]131[.]74:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 124[.]198[.]132[.]139:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 62[.]60[.]226[.]155:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 46[.]151[.]182[.]197:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 64[.]89[.]160[.]96:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 209[.]99[.]188[.]149:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 209[.]99[.]188[.]180:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 209[.]99[.]188[.]210:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 209[.]99[.]190[.]206:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 209[.]99[.]188[.]199:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 209[.]99[.]190[.]86:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 209[.]99[.]185[.]52:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 209[.]99[.]184[.]206:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 209[.]99[.]184[.]6:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 209[.]99[.]184[.]204:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 209[.]99[.]185[.]82:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 77[.]83[.]39[.]195:443 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 77[.]83[.]39[.]246:443 | botnet_cc | 2026-06-15 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown RAT
let malicious_ips = dynamic(["209.99.188.180", "209.99.185.52", "209.99.190.206", "209.99.184.204", "209.99.184.6", "77.83.39.195", "209.99.190.86", "209.99.188.149", "209.99.188.210", "91.215.85.42", "209.99.184.206", "124.198.131.74", "77.83.39.246", "46.151.182.197", "64.89.160.96", "209.99.188.199", "124.198.132.139", "62.60.226.155", "209.99.185.82"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["209.99.188.180", "209.99.185.52", "209.99.190.206", "209.99.184.204", "209.99.184.6", "77.83.39.195", "209.99.190.86", "209.99.188.149", "209.99.188.210", "91.215.85.42", "209.99.184.206", "124.198.131.74", "77.83.39.246", "46.151.182.197", "64.89.160.96", "209.99.188.199", "124.198.132.139", "62.60.226.155", "209.99.185.82"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown RAT
let malicious_domains = dynamic(["metsfgsd.duckdns.org", "landgforce.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown RAT
let malicious_urls = dynamic(["https://sharedtafel.com/Grandfest.exe"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that performs system diagnostics or updates, which may include IOCs resembling malicious activity.
Filter/Exclusion: Exclude tasks associated with Task Scheduler or schtasks.exe with known maintenance scripts (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command Get-Service).
Scenario: Log Collection and Analysis Tool
Description: A security tool like OSSEC or Splunk may execute scripts or binaries that are flagged as unknown RAT IOCs during log aggregation or analysis.
Filter/Exclusion: Exclude processes initiated by the log collection tool’s service or agent (e.g., ossec-agentd.exe, splunkd.exe).
Scenario: Admin PowerShell Script Execution
Description: An administrator runs a PowerShell script to configure system settings or manage services, which may include IOCs that match the RAT detection rule.
Filter/Exclusion: Exclude processes with powershell.exe launched by cmd.exe or Task Scheduler with known admin scripts (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command Set-Service).
Scenario: Software Update or Patching Job
Description: A patching tool like Microsoft Endpoint Configuration Manager (MECM) or WSUS may execute binaries or scripts that are mistakenly flagged as RAT IOCs during update processes.
Filter/Exclusion: Exclude processes associated with update tools (e.g., msiexec.exe, wusa.exe, ccmexec.exe).
Scenario: Network Monitoring Tool with Custom Scripts
Description: A network monitoring tool like Wireshark or tcpdump may