The ThreatFox: Unknown RAT IOCs rule detects potential adversary activity involving an unknown remote access tool by matching network connections against the ip:port indicators listed below, all tagged by ThreatFox as botnet command-and-control. SOC teams should proactively hunt for this traffic in Azure Sentinel to identify and mitigate intrusions that may be establishing unauthorized remote control over compromised systems.
IOC Summary
Malware Family: Unknown RAT
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 192[.]159[.]99[.]249:443 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 158[.]94[.]209[.]27:443 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 66[.]163[.]113[.]238:3333 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 190[.]255[.]90[.]152:5010 | botnet_cc | 2026-05-26 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown RAT
// The IOCs are ip:port pairs; add DestinationPort to the where clause to require the exact pair
let malicious_ips = dynamic(["192.159.99.249", "66.163.113.238", "190.255.90.152", "158.94.209.27"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown RAT
// The IOCs are ip:port pairs; add RemotePort to the where clause to require the exact pair
let malicious_ips = dynamic(["192.159.99.249", "66.163.113.238", "190.255.90.152", "158.94.209.27"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
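The hunts above match on IP alone, while the ThreatFox entries are ip:port pairs. The following added example (not part of the original rule page) parses the defanged IOC values from the table and matches them against constructed DeviceNetworkEvents-style rows, either as exact ip:port pairs or IP-only, so the two matching modes can be compared on the same data.

```python
"""Match ThreatFox ip:port IOCs against network events (added example)."""

# Defanged ip:port values exactly as listed in the IOC table above.
UNKNOWN_RAT_IOCS = [
    "192[.]159[.]99[.]249:443",
    "158[.]94[.]209[.]27:443",
    "66[.]163[.]113[.]238:3333",
    "190[.]255[.]90[.]152:5010",
]

# Constructed sample rows in the shape of DeviceNetworkEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-26T10:01:00Z", "DeviceName": "ws01",
     "RemoteIP": "192.159.99.249", "RemotePort": 443, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-05-26T10:02:00Z", "DeviceName": "ws02",
     "RemoteIP": "66.163.113.238", "RemotePort": 80, "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-05-26T10:03:00Z", "DeviceName": "srv01",
     "RemoteIP": "190.255.90.152", "RemotePort": 5010, "InitiatingProcessFileName": "update.exe"},
    {"Timestamp": "2026-05-26T10:04:00Z", "DeviceName": "ws03",
     "RemoteIP": "10.0.0.5", "RemotePort": 3333, "InitiatingProcessFileName": "svchost.exe"},
]


def refang(value):
    """Undo the '[.]' defanging used in the IOC table."""
    return value.replace("[.]", ".")


def parse_iocs(values):
    """Parse 'ip:port' IOC strings into a set of (ip, port) tuples."""
    pairs = set()
    for raw in values:
        ip, _, port = refang(raw).rpartition(":")
        if not ip or not port.isdigit():
            raise ValueError(f"malformed ip:port IOC: {raw!r}")
        pairs.add((ip, int(port)))
    return pairs


def hunt(events, iocs, match_port=True):
    """Return matching events, newest first.

    match_port=True requires the exact (ip, port) pair, mirroring the IOC type.
    match_port=False mirrors the IP-only KQL hunts: broader, but noisier on shared hosts.
    """
    ips = {ip for ip, _ in iocs}
    hits = []
    for ev in events:
        pair = (ev["RemoteIP"], int(ev["RemotePort"]))
        if (pair in iocs) if match_port else (ev["RemoteIP"] in ips):
            hits.append(ev)
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS, parse_iocs(UNKNOWN_RAT_IOCS)):
        print(ev["Timestamp"], ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"])
```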
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern (e.g., C:\Windows\System32\svchost.exe or C:\Windows\System32\wbem\wmic.exe).
Filter/Exclusion: process.parent_process == "task scheduler" or process.name == "schtasks.exe"
Scenario: PowerShell Script for System Monitoring
Description: A system administrator uses PowerShell to monitor system performance, which may include commands like Get-Service or Get-EventLog that resemble malicious activity.
Filter/Exclusion: process.name == "powershell.exe" and (process.command_line contains "Get-Service" or process.command_line contains "Get-EventLog")
Scenario: Antivirus Quarantine Scan
Description: An antivirus tool quarantines a file that matches the IOC pattern, such as C:\Windows\Temp\quarantine\*.exe.
Filter/Exclusion: process.name == "avastui.exe" or process.name == "mcafee.exe" (depending on the AV tool)
Scenario: Log Collection and Analysis Job
Description: A log collection tool like logparser.exe or splunkforwarder.exe processes logs and may trigger the rule due to file paths or commands.
Filter/Exclusion: process.name == "logparser.exe" or process.name == "splunkforwarder.exe"
Scenario: Software Update Deployment
Description: A legitimate software update process, such as Microsoft Update or a custom patching tool, may use scripts or binaries that match the IOC pattern.
Filter/Exclusion: process.name == "wusa.exe" or process.name == "msiexec.exe" with a known update package