The ThreatFox: Unknown RAT IOCs rule detects potential adversary activity involving an unknown remote access trojan by identifying suspicious network traffic and file artifacts associated with the IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be establishing long-term access to the network.
IOC Summary
Malware Family: Unknown RAT
Total IOCs: 13
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 216[.]126[.]237[.]248:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 216[.]126[.]227[.]207:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 216[.]126[.]227[.]126:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 172[.]86[.]126[.]21:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 172[.]86[.]126[.]200:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 172[.]86[.]117[.]21:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 167[.]88[.]166[.]155:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 167[.]88[.]166[.]106:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 144[.]172[.]99[.]94:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 144[.]172[.]94[.]21:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 144[.]172[.]116[.]114:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 144[.]172[.]115[.]45:443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 144[.]172[.]109[.]163:443 | botnet_cc | 2026-06-24 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown RAT
// Every IOC above is an ip:port pair on port 443; this query matches on the
// IP alone, so a hit on another port still surfaces for triage.
let malicious_ips = dynamic(["216.126.237.248", "172.86.117.21", "144.172.94.21", "172.86.126.200", "144.172.115.45", "216.126.227.126", "144.172.99.94", "172.86.126.21", "144.172.116.114", "216.126.227.207", "144.172.109.163", "167.88.166.155", "167.88.166.106"]);
CommonSecurityLog
// Match either direction: outbound beaconing or inbound from the C2 host
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IOC list as above; run as a separate query because each KQL query
// declares its own let bindings.
let malicious_ips = dynamic(["216.126.237.248", "172.86.117.21", "144.172.94.21", "172.86.126.200", "144.172.115.45", "216.126.227.126", "144.172.99.94", "172.86.126.21", "144.172.116.114", "216.126.227.207", "144.172.109.163", "167.88.166.155", "167.88.166.106"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// InitiatingProcessFileName identifies the process that opened the connection,
// which is what the tuning scenarios below key on
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is running a scheduled backup job that uses a legitimate tool like rsync or robocopy to transfer data across the network.
  Filter/Exclusion: Exclude traffic originating from known backup tools or processes, such as rsync, robocopy, or backupexec.
- Scenario: A security analyst is using the Process Explorer tool (from Sysinternals) to investigate a suspicious process, which may result in network IOCs being captured.
  Filter/Exclusion: Exclude processes associated with known security tools like Process Explorer, Procmon, or Wireshark.
- Scenario: A system update or patching task uses wget or curl to download a legitimate update from an internal repository.
  Filter/Exclusion: Exclude traffic to internal update servers or known internal repositories, such as internal-repo.example.com or patchserver.example.com.
- Scenario: A developer is using Docker or Kubernetes to deploy a containerized application, which may involve network communication with container registries.
  Filter/Exclusion: Exclude traffic to known container registries (e.g., Docker Hub, quay.io, or internal registry URLs) and processes related to container orchestration tools.
- Scenario: A user is running a legitimate remote desktop protocol (RDP) session or using TeamViewer for remote support, which may generate network IOCs.
  Filter/Exclusion: Exclude traffic associated with known remote access tools like RDP, TeamViewer, or AnyDesk, and filter by known internal IP ranges or trusted hosts.
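The hunt queries above match on IP only and the tuning scenarios suggest process-based exclusions; the following added example (not part of the ThreatFox feed or of Sentinel) shows both steps offline in Python: it refangs the ip:port IOCs from the table, checks constructed network events against the full ip:port pair as well as the bare IP, applies a hypothetical process allowlist, and regenerates the `dynamic([...])` list used by the KQL queries so the IOC table stays the single source of truth. The event records, the process allowlist and the `ip_only` verdict are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# IOCs copied from the table above, still in their defanged form.
DEFANGED_IOCS = [
    "216[.]126[.]237[.]248:443", "216[.]126[.]227[.]207:443", "216[.]126[.]227[.]126:443",
    "172[.]86[.]126[.]21:443", "172[.]86[.]126[.]200:443", "172[.]86[.]117[.]21:443",
    "167[.]88[.]166[.]155:443", "167[.]88[.]166[.]106:443", "144[.]172[.]99[.]94:443",
    "144[.]172[.]94[.]21:443", "144[.]172[.]116[.]114:443", "144[.]172[.]115[.]45:443",
    "144[.]172[.]109[.]163:443",
]

_DEFANG_RE = re.compile(r"\[\.\]")


def refang(ioc: str) -> str:
    """Turn '216[.]126[.]237[.]248:443' back into '216.126.237.248:443'."""
    return _DEFANG_RE.sub(".", ioc)


def parse_ip_port(ioc: str) -> tuple:
    """Split a (defanged or plain) ip:port IOC into a validated (ip, port) tuple."""
    host, _, port = refang(ioc).rpartition(":")
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range in IOC {ioc!r}")
    return str(ip_address(host)), port_num   # ip_address() rejects malformed addresses


IOC_PAIRS = {parse_ip_port(i) for i in DEFANGED_IOCS}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}


def kql_ip_list(iocs) -> str:
    """Render the IOC IPs as the dynamic([...]) literal used by the KQL hunts above."""
    ips = sorted({parse_ip_port(i)[0] for i in iocs}, key=ip_address)
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"


@dataclass
class NetworkEvent:
    """Minimal stand-in for a DeviceNetworkEvents row (assumed shape, not the real schema)."""
    timestamp: str
    device: str
    remote_ip: str
    remote_port: int
    process: str


# Hypothetical allowlist derived from the tuning scenarios above (lower-case file names).
EXCLUDED_PROCESSES = {"rsync", "robocopy.exe", "procexp.exe", "procmon.exe", "wireshark.exe"}


def match_event(ev: NetworkEvent):
    """Return 'match' for an exact ip:port hit, 'ip_only' when only the host matches
    (the C2 host on another port), 'excluded' when a hit is suppressed by the
    process allowlist, or None when the event is unrelated to the IOC set."""
    if (ev.remote_ip, ev.remote_port) in IOC_PAIRS:
        verdict = "match"
    elif ev.remote_ip in IOC_IPS:
        verdict = "ip_only"
    else:
        return None
    if ev.process.lower() in EXCLUDED_PROCESSES:
        return "excluded"
    return verdict


def hunt(events):
    """Run match_event over a batch and keep everything that touched an IOC host,
    excluded hits included, so tuning decisions stay visible to the analyst."""
    return [(ev, verdict) for ev in events if (verdict := match_event(ev)) is not None]


# Constructed sample events; none of these come from a real telemetry source.
SAMPLE_EVENTS = [
    NetworkEvent("2026-06-24T10:00:00Z", "ws-01", "216.126.237.248", 443, "svchost.exe"),
    NetworkEvent("2026-06-24T10:05:00Z", "ws-02", "144.172.94.21", 8443, "updater.exe"),
    NetworkEvent("2026-06-24T10:10:00Z", "fs-01", "167.88.166.106", 443, "robocopy.exe"),
    NetworkEvent("2026-06-24T10:15:00Z", "ws-03", "8.8.8.8", 53, "dns.exe"),
]

if __name__ == "__main__":
    for ev, verdict in hunt(SAMPLE_EVENTS):
        print(f"{ev.timestamp} {ev.device} {ev.remote_ip}:{ev.remote_port} {ev.process} -> {verdict}")
    print(kql_ip_list(DEFANGED_IOCS))
```

The `ip_only` verdict mirrors what the KQL does when it matches on IP alone: the IOCs are ip:port pairs, but a C2 host seen on a different port is still worth a look rather than silently dropped. Excluded hits are kept in the output with their verdict so that an allowlist entry (for example a backup tool on a server) can be audited rather than hiding a real connection to a listed host.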