This detection identifies potential command-and-control (C2) communication from an unknown remote access trojan (RAT), keyed on the network IOCs (IP:port pairs) the malware contacts to exfiltrate data or maintain persistence. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Unknown RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]92[.]41[.]91:2026 | botnet_cc | 2026-06-03 | 75% |
| ip:port | 45[.]11[.]181[.]191:8443 | botnet_cc | 2026-06-03 | 75% |
```kql
// Hunt for network connections to known malicious IPs in CommonSecurityLog
// Source: ThreatFox - Unknown RAT
// The IOC table lists ports 2026 and 8443; DestinationPort is projected so analysts can check them.
let malicious_ips = dynamic(["91.92.41.91", "45.11.181.191"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown RAT
let malicious_ips = dynamic(["91.92.41.91", "45.11.181.191"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
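As an added example (not part of this detection page or of ThreatFox's tooling), the following Python reproduces the matching logic of the two hunts above offline: it refangs the defanged ip:port values from the IOC table, renders the IP list in the form the KQL uses, and runs the match over a few constructed network events. It also shows a stricter variant that matches on the (ip, port) pair, which the KQL above does not do. The hosts, process names and internal addresses in the sample events are hypothetical.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# IOC values exactly as listed in the table above (defanged with "[.]").
RAW_IOCS = [
    "91[.]92[.]41[.]91:2026",
    "45[.]11[.]181[.]191:8443",
]

_IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def refang(value: str) -> str:
    """Undo common defanging conventions so the value can be compared to log fields."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_ioc(raw: str) -> tuple[str, int]:
    """Split a defanged 'ip:port' indicator into (ip, port); reject anything else."""
    ip, sep, port = refang(raw).rpartition(":")
    if not sep or not _IPV4.fullmatch(ip) or not port.isdigit():
        raise ValueError(f"not an ip:port IOC: {raw!r}")
    return ip, int(port)


IOC_TUPLES = {parse_ioc(r) for r in RAW_IOCS}   # (ip, port) pairs from the table
IOC_IPS = {ip for ip, _ in IOC_TUPLES}          # ip-only view, as the KQL hunts use


def kql_ip_list() -> str:
    """Render the refanged IP set as the dynamic() literal used in the KQL above."""
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted(IOC_IPS)) + "])"


@dataclass(frozen=True)
class NetEvent:
    """Minimal stand-in for one DeviceNetworkEvents / CommonSecurityLog row."""
    timestamp: str
    host: str
    src_ip: str
    dst_ip: str
    dst_port: int
    process: str


# Constructed sample events: hypothetical hosts, processes and private addresses.
SAMPLE_EVENTS = [
    NetEvent("2026-06-03T10:01:00Z", "WS-01", "10.0.0.12", "91.92.41.91", 2026, "svchost.exe"),
    NetEvent("2026-06-03T10:02:00Z", "WS-02", "10.0.0.13", "45.11.181.191", 443, "chrome.exe"),
    NetEvent("2026-06-03T10:03:00Z", "WS-03", "10.0.0.14", "8.8.8.8", 53, "svchost.exe"),
    NetEvent("2026-06-03T10:04:00Z", "SRV-01", "45.11.181.191", "10.0.0.5", 8443, "nginx.exe"),
]


def is_ioc_hit(event: NetEvent, strict_port: bool = True) -> bool:
    """Mirror the KQL predicate: either side of the flow is a listed address.

    With strict_port=True the outbound side must also match the listed port,
    which is tighter than the IP-only `in (malicious_ips)` test in the hunts above.
    Inbound traffic from a listed address is flagged regardless of port.
    """
    if event.src_ip in IOC_IPS:
        return True
    if strict_port:
        return (event.dst_ip, event.dst_port) in IOC_TUPLES
    return event.dst_ip in IOC_IPS


def hunt(events: list[NetEvent], strict_port: bool = True) -> list[NetEvent]:
    """Return matching events newest first, like `order by Timestamp desc`."""
    hits = [e for e in events if is_ioc_hit(e, strict_port)]
    return sorted(hits, key=lambda e: e.timestamp, reverse=True)


if __name__ == "__main__":
    print(kql_ip_list())
    for mode in (True, False):
        print(f"strict_port={mode}:")
        for e in hunt(SAMPLE_EVENTS, strict_port=mode):
            print(f"  {e.timestamp} {e.host} {e.src_ip} -> {e.dst_ip}:{e.dst_port} ({e.process})")
```

Matching on the (ip, port) pair as well as the IP drops hits on unrelated traffic to the same address (the second sample event), at the cost of missing C2 that moves to another port on the same host; that trade-off is why the KQL hunts above key on the IP alone and keep RemotePort / DestinationPort in the projection for analyst review rather than in the filter.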
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Integrity Check Using sfc /scannow
Description: The System File Checker tool is running a scheduled integrity scan, which may trigger IOCs related to system file access.
Filter/Exclusion: Exclude processes where the command line includes sfc /scannow or sfc /scannow /offbootdir

Scenario: Admin Task: Windows Defender Signature Update
Description: Windows Defender is performing a scheduled signature update, which may involve accessing known malicious IOCs in its database.
Filter/Exclusion: Exclude processes with the parent process svchost.exe and command line containing MpCmdRun.exe -SignatureUpdate

Scenario: Legitimate Log Collection via logrotate
Description: The logrotate utility is rotating and compressing log files, which may involve accessing files or paths that resemble malicious IOCs.
Filter/Exclusion: Exclude processes where the command line includes logrotate or rsync used for log management

Scenario: Database Backup Job Using mysqldump
Description: A scheduled database backup job using mysqldump may involve accessing database files or temporary directories that match IOC patterns.
Filter/Exclusion: Exclude processes with the command line containing mysqldump or mysqlbackup and associated with known backup schedules

Scenario: PowerShell Script for System Monitoring
Description: A legitimate PowerShell script used for system monitoring or compliance checks may interact with system files or registry keys that match IOC patterns.
Filter/Exclusion: Exclude processes where the command line includes powershell.exe and the script path is known to be part of the enterprise's monitoring tools (e.g., C:\scripts\monitoring.ps1)