The ThreatFox: Unknown RAT IOCs rule detects potential adversary activity involving unknown remote access tools by identifying suspicious network traffic and file artifacts associated with these IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise from advanced persistent threats leveraging unknown RATs.
IOC Summary
Malware Family: Unknown RAT
Total IOCs: 7
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 2[.]26[.]0[.]10:25565 | botnet_cc | 2026-06-04 | 75% |
| domain | hsh1serverboarding.xyz | botnet_cc | 2026-06-04 | 100% |
| ip:port | 95[.]164[.]53[.]134:4521 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 151[.]243[.]113[.]94:5173 | botnet_cc | 2026-06-04 | 75% |
| domain | download-windows-update.live | botnet_cc | 2026-06-04 | 100% |
| ip:port | 209[.]25[.]140[.]22:1522 | botnet_cc | 2026-06-04 | 75% |
| domain | mineral-considerable.with.playit.plus | botnet_cc | 2026-06-04 | 100% |
```kql
// Hunt for network connections to known malicious IPs (firewall / proxy / CEF sources)
// Source: ThreatFox - Unknown RAT
let malicious_ips = dynamic(["151.243.113.94", "209.25.140.22", "2.26.0.10", "95.164.53.134"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events (shows the initiating process on the host)
// Source: ThreatFox - Unknown RAT
let malicious_ips = dynamic(["151.243.113.94", "209.25.140.22", "2.26.0.10", "95.164.53.134"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown RAT
let malicious_domains = dynamic(["hsh1serverboarding.xyz", "download-windows-update.live", "mineral-considerable.with.playit.plus"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
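The hunts above match on the IP address alone, while each ThreatFox row carries an ip:port pair and the values in the table are defanged with `[.]`. The script below is an added example, not code from ThreatFox or from this Sentinel rule: it refangs and validates the rows copied from the IOC table, emits the `let ... = dynamic([...])` lines the queries use, and also renders a `datatable` so an exact IP-and-port match can be joined against `DeviceNetworkEvents`. The `classify_connection` helper and the `malicious_ip_ports` name are assumptions introduced here, not part of the page.

```python
"""Turn the defanged ThreatFox IOC rows into the lists the KQL hunts consume.

Added example; not part of the ThreatFox feed or the Sentinel rule on this page.
"""
import ipaddress
import json
import re
from typing import Optional

# Rows copied from the IOC table on this page (type, defanged value).
IOC_ROWS = [
    ("ip:port", "2[.]26[.]0[.]10:25565"),
    ("domain", "hsh1serverboarding.xyz"),
    ("ip:port", "95[.]164[.]53[.]134:4521"),
    ("ip:port", "151[.]243[.]113[.]94:5173"),
    ("domain", "download-windows-update.live"),
    ("ip:port", "209[.]25[.]140[.]22:1522"),
    ("domain", "mineral-considerable.with.playit.plus"),
]

# Common dot-defanging spellings; "[.]" is the one this page uses.
_DEFANG = re.compile(r"\[\.\]|\(\.\)|\[dot\]|\{\.\}", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo dot-defanging and the hxxp scheme mangling so the value can be matched."""
    value = _DEFANG.sub(".", value.strip())
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def parse_ioc(ioc_type: str, value: str):
    """Return (ip, port) for ip:port rows or a lower-cased domain for domain rows.

    Malformed rows raise ValueError so a bad feed line never silently becomes
    a wrong or empty hunt list.
    """
    value = refang(value)
    if ioc_type == "ip:port":
        host, sep, port = value.rpartition(":")
        if not sep:
            raise ValueError(f"ip:port IOC without a port: {value!r}")
        port_num = int(port)
        if not 0 < port_num < 65536:
            raise ValueError(f"port out of range: {value!r}")
        return str(ipaddress.ip_address(host)), port_num
    if ioc_type == "domain":
        domain = value.lower().rstrip(".")
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
            raise ValueError(f"not a domain: {value!r}")
        return domain
    raise ValueError(f"unsupported IOC type: {ioc_type!r}")


def _ip_key(ip: str):
    """Sort key that keeps IPv4 and IPv6 addresses comparable."""
    addr = ipaddress.ip_address(ip)
    return addr.version, int(addr)


def build_hunt_lists(rows):
    """Split rows into sorted, de-duplicated ip, ip:port and domain lists."""
    ip_ports, domains = set(), set()
    for ioc_type, value in rows:
        parsed = parse_ioc(ioc_type, value)
        (ip_ports if ioc_type == "ip:port" else domains).add(parsed)
    return {
        "ips": sorted({ip for ip, _ in ip_ports}, key=_ip_key),
        "ip_ports": sorted(ip_ports, key=lambda t: (_ip_key(t[0]), t[1])),
        "domains": sorted(domains),
    }


def kql_dynamic(name: str, values) -> str:
    """Render a `let <name> = dynamic([...]);` line; json.dumps handles the quoting."""
    return f"let {name} = dynamic({json.dumps(list(values))});"


def kql_ip_port_table(ip_ports) -> str:
    """Render ip:port pairs as a KQL datatable for an exact (RemoteIP, RemotePort) join.

    The table name is an assumption of this example, not a name used on the page.
    """
    rows = ", ".join(f'"{ip}", {port}' for ip, port in ip_ports)
    return f"let malicious_ip_ports = datatable(RemoteIP:string, RemotePort:int) [{rows}];"


def classify_connection(remote_ip: str, remote_port: int, lists) -> Optional[str]:
    """Grade one observed connection: "exact" on an IP-and-port hit, "ip-only" when
    just the address matches (weaker signal; the port differs from the feed), else None."""
    ip = str(ipaddress.ip_address(remote_ip))
    if (ip, remote_port) in set(lists["ip_ports"]):
        return "exact"
    if ip in lists["ips"]:
        return "ip-only"
    return None


if __name__ == "__main__":
    lists = build_hunt_lists(IOC_ROWS)
    print(kql_dynamic("malicious_ips", lists["ips"]))
    print(kql_dynamic("malicious_domains", lists["domains"]))
    print(kql_ip_port_table(lists["ip_ports"]))
```

Paste the printed `let` lines over the hard-coded ones in the hunts when the feed is refreshed; the datatable variant lets an analyst rank an IP-and-port match above an IP-only one, which matters for addresses on shared hosting such as the playit.plus tunnel domain in the table.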
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is running a scheduled backup job that uses a legitimate tool like rsync or Veeam which coincidentally matches one of the IOCs in the ThreatFox list.
Filter/Exclusion: Exclude processes initiated by the system account (SYSTEM) or those with a command line containing backup, rsync, or veeam.
Scenario: A security team is performing a red team exercise using a legitimate penetration testing tool like Metasploit or Nmap, which may have IOCs that match the Unknown RAT signature.
Filter/Exclusion: Exclude processes with a command line containing metasploit, nmap, or msfconsole, or those running from a known red team directory.
Scenario: A user is executing a legitimate administrative task, such as updating a system via Windows Update or using PowerShell to configure a service, which may have a command line that matches an IOC.
Filter/Exclusion: Exclude processes with a command line containing wuauclt, PowerShell.exe, or msiexec, or those initiated by a user with administrative privileges during a known maintenance window.
Scenario: A legitimate log management tool like Splunk or ELK Stack is configured to collect and process logs, and its internal processes may trigger an IOC due to file names or network connections.
Filter/Exclusion: Exclude processes associated with splunkd, logstash, or kibana, or those connecting to internal log collection servers.
Scenario: A developer is using a legitimate code signing tool like SignTool or codesign to sign a package, and the tool’s execution path or network activity matches an IOC.
Filter/Exclusion: Exclude processes with a command line containing signtool, codesign,