The detection identifies potential 4h_rat malware activity through known IOCs associated with this advanced persistent threat. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise before lateral movement and data exfiltration occur.
IOC Summary

Malware Family: 4h_rat
Total IOCs: 4
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | api.r0csgo.com | botnet_cc | 2026-06-22 | 75% |
| domain | ac-api-v3.r0csgo.com | botnet_cc | 2026-06-22 | 75% |
| domain | ac-socket.r0csgo.com | botnet_cc | 2026-06-22 | 75% |
| domain | local-api-direct.r0csgo.com | botnet_cc | 2026-06-22 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - 4h_rat
let malicious_domains = dynamic(["api.r0csgo.com", "ac-api-v3.r0csgo.com", "ac-socket.r0csgo.com", "local-api-direct.r0csgo.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
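The hunt above keys on the DNS query name, so the same match can be checked offline. The following is an added example, not code from the original page: it applies the four IOC domains from the table to a few constructed DnsEvents-style records, with label-aware matching so that a name that merely ends in an IOC string (for example `notapi.r0csgo.com`) is not counted as a hit, while a subdomain of an IOC is.

```python
# Added example (not from the original page): offline version of the
# DnsEvents domain hunt, run over constructed sample records.
from datetime import datetime

# IOC list taken from the table above (ThreatFox, 4h_rat)
IOC_DOMAINS = (
    "api.r0csgo.com",
    "ac-api-v3.r0csgo.com",
    "ac-socket.r0csgo.com",
    "local-api-direct.r0csgo.com",
)

def normalize(name: str) -> str:
    """Lower-case the query name and strip the trailing dot resolvers may append."""
    return name.strip().lower().rstrip(".")

def match_ioc(name: str, iocs=IOC_DOMAINS):
    """Return the IOC that `name` equals or is a subdomain of, else None.

    The check is label-aware: 'notapi.r0csgo.com' does NOT match 'api.r0csgo.com'
    because the IOC must start at a label boundary."""
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None

# Constructed sample rows shaped like Sentinel DnsEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-23T09:00:00Z", "Computer": "ws-02", "Name": "cdn.ac-socket.r0csgo.com.", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-23T10:15:00Z", "Computer": "ws-01", "Name": "api.r0csgo.com", "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-06-23T11:30:00Z", "Computer": "ws-03", "Name": "notapi.r0csgo.com", "IPAddresses": "203.0.113.12", "QueryType": "A"},
    {"TimeGenerated": "2026-06-23T08:00:00Z", "Computer": "ws-04", "Name": "www.example.com", "IPAddresses": "198.51.100.5", "QueryType": "AAAA"},
]

def hunt(events, iocs=IOC_DOMAINS):
    """Mirror the KQL query: keep matching rows, add the matched IOC, newest first."""
    hits = []
    for ev in events:
        ioc = match_ioc(ev["Name"], iocs)
        if ioc is not None:
            hits.append({**ev, "MatchedIOC": ioc})
    hits.sort(key=lambda e: datetime.fromisoformat(e["TimeGenerated"].replace("Z", "+00:00")), reverse=True)
    return hits

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedIOC"])
```

Running it yields two hits (ws-01 first, then ws-02); the lookalike `notapi.r0csgo.com` is not reported.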
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job uses a script that matches the IOCs (e.g., a script named backup_4h_rat.sh or a file path like /backup/scripts/4h_rat.sh).
Filter/Exclusion: Exclude files matching the regex pattern .*backup.*\.sh$ or check for presence in a known backup directory like /backup/scripts/.
Scenario: Admin Task - PowerShell Script for Log Analysis
Description: An admin runs a PowerShell script named 4h_rat.ps1 to analyze system logs, which coincidentally matches the IOC pattern.
Filter/Exclusion: Exclude files with the .ps1 extension or filter based on the user context (e.g., only alert if executed by a non-admin user).
Scenario: Legitimate Software Update Process
Description: A software update process downloads a file named 4h_rat.exe from a trusted repository, which is mistakenly flagged due to a naming similarity.
Filter/Exclusion: Exclude files downloaded from known update servers (e.g., *.example.com/update/) or check the file’s digital signature.
Scenario: DevOps Pipeline Artifact
Description: A CI/CD pipeline artifact or build script is named 4h_rat.jar and is part of a legitimate development process.
Filter/Exclusion: Exclude files in known CI/CD directories (e.g., /ci/builds/, /artifacts/) or filter by file type (e.g., .jar files in a dev environment).
Scenario: User-Generated File with Similar Name
Description: A user creates a file named 4h_rat.txt for documentation or testing purposes, which triggers the rule due to the IOC pattern.
Filter/Exclusion: Exclude files with `.