The detection identifies potential Brute Ratel C4 infrastructure usage through associated IOCs, indicating possible adversary command and control communication. SOC teams should proactively hunt for this behavior to detect and disrupt early-stage C4 operations in their Azure Sentinel environment.
IOC Summary

- Malware Family: Brute Ratel C4
- Total IOCs: 2
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 44[.]241[.]110[.]100:443 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 44[.]241[.]110[.]100:80 | botnet_cc | 2026-05-24 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Brute Ratel C4
// Note: the IOCs above are ip:port pairs (443 and 80); the query matches on IP only,
// so DestinationPort is projected to let the analyst confirm the port by eye.
let malicious_ips = dynamic(["44.241.110.100"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Matches on IP only; RemotePort is projected so hits on 443/80 can be confirmed.
let malicious_ips = dynamic(["44.241.110.100"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
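As an added example (not part of the original detection content), the two hunts above combined into one query that matches the full ip:port pair from the IOC table rather than the IP alone, and summarizes hits per host so an analyst sees first/last contact and the initiating process in one row. The IOC values come from the table on this page; `Computer` and `LocalIP` are the standard column names of the two Sentinel tables and are assumed to be populated by the connectors.

```kql
// Added example: hunt both tables for the exact ip:port IOC pairs and summarize per host.
// IOC pairs are taken from the IOC Summary table above (refanged).
let brc4_iocs = datatable(RemoteIP:string, RemotePort:int)
[
    "44.241.110.100", 443,
    "44.241.110.100", 80
];
// Normalize CommonSecurityLog (firewall/proxy telemetry) to a common schema.
let csl = CommonSecurityLog
    | project TimeGenerated, Host = Computer, SourceIP, RemoteIP = DestinationIP,
              RemotePort = toint(DestinationPort), Process = "",
              Action = DeviceAction, Source = "CommonSecurityLog";
// Normalize DeviceNetworkEvents (endpoint telemetry) to the same schema.
let mde = DeviceNetworkEvents
    | project TimeGenerated = Timestamp, Host = DeviceName, SourceIP = LocalIP, RemoteIP,
              RemotePort = toint(RemotePort), Process = InitiatingProcessFileName,
              Action = ActionType, Source = "DeviceNetworkEvents";
union csl, mde
// Inner join on both IP and port, so unrelated traffic to the same host on other ports is excluded.
| join kind=inner brc4_iocs on RemoteIP, RemotePort
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Processes = make_set(Process), Actions = make_set(Action),
            Sources = make_set(Source)
          by Host, SourceIP, RemoteIP, RemotePort
| order by LastSeen desc
```

A non-empty `Processes` set on an endpoint row points at the initiating binary to triage first; a hit only in `CommonSecurityLog` means the perimeter saw the connection but the endpoint sensor did not, which is itself worth following up.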
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: Legitimate scheduled job for system maintenance using Task Scheduler
  Filter/Exclusion: Exclude events related to Task Scheduler whose command-line arguments contain schtasks or schtasks.exe
- Scenario: Administrative task using PowerShell to generate reports with Export-Csv
  Filter/Exclusion: Exclude PowerShell scripts that use Export-Csv or Out-File and are executed from known administrative tooling such as powershell.exe
- Scenario: Regular log file rotation using logrotate on Linux systems
  Filter/Exclusion: Exclude processes related to logrotate or logrotate.conf and filter out any IOCs that match known log rotation tool paths
- Scenario: System update or patching process using Windows Update or WSUS
  Filter/Exclusion: Exclude processes initiated by wuauclt.exe or wuauserv and filter out any IOCs that match known Windows Update service components
- Scenario: Network monitoring tool such as Wireshark or tcpdump capturing traffic for analysis
  Filter/Exclusion: Exclude processes running tcpdump or Wireshark and filter out any IOCs that match the known paths or command-line arguments of these tools

These exclusions apply to process-level fields (for example InitiatingProcessFileName in DeviceNetworkEvents); they should narrow which process is responsible for a hit, not suppress a match on the IOC IP itself, since a connection to the listed address from any process is what the hunt is meant to surface.