The ThreatFox: Xtreme RAT IOCs rule detects potential remote access by an adversary using Xtreme RAT, which allows unauthorized command execution and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage this RAT for long-term system control.
IOC Summary
Malware Family: Xtreme RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 154[.]41[.]194[.]132:139 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 38[.]124[.]86[.]253:445 | botnet_cc | 2026-05-25 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Xtreme RAT
// Note: the published IOCs are ip:port pairs (ports 139 and 445); this query matches on IP alone,
// so DestinationPort is projected to let the analyst compare against the listed ports
let malicious_ips = dynamic(["38.124.86.253", "154.41.194.132"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["38.124.86.253", "154.41.194.132"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
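As an added example (not code from the ThreatFox page or the rule itself), the following Python refangs the two ip:port indicators from the table above, generates the `let malicious_ips` line the hunting queries start with, and classifies a few constructed CommonSecurityLog-style records, separating full ip:port hits from IP-only hits, which is all the IP-based queries above distinguish. The `SAMPLE_EVENTS` records are constructed for the demonstration.

```python
# Added example (not from the ThreatFox page): refang the page's ip:port IOCs,
# emit the KQL `let` line its queries use, and classify constructed log records.

# The two IOCs exactly as listed in the table above (defanged with "[.]").
THREATFOX_IOCS = [
    {"type": "ip:port", "value": "154[.]41[.]194[.]132:139", "confidence": 75},
    {"type": "ip:port", "value": "38[.]124[.]86[.]253:445", "confidence": 75},
]

# Constructed CommonSecurityLog-style records for the demonstration.
SAMPLE_EVENTS = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "154.41.194.132", "DestinationPort": 139},
    {"SourceIP": "10.0.0.7", "DestinationIP": "38.124.86.253", "DestinationPort": 443},
    {"SourceIP": "10.0.0.9", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]


def refang(value):
    """Restore a defanged indicator: 154[.]41[.]194[.]132 -> 154.41.194.132."""
    return value.replace("[.]", ".")


def parse_ip_port(ioc):
    """Split an ip:port IOC into its refanged IP and integer port."""
    ip, port = refang(ioc["value"]).rsplit(":", 1)
    return ip, int(port)


def kql_let(iocs):
    """Build the `let malicious_ips = dynamic([...])` line the page's queries start with."""
    ips = sorted({parse_ip_port(i)[0] for i in iocs})
    return "let malicious_ips = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"


def match_events(events, iocs):
    """Return (event, kind) pairs: 'ip_port' when destination IP and port both match
    the published IOC, 'ip_only' when only the IP matches (what the page's IP-based
    KQL returns, including traffic to other ports on the same host)."""
    pairs = {parse_ip_port(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for ev in events:
        if (ev["DestinationIP"], ev["DestinationPort"]) in pairs:
            hits.append((ev, "ip_port"))
        elif ev["DestinationIP"] in ips or ev["SourceIP"] in ips:
            hits.append((ev, "ip_only"))
    return hits
```

An IP-only hit still deserves triage, but the ip_port classification tells the analyst which connections line up with the indicator exactly as ThreatFox published it.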
Scenario: Legitimate Scheduled Job Execution
Description: A system administrator schedules a legitimate job using schtasks.exe to run a script that performs routine maintenance, which coincidentally matches the hash or file name of Xtreme RAT.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known legitimate command-line arguments or scripts.
Scenario: Microsoft System Center Configuration Manager (SCCM) Deployment
Description: A patch or configuration update is deployed via SCCM using msiexec.exe, which may have a file name or hash that matches Xtreme RAT IOCs.
Filter/Exclusion: Exclude processes launched by msiexec.exe with a known valid MSI package path or signature.
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script named Xtreme.ps1 is used by the IT department to monitor system performance, which is mistakenly flagged by the rule.
Filter/Exclusion: Exclude PowerShell scripts with a known legitimate author or that are located in a trusted script directory (e.g., C:\Windows\System32\) or signed by a trusted certificate.
Scenario: Antivirus Quarantine File
Description: A file previously identified as malicious by an antivirus tool is quarantined and later moved to a safe location, causing a false positive.
Filter/Exclusion: Exclude files that are in the antivirus quarantine directory or have a known sandbox or quarantine signature.
Scenario: Legitimate Third-Party Tool with Similar Name
Description: A legitimate third-party tool, such as XtremeMonitor.exe, is used for system diagnostics and has a name similar to Xtreme RAT.
Filter/Exclusion: Exclude processes with a known legitimate vendor or that are digitally signed by a trusted publisher.