The ThreatFox: Xtreme RAT IOCs rule detects potential adversary activity associated with the Xtreme RAT malware, which is known for its persistence, remote command execution, and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage to the environment.
IOC Summary

- Malware Family: Xtreme RAT
- Total IOCs: 3
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 154[.]41[.]194[.]82:139 | botnet_cc | 2026-06-01 | 50% |
| ip:port | 149[.]12[.]67[.]243:445 | botnet_cc | 2026-06-01 | 50% |
| ip:port | 94[.]99[.]72[.]225:3055 | botnet_cc | 2026-06-01 | 50% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Xtreme RAT
let malicious_ips = dynamic(["94.99.72.225", "149.12.67.243", "154.41.194.82"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["94.99.72.225", "149.12.67.243", "154.41.194.82"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
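As an added example (not part of the ThreatFox feed or of the rule itself), the Python below refangs the defanged ip:port IOCs from the table, validates them, emits the `dynamic([...])` literal the queries above expect, and runs a port-aware match over constructed DeviceNetworkEvents-shaped rows next to the IP-only logic the page's queries use. The sample rows and the `strcat`-based port filter are my assumptions.

```python
import ipaddress

# Constructed copy of the three defanged ip:port IOCs from the table above.
DEFANGED_IOCS = [
    "154[.]41[.]194[.]82:139",
    "149[.]12[.]67[.]243:445",
    "94[.]99[.]72[.]225:3055",
]


def refang_ip_port(ioc: str) -> tuple:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into a validated (ip, port) pair."""
    host, _, port = ioc.replace("[.]", ".").rpartition(":")
    ip = str(ipaddress.ip_address(host))  # raises ValueError on a malformed address
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"bad port in IOC: {ioc}")
    return ip, port_num


def kql_ip_list(iocs) -> str:
    """Emit the dynamic([...]) literal used by the IP-only hunting queries above."""
    ips = sorted({refang_ip_port(i)[0] for i in iocs})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"


def kql_pair_list(iocs) -> str:
    """Emit a dynamic([...]) of 'ip:port' strings for a narrower, port-aware hunt
    (assumed filter): | where strcat(RemoteIP, ":", tostring(RemotePort)) in (pairs)."""
    pairs = sorted(f"{ip}:{port}" for ip, port in map(refang_ip_port, iocs))
    return "dynamic([" + ", ".join(f'"{p}"' for p in pairs) + "])"


def match_events(events, iocs, port_aware=True):
    """Return events whose remote endpoint matches an IOC. port_aware=False mirrors
    the IP-only logic of the page's queries and therefore returns more rows."""
    pairs = {refang_ip_port(i) for i in iocs}
    ips = {ip for ip, _ in pairs}

    def hit(e):
        key = (e["RemoteIP"], e["RemotePort"])
        return key in pairs if port_aware else key[0] in ips

    return [e for e in events if hit(e)]


# Constructed sample rows shaped like DeviceNetworkEvents; none are real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "94.99.72.225", "RemotePort": 3055, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws02", "RemoteIP": "94.99.72.225", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "srv01", "RemoteIP": "10.0.0.5", "RemotePort": 445, "InitiatingProcessFileName": "System"},
]

if __name__ == "__main__":
    print(kql_ip_list(DEFANGED_IOCS))
    for h in match_events(SAMPLE_EVENTS, DEFANGED_IOCS):
        print("hit:", h["DeviceName"], h["RemoteIP"], h["RemotePort"], h["InitiatingProcessFileName"])
```

The IP-only mode flags ws02 as well because it only compares addresses; the port-aware mode keeps the exact ip:port pairs the feed reported.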
- Scenario: Legitimate scheduled job using the psutil library
  - Description: A scheduled job runs a Python script that uses the psutil library to monitor system resources, which may trigger the rule because of similar IOCs.
  - Filter/Exclusion: Exclude processes that match the full path of the legitimate Python monitoring script (e.g., /opt/monitoring/psutil_monitor.py).
- Scenario: Admin task using netstat for network diagnostics
  - Description: An administrator runs netstat to check for open ports or active connections, which may be flagged because of similar command-line arguments or network activity.
  - Filter/Exclusion: Exclude processes whose full command line contains netstat -an or similar diagnostic commands.
- Scenario: Legitimate use of wget for software updates
  - Description: A system administrator uses wget to download a legitimate software update from an internal repository, which may be flagged because of suspicious-looking URLs or file names.
  - Filter/Exclusion: Exclude processes where the URL or file path matches known internal update servers (e.g., https://updates.internalcorp.com/).
- Scenario: PowerShell script for log analysis
  - Description: A PowerShell script parses and analyzes system logs, which may trigger the rule because of similar command-line usage or file access patterns.
  - Filter/Exclusion: Exclude processes that match the full path of the legitimate log analysis script (e.g., C:\scripts\log_analyzer.ps1).
- Scenario: Use of tar for archiving system backups
  - Description: A backup process uses tar to archive system files, which may be flagged because of similar file operations or command-line arguments.
  - Filter/Exclusion: Exclude processes that match the full command line of the backup