The ThreatFox: Ghost RAT IOCs rule detects potential command and control communication associated with Ghost RAT, a high-impact remote access trojan; the hunting query below does this by matching file hashes of known Ghost RAT payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Ghost RAT for data exfiltration and system compromise.
IOC Summary

Malware Family: Ghost RAT
Total IOCs: 3
IOC Types: sha256_hash, md5_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | f16c4398c613a78c391f2e721f95d879e9bd356c | payload | 2026-06-13 | 95% |
| md5_hash | fceaf8af1a6e83e0a1ae35a4a2fa35a7 | payload | 2026-06-13 | 95% |
| sha256_hash | af71d8886f256bf2393b1bf6d44b2fcb50d7d546e49bb7b6fbe151a3cf2032f5 | payload | 2026-06-13 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Ghost RAT
// One list holds all three hash types; each column is compared against it,
// so a match on any of SHA256, SHA1 or MD5 surfaces the file.
let malicious_hashes = dynamic([
    "f16c4398c613a78c391f2e721f95d879e9bd356c",                          // sha1
    "fceaf8af1a6e83e0a1ae35a4a2fa35a7",                                  // md5
    "af71d8886f256bf2393b1bf6d44b2fcb50d7d546e49bb7b6fbe151a3cf2032f5"   // sha256
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Legitimate System Update via Chocolatey
Description: A system update using Chocolatey installs a package that matches one of the Ghost RAT IOCs.
Filter/Exclusion: Check the process.name field for choco.exe or chocolatey in the command line arguments. Exclude processes initiated by the Chocolatey package manager.
Scenario: Scheduled Job for Log Collection
Description: A scheduled task runs a script that uses a tool like logparser.exe or PowerShell to collect logs, which coincidentally matches a Ghost RAT IOC.
Filter/Exclusion: Filter by process.name for logparser.exe or check for powershell.exe with command lines containing log or eventlog.
Scenario: Admin Task Using PsExec for Remote Management
Description: An administrator uses PsExec to remotely execute a script or command, which may include a file or command line that matches a Ghost RAT IOC.
Filter/Exclusion: Check for psexec.exe in the process name or command line, and verify if the process is initiated by a known admin account or during a scheduled maintenance window.
Scenario: Legitimate Antivirus Scan Using ClamAV
Description: A ClamAV scan is running and temporarily uses a file or command that matches a Ghost RAT IOC.
Filter/Exclusion: Filter by process.name for clamscan.exe or check for the presence of clamav in the command line.
Scenario: Network Monitoring Tool Using Wireshark
Description: A network monitoring tool like Wireshark is capturing traffic that includes a file or command line matching a Ghost RAT IOC.
Filter/Exclusion: Check for wireshark.exe in the process name or filter by