The detection identifies potential Nanocore RAT activity through suspicious network connections and file artifacts associated with known malicious IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats leveraging Nanocore RAT before significant data exfiltration or system compromise occurs.
IOC Summary
Malware Family: Nanocore RAT Total IOCs: 2 IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | algerium.io | botnet_cc | 2026-05-22 | 75% |
| ip:port | 68[.]134[.]58[.]120:54984 | botnet_cc | 2026-05-22 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
let malicious_ips = dynamic(["68.134.58.120"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["68.134.58.120"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["algerium.io"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from Microsoft Update.
Filter/Exclusion: Exclude any file paths containing MicrosoftUpdate or WindowsUpdate and filter out PowerShell scripts executed by the System or Administrator user with known update-related commands.
Scenario: A security analyst is performing a Windows Event Log analysis using LogParser to review recent system events.
Filter/Exclusion: Exclude processes associated with LogParser.exe and filter out events related to log analysis or system monitoring activities.
Scenario: A DevOps team is deploying a Docker container using Kubernetes and the container image includes a file with a name similar to a known Nanocore IOC.
Filter/Exclusion: Exclude files with .tar.gz or .docker extensions and filter out activities related to container orchestration tools like kubectl or kubeadm.
Scenario: A database administrator is using SQL Server Management Studio (SSMS) to run a backup job that generates a temporary file with a name matching a Nanocore IOC.
Filter/Exclusion: Exclude files created by sqlbackup.exe or sqlservr.exe and filter out processes associated with database backup operations.
Scenario: A user is running a third-party backup tool like Acronis True Image which creates temporary files with names that may match known IOCs.
Filter/Exclusion: Exclude files created by Acronis or TrueImage processes and filter out activities related to backup and restore operations.