This detection identifies potential Nanocore RAT activity through DNS queries for domains associated with its command and control (C2) communication, which indicates an adversary may be establishing persistent remote access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they exfiltrate data or compromise critical systems.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | test3012.duckdns.org | botnet_cc | 2026-06-19 | 100% |
| domain | elroiseeme02.ip-ddns.com | botnet_cc | 2026-06-19 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["test3012.duckdns.org", "elroiseeme02.ip-ddns.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
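As an added example (not part of the original detection page), the same hunt re-implemented in Python over a constructed set of DnsEvents-style records, so the matching logic can be checked offline before the query is scheduled: it normalizes case and the trailing dot of the queried name, matches the IOC domains and their subdomains, and leaves other hosts on the same dynamic-DNS provider alone. The record layout and sample values are assumptions, not real telemetry.

```python
from dataclasses import dataclass

# IOC list from the table above (ThreatFox, Nanocore RAT).
MALICIOUS_DOMAINS = {"test3012.duckdns.org", "elroiseeme02.ip-ddns.com"}

@dataclass(frozen=True)
class DnsEvent:
    """One DnsEvents-style record with the columns the KQL projects (assumed layout)."""
    TimeGenerated: str
    Computer: str
    Name: str
    IPAddresses: str
    QueryType: str

# Constructed sample records (not real telemetry): note the trailing dot,
# mixed case, a subdomain of an IOC, and a benign sibling host on the
# same dynamic-DNS provider that must NOT match.
SAMPLE_DNS_EVENTS = [
    DnsEvent("2026-06-19T10:01:00Z", "WS-042", "Test3012.DUCKDNS.org.", "203.0.113.10", "A"),
    DnsEvent("2026-06-19T10:02:00Z", "WS-042", "www.example.com", "203.0.113.20", "A"),
    DnsEvent("2026-06-19T10:03:00Z", "SRV-07", "api.elroiseeme02.ip-ddns.com", "198.51.100.7", "A"),
    DnsEvent("2026-06-19T10:04:00Z", "WS-011", "otherhost.duckdns.org", "192.0.2.9", "A"),
]

def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so FQDN spelling variants compare equal."""
    return name.strip().lower().rstrip(".")

def is_ioc_match(name: str, iocs=MALICIOUS_DOMAINS) -> bool:
    """True if the queried name is an IOC domain or a subdomain of one.
    The parent dynamic-DNS zone (e.g. duckdns.org) is deliberately not
    matched: it hosts many unrelated, benign names."""
    n = normalize(name)
    return any(n == ioc or n.endswith("." + ioc) for ioc in iocs)

def hunt(events, iocs=MALICIOUS_DOMAINS):
    """Mirror of the KQL: keep IOC matches, project the same five columns,
    order by TimeGenerated descending."""
    hits = [e for e in events if is_ioc_match(e.Name, iocs)]
    hits.sort(key=lambda e: e.TimeGenerated, reverse=True)
    return [(e.TimeGenerated, e.Computer, normalize(e.Name), e.IPAddresses, e.QueryType)
            for e in hits]

if __name__ == "__main__":
    for row in hunt(SAMPLE_DNS_EVENTS):
        print(row)
```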
False Positive Scenarios
Note: the hunt above inspects DnsEvents only; the process- and file-based exclusions below apply when the hunt is extended to process or file telemetry.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern because of similar file names or paths.
Filter/Exclusion: process.name != "schtasks.exe" AND process.name != "task scheduler", or use a custom field like file.name != "maintenance_script.ps1"

Scenario: Admin Performing PowerShell Script for Patch Management
Description: An admin runs a PowerShell script that uses a command or file path matching the Nanocore RAT IOC.
Filter/Exclusion: process.name != "powershell.exe" OR user.name != "admin_account", or add a custom field like file.name != "patch_update.ps1"

Scenario: Log Collection Tool Writing to a Temp Directory
Description: A log collection tool (e.g., Splunk, ELK) writes temporary files to a system directory that matches the IOC pattern.
Filter/Exclusion: process.name != "splunkd.exe" AND process.name != "logstash.exe", or use a custom field like file.path != "C:\\temp\\log_*.tmp"

Scenario: Antivirus Quarantine File
Description: A file moved to antivirus quarantine by a legitimate security tool (e.g., McAfee, Bitdefender) matches the IOC because of a false positive detection.
Filter/Exclusion: file.quarantined == true, or use a custom field like file.type != "quarantine"

Scenario: DevOps Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) downloads a binary artifact that matches the IOC because of similar naming.
Filter/Exclusion: process.name != "jenkins.exe" AND process.name != "github_actions.exe", or use a custom field like `