This detection flags potential Nanocore RAT activity by matching network telemetry against IOCs associated with its command-and-control (C2) infrastructure; a hit indicates an adversary may be establishing persistent remote access. SOC teams should proactively hunt for this behavior in Azure Sentinel so that the intrusion is found and contained before data is exfiltrated or critical systems are compromised.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 18[.]140[.]223[.]115:443 | botnet_cc | 2026-06-22 | 100% |
| ip:port | 3[.]0[.]88[.]138:443 | botnet_cc | 2026-06-22 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
// The IOCs are ip:port (443); the match below is on IP only, so
// DestinationPort is projected to let the analyst confirm the port.
let malicious_ips = dynamic(["3.0.88.138", "18.140.223.115"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Nanocore RAT
let malicious_ips = dynamic(["3.0.88.138", "18.140.223.115"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector; ensure it is enabled and that firewall or proxy logs are forwarded |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; ensure it is enabled and Defender for Endpoint is onboarded |
False Positive Scenarios

Scope each exclusion to the field it actually concerns (destination host, initiating process, port). An exclusion keyed on the source address, or on a broad substring, will suppress the hunt's own hits rather than remove noise.

Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from Microsoft Update.
Filter/Exclusion: Exclude PowerShell script executions whose target URL matches https://download.microsoft.com or whose command line contains the string Update.
Scenario: A security tool such as Microsoft Defender for Endpoint is performing a full system scan and generates network traffic to threat intelligence feeds such as VirusTotal or Microsoft ATP.
Filter/Exclusion: Exclude traffic to known threat intelligence endpoints such as api.virustotal.com or api.microsoft.com.
Scenario: A DevOps engineer is using Ansible to deploy a configuration management task that includes a custom script with a hardcoded IP address from a private internal network (e.g., 10.0.0.1).
Filter/Exclusion: Exclude connections whose destination address falls in the private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Do not key the exclusion on the source address: on a corporate network every source is private, and that form would drop every event including true C2 hits.
Scenario: A database administrator is using SQL Server Management Studio (SSMS) to run a backup job that connects to a cloud storage service such as Azure Blob Storage.
Filter/Exclusion: Exclude connections to Azure storage endpoints (e.g., blob.core.windows.net) or any traffic initiated by SQL Server backup tasks.
Scenario: A system is running a Windows Task Scheduler job that executes a PowerShell script to generate a log file for auditing purposes, which includes a known benign IP used by internal monitoring tools.
Filter/Exclusion: Exclude any PowerShell script execution initiated by the Task Scheduler or any traffic
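The following is an added example, not code from the original page or from ThreatFox: it refangs the two IOCs from the table above, emits the `let malicious_ips` line the two KQL queries use, performs the same RemoteIP match over constructed DeviceNetworkEvents-style records, and shows why the private-range exclusion from the third false-positive scenario must be applied to the destination address rather than the source. The event records, device names, local addresses and process names are constructed sample data; `require_port` is an assumed option that tightens the match to the exact ip:port pair the IOC type describes.

```python
"""Refang ThreatFox ip:port IOCs, match them against network events, and
apply a correctly scoped private-range exclusion (added example)."""
import ipaddress
from typing import NamedTuple

# Indicators copied from the IOC table on this page, still defanged.
DEFANGED_IOCS = ["18[.]140[.]223[.]115:443", "3[.]0[.]88[.]138:443"]

# RFC 1918 ranges named in the third false-positive scenario.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(ioc: str) -> tuple:
    """'18[.]140[.]223[.]115:443' -> ('18.140.223.115', 443); rejects non-IP input."""
    host, _, port = ioc.replace("[.]", ".").partition(":")
    ipaddress.ip_address(host)  # raises ValueError on anything that is not an IP
    return host, int(port)


IOCS = [refang(i) for i in DEFANGED_IOCS]


def kql_ioc_list(iocs=IOCS, name="malicious_ips") -> str:
    """Emit the 'let' line consumed by both hunting queries above."""
    ips = sorted({ip for ip, _ in iocs}, key=ipaddress.ip_address)
    quoted = ", ".join('"%s"' % ip for ip in ips)
    return "let %s = dynamic([%s]);" % (name, quoted)


class NetEvent(NamedTuple):
    """Subset of DeviceNetworkEvents columns used by the hunt."""
    timestamp: str
    device: str
    local_ip: str
    remote_ip: str
    remote_port: int
    process: str


# Constructed sample telemetry (not real events).
EVENTS = [
    NetEvent("2026-06-22T09:14:03Z", "WS-0412", "10.20.5.17", "3.0.88.138", 443, "svchost.exe"),
    NetEvent("2026-06-22T09:14:09Z", "WS-0412", "10.20.5.17", "18.140.223.115", 8080, "dllhost.exe"),
    NetEvent("2026-06-22T09:15:00Z", "SQL-01", "10.20.9.4", "10.20.9.9", 1433, "sqlservr.exe"),
    NetEvent("2026-06-22T09:15:30Z", "WS-0099", "192.168.3.8", "13.107.4.52", 443, "msedge.exe"),
]


def hunt(events, iocs=IOCS, require_port=False):
    """Return events whose RemoteIP is an IOC, as the KQL above does.
    require_port=True (assumed option) also demands the IOC's port, which
    mirrors the ip:port IOC type exactly and is stricter."""
    by_ip = {}
    for ip, port in iocs:
        by_ip.setdefault(ip, set()).add(port)
    hits = []
    for ev in events:
        ports = by_ip.get(ev.remote_ip)
        if ports is None:
            continue
        if require_port and ev.remote_port not in ports:
            continue
        hits.append(ev)
    return hits


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def exclude_private_destinations(events):
    """Scenario 3 done right: drop connections *to* RFC 1918 space."""
    return [ev for ev in events if not is_private(ev.remote_ip)]


def exclude_private_sources(events):
    """Scenario 3 done wrong: every LocalIP on a corporate network is private,
    so this drops every event, including the true C2 hits."""
    return [ev for ev in events if not is_private(ev.local_ip)]


if __name__ == "__main__":
    print(kql_ioc_list())
    for ev in hunt(exclude_private_destinations(EVENTS)):
        print(ev.timestamp, ev.device, ev.process, "%s:%d" % (ev.remote_ip, ev.remote_port))
```

Run stand-alone it prints the `let` line and the two matching events; the second event hits on IP alone but not with `require_port=True`, which is the trade-off between catching a C2 that has moved ports and tolerating a shared-hosting address that serves unrelated traffic on other ports. Compare the two exclusion helpers to see the scoping point: the destination-based filter leaves both hits intact, the source-based one returns nothing.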