The detection identifies potential Nanocore RAT activity through suspicious IOCs associated with command and control communication, indicating an adversary may be establishing persistent remote access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they exfiltrate data or move laterally within the network.
IOC Summary

Malware Family: Nanocore RAT
Total IOCs: 4
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | bokehtests.com | botnet_cc | 2026-05-28 | 75% |
| domain | 88i-mobile.com | botnet_cc | 2026-05-28 | 75% |
| domain | aboddehousing.co.uk | botnet_cc | 2026-05-28 | 75% |
| domain | coffeeandsuch.nl | botnet_cc | 2026-05-28 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["bokehtests.com", "88i-mobile.com", "aboddehousing.co.uk", "coffeeandsuch.nl"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
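The same domain-IOC match, as an added offline example (not part of the original hunt content) for validating the logic against exported or constructed DNS records before running the KQL in Sentinel. It assumes a simple comma-separated record layout and treats a query as a hit when the name equals an IOC domain or is a subdomain of it, ignoring case and the trailing root dot while not matching look-alike names such as `notbokehtests.com`.

```python
"""Check DNS query records against the Nanocore RAT domain IOCs listed above."""
from typing import Dict, List, Optional, Tuple

# IOC rows copied from the table above: domain -> (threat type, first seen, confidence %)
NANOCORE_IOCS: Dict[str, Tuple[str, str, int]] = {
    "bokehtests.com": ("botnet_cc", "2026-05-28", 75),
    "88i-mobile.com": ("botnet_cc", "2026-05-28", 75),
    "aboddehousing.co.uk": ("botnet_cc", "2026-05-28", 75),
    "coffeeandsuch.nl": ("botnet_cc", "2026-05-28", 75),
}


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing root dot so 'A.B.' equals 'a.b'."""
    return name.strip().lower().rstrip(".")


def matching_ioc(query_name: str) -> Optional[str]:
    """Return the IOC domain that the queried name equals or is a subdomain of.

    'cdn.bokehtests.com' matches 'bokehtests.com'; 'notbokehtests.com' does not,
    because only a label boundary ('.') before the IOC counts as a subdomain.
    """
    q = normalize(query_name)
    for ioc in NANOCORE_IOCS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def hunt(dns_records: List[str]) -> List[dict]:
    """Parse 'time,computer,name,answer' records (assumed layout) and return hits
    enriched with the IOC metadata an analyst would want in the incident."""
    hits = []
    for record in dns_records:
        time_generated, computer, name, answer = record.split(",", 3)
        ioc = matching_ioc(name)
        if ioc is not None:
            threat_type, first_seen, confidence = NANOCORE_IOCS[ioc]
            hits.append({"TimeGenerated": time_generated, "Computer": computer,
                         "Name": name.strip(), "IPAddresses": answer, "IOC": ioc,
                         "ThreatType": threat_type, "FirstSeen": first_seen,
                         "Confidence": confidence})
    return hits


# Constructed sample DNS events (not real telemetry); TEST-NET addresses only.
SAMPLE_DNS = [
    "2026-05-29T08:01:12Z,WS-042,bokehtests.com,203.0.113.10",
    "2026-05-29T08:01:15Z,WS-042,cdn.88I-Mobile.com.,203.0.113.11",
    "2026-05-29T08:02:00Z,SRV-07,notbokehtests.com,198.51.100.5",
    "2026-05-29T08:02:30Z,WS-013,coffeeandsuch.nl,198.51.100.9",
    "2026-05-29T08:03:00Z,WS-013,login.example.com,198.51.100.20",
]
```

Running `hunt(SAMPLE_DNS)` yields three hits; the look-alike and the unrelated name are left out.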
Scenario: Legitimate scheduled job using nanocore in a script
Description: A system administrator schedules a script using nanocore as part of a custom monitoring tool.
Filter/Exclusion: Exclude processes where the command line includes nanocore and the process is owned by a system or admin user with a known legitimate script path.
Scenario: Use of nanocore in a legitimate security tool
Description: A security tool or SIEM system uses nanocore as part of its internal logging or data processing.
Filter/Exclusion: Exclude processes where the parent process is a known security tool (e.g., splunkd, logstash, elasticsearch) and the command line includes nanocore as an argument.
Scenario: Admin task involving nanocore in a PowerShell script
Description: An administrator runs a PowerShell script that uses nanocore as part of a custom automation task.
Filter/Exclusion: Exclude processes where the command line includes nanocore and the script path is located in a known admin script directory (e.g., C:\Windows\System32\scripts).
Scenario: Legitimate software update using nanocore as a component
Description: A software update or patch process includes nanocore as part of its internal logic for configuration management.
Filter/Exclusion: Exclude processes where the command line includes nanocore and the process is initiated by a known update manager (e.g., Windows Update, Chocolatey, WSUS).
Scenario: False positive from a third-party tool using nanocore in its name
Description: A third-party tool or application uses nanocore in its name,