The detection identifies potential Nanocore RAT activity through suspicious network connections and file artifacts associated with known malicious IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats leveraging Nanocore RAT before significant data exfiltration or system compromise occurs.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | project1.in.net | botnet_cc | 2026-04-18 | 75% |
| domain | defence.in.net | botnet_cc | 2026-04-18 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["project1.in.net", "defence.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
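For analysts who want to replay the hunt against an exported slice of DnsEvents (for example when validating the query before scheduling it, or when the connector was only recently enabled and history has to be back-filled from a log archive), here is an added Python example. It is not part of the original detection page or of any Microsoft tooling. It assumes the rows were exported as JSON lines using the same column names the KQL query projects (`TimeGenerated`, `Computer`, `Name`, `IPAddresses`, `QueryType`); the sample rows, host names and IP addresses are constructed placeholders, and only the two domains come from the IOC summary above.

```python
"""Offline replay of the Nanocore RAT DNS hunt over an exported DnsEvents sample."""
import json
from datetime import datetime
from typing import Dict, List, Optional, Sequence

# Domain IOCs listed in the page's IOC summary (ThreatFox, botnet_cc).
MALICIOUS_DOMAINS: Sequence[str] = ("project1.in.net", "defence.in.net")

# Columns the original KQL query projects; used to shape the output rows.
PROJECTED_COLUMNS = ("TimeGenerated", "Computer", "Name", "IPAddresses", "QueryType")

# Constructed sample export (JSON lines), not real telemetry. Assumes the
# DnsEvents column names used by the query; host names and IPs are placeholders.
SAMPLE_DNSEVENTS = """\
{"TimeGenerated": "2026-04-18T09:12:03Z", "Computer": "ws-014", "Name": "project1.in.net", "IPAddresses": "203.0.113.7", "QueryType": "A"}
{"TimeGenerated": "2026-04-18T09:12:05Z", "Computer": "ws-014", "Name": "cdn.defence.in.net", "IPAddresses": "", "QueryType": "AAAA"}
{"TimeGenerated": "2026-04-18T09:13:44Z", "Computer": "srv-db1", "Name": "updates.example.com", "IPAddresses": "198.51.100.20", "QueryType": "A"}
{"TimeGenerated": "2026-04-18T09:14:10Z", "Computer": "ws-022", "Name": "notproject1.in.net", "IPAddresses": "", "QueryType": "A"}
{"TimeGenerated": "2026-04-18T09:15:00Z", "Computer": "ws-022", "Name": "PROJECT1.IN.NET.", "IPAddresses": "203.0.113.7", "QueryType": "A"}
"""


def normalize_name(name: str) -> str:
    """Lowercase and strip the trailing dot some resolvers log on FQDNs."""
    return name.strip().lower().rstrip(".")


def matches_ioc(name: str, iocs: Sequence[str]) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Matching is done on label boundaries: 'cdn.defence.in.net' matches
    'defence.in.net', but 'notproject1.in.net' does not match 'project1.in.net'.
    """
    candidate = normalize_name(name)
    for ioc in iocs:
        ioc_n = normalize_name(ioc)
        if candidate == ioc_n or candidate.endswith("." + ioc_n):
            return ioc_n
    return None


def _parse_time(value: str) -> datetime:
    # Exports carry ISO 8601 with a 'Z' suffix; fromisoformat wants '+00:00' on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt(jsonl_export: str, iocs: Sequence[str] = MALICIOUS_DOMAINS) -> List[Dict[str, str]]:
    """Mirror the KQL: filter DnsEvents by IOC, project the columns, order newest first."""
    hits: List[Dict[str, str]] = []
    for line in jsonl_export.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        matched = matches_ioc(row.get("Name", ""), iocs)
        if matched is None:
            continue
        projected = {col: row.get(col, "") for col in PROJECTED_COLUMNS}
        projected["MatchedIOC"] = matched  # extra column to speed up triage
        hits.append(projected)
    hits.sort(key=lambda r: _parse_time(r["TimeGenerated"]), reverse=True)
    return hits


def summarize_by_host(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per Computer, the usual first pivot when scoping an incident."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["Computer"]] = counts.get(h["Computer"], 0) + 1
    return counts


if __name__ == "__main__":
    results = hunt(SAMPLE_DNSEVENTS)
    for r in results:
        print(f'{r["TimeGenerated"]}  {r["Computer"]:<8} {r["Name"]:<24} -> {r["MatchedIOC"]}')
    print("hosts:", summarize_by_host(results))
```

The matcher deliberately compares on DNS label boundaries rather than doing a substring search: subdomains of the C2 domain (`cdn.defence.in.net`) are caught, while a lookalike that merely contains the IOC text (`notproject1.in.net`) is not, which keeps the replay from generating its own false positives. The per-host summary is the first pivot an analyst usually needs once the hunt returns hits.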
Scenario: Legitimate scheduled job using nanocore in a script
Description: A scheduled job runs a script that includes the word “nanocore” as part of a naming convention or logging.
Filter/Exclusion: Exclude processes where the command line contains nanocore and the process is associated with a known legitimate scheduling tool (e.g., cron, task scheduler, systemd).

Scenario: Admin task using nanocore in a log file name
Description: An administrator creates a log file named nanocore.log for debugging or auditing purposes.
Filter/Exclusion: Exclude files or processes where the filename contains nanocore and the file path is within a known log directory (e.g., /var/log/, C:\Windows\System32\LogFiles\).

Scenario: Use of nanocore in a legitimate network monitoring tool
Description: A network monitoring tool (e.g., Wireshark, tcpdump) is configured with a filter named nanocore for packet analysis.
Filter/Exclusion: Exclude processes where the command line includes nanocore and the process is associated with a known network analysis tool (e.g., tcpdump, Wireshark).

Scenario: Legitimate use of nanocore in a development environment
Description: A developer uses the term nanocore in a codebase or test environment as part of a project name or module.
Filter/Exclusion: Exclude processes where the command line or file path contains nanocore and the process is associated with a development tool (e.g., git, IDE, build scripts).

Scenario: Use of nanocore in a system cleanup script