The detection identifies potential Nanocore RAT activity through known IOCs, indicating an adversary may be establishing persistence and command-and-control capabilities within the network. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Nanocore RAT in their Azure Sentinel environment.
IOC Summary
Malware Family: Nanocore RAT Total IOCs: 6 IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | airtellwireless.it.com | botnet_cc | 2026-04-25 | 75% |
| ip:port | 104[.]21[.]9[.]66:443 | botnet_cc | 2026-04-25 | 100% |
| ip:port | 172[.]67[.]159[.]51:443 | botnet_cc | 2026-04-25 | 100% |
| domain | theponzu.com | botnet_cc | 2026-04-25 | 75% |
| domain | sc88884.com | botnet_cc | 2026-04-25 | 75% |
| ip:port | 172[.]67[.]208[.]215:443 | botnet_cc | 2026-04-25 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
let malicious_ips = dynamic(["172.67.208.215", "172.67.159.51", "104.21.9.66"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["172.67.208.215", "172.67.159.51", "104.21.9.66"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["airtellwireless.it.com", "theponzu.com", "sc88884.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using ntbackup.exe
Description: A scheduled task runs ntbackup.exe to perform system backups, which may trigger the rule due to the presence of ntbackup.exe in the IOC list.
Filter/Exclusion: Exclude processes where the full path contains C:\Windows\System32\ntbackup.exe or where the command line includes /backup.
Scenario: Admin using PowerShell to manage scheduled tasks
Description: An administrator uses PowerShell to create or modify scheduled tasks, which may involve the use of schtasks.exe or powershell.exe, both of which could be flagged by the rule.
Filter/Exclusion: Exclude processes where the parent process is explorer.exe or where the command line includes -Command with legitimate task management commands.
Scenario: Legitimate use of certutil.exe for certificate management
Description: System administrators may use certutil.exe to manage certificates, which could be mistakenly flagged as part of the Nanocore RAT IOC list.
Filter/Exclusion: Exclude processes where the command line includes -addstore or -view and the full path is C:\Windows\System32\certutil.exe.
Scenario: Antivirus or endpoint protection tool using msiexec.exe
Description: Some security tools use msiexec.exe to install or update components, which may be included in the IOC list due to its common usage.
Filter/Exclusion: Exclude processes where the parent process is a known security tool (e.g., Microsoft Defender Antivirus or McAfee Endpoint Security) or where the command line includes /i with a known legitimate MSI file.
Scenario: Legitimate use of regsvr32.exe for COM registration