This detection identifies potential Nanocore RAT activity through known network IOCs (C2 IP:port pairs and domains), which indicate that an adversary may be establishing persistence and command-and-control communication. Nanocore is a commodity RAT that has been sold and leaked widely, so a hit is as likely to come from opportunistic crimeware as from a targeted intrusion. SOC teams should hunt for this traffic proactively in their Microsoft Sentinel (formerly Azure Sentinel) environment and, on a hit, pivot to the initiating process and its persistence mechanism.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 5
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | njq.uk.com | botnet_cc | 2026-05-05 | 75% |
| domain | sadd.io | botnet_cc | 2026-05-05 | 75% |
| ip:port | 104[.]21[.]18[.]225:443 | botnet_cc | 2026-05-05 | 100% |
| ip:port | 172[.]67[.]183[.]218:443 | botnet_cc | 2026-05-05 | 100% |
| ip:port | 76[.]13[.]208[.]153:443 | botnet_cc | 2026-05-05 | 100% |
Two of the ip:port entries, 104[.]21[.]18[.]225 and 172[.]67[.]183[.]218, fall inside Cloudflare's published anycast prefixes (104.16.0.0/13 and 172.64.0.0/13). A connection to those addresses on 443 identifies the CDN, not the actor, and will also match every Cloudflare-fronted site your users visit, whatever confidence the feed assigns. Treat the two domains as the high-fidelity indicators and corroborate any IP hit with the TLS SNI, the HTTP host header, or the DNS lookup that preceded the connection. 76[.]13[.]208[.]153 is not in Cloudflare's ranges and can be matched directly.
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
// All three IOCs were reported on port 443. 104.21.18.225 and 172.67.183.218 sit in
// Cloudflare anycast space, so corroborate those hits with DestinationHostName/RequestURL.
let malicious_ips = dynamic(["76.13.208.153", "104.21.18.225", "172.67.183.218"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DestinationHostName, RequestURL, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Nanocore RAT
// RemoteUrl and the initiating process are what turn an IP match into a lead.
let malicious_ips = dynamic(["76.13.208.153", "104.21.18.225", "172.67.183.218"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
// has_any is term-based: it fires on subdomains (wanted) but also on names that merely
// contain these labels in sequence, e.g. sadd.io.example.com; review hits accordingly.
let malicious_domains = dynamic(["njq.uk.com", "sadd.io"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
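The matching logic the three queries apply, as an added Python example that is not part of the original page or of any Sentinel content: it refangs the IOC table into the `let` lists used above, then classifies a few constructed events the way an analyst would after the queries return, downgrading hits on the Cloudflare-hosted addresses and requiring an exact or subdomain match for names. The sample events and the Cloudflare prefix list are assumptions; the IOC values are the ones in the table.

```python
"""Offline check of the hunt logic used by the KQL queries above.

Added example, not part of the original page or of any Sentinel content pack.
It turns the defanged IOC table into the `let` lists the queries expect and
runs equivalent match logic over constructed events. The sample events are
made up; the Cloudflare prefixes are Cloudflare's published anycast ranges
(assumed current at the time of writing).
"""
import ipaddress
import json

# IOC rows copied from the table above, still defanged.
IOC_ROWS = [
    ("domain", "njq.uk.com"),
    ("domain", "sadd.io"),
    ("ip:port", "104[.]21[.]18[.]225:443"),
    ("ip:port", "172[.]67[.]183[.]218:443"),
    ("ip:port", "76[.]13[.]208[.]153:443"),
]

# Shared CDN/proxy space: an IOC inside these prefixes identifies Cloudflare, not the actor.
SHARED_INFRA = [ipaddress.ip_network(p) for p in ("104.16.0.0/13", "172.64.0.0/13")]


def refang(value: str) -> str:
    """Undo the usual defanging so values compare equal to log fields."""
    return value.replace("[.]", ".").replace("hxxp://", "http://")


def parse_iocs(rows):
    """Return ({ip: port}, {domain}) from (type, value) rows; malformed IPs raise ValueError."""
    ips, domains = {}, set()
    for kind, raw in rows:
        value = refang(raw)
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            ipaddress.ip_address(ip)  # validation only
            ips[ip] = int(port)
        elif kind == "domain":
            domains.add(value.lower().rstrip("."))
    return ips, domains


def kql_lets(ips, domains) -> str:
    """Emit the two `let` lines the queries above start with."""
    return (f"let malicious_ips = dynamic({json.dumps(sorted(ips))});\n"
            f"let malicious_domains = dynamic({json.dumps(sorted(domains))});")


def is_shared_infra(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in SHARED_INFRA)


def domain_matches(name: str, domains) -> bool:
    """Exact or subdomain match; unlike KQL has_any it rejects 'sadd.io.example.com'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def classify(event: dict, ips, domains):
    """Return (confidence, reason) for a hit, or None for a clean event."""
    ip, port, qname = event.get("remote_ip"), event.get("remote_port"), event.get("dns_name")
    if qname and domain_matches(qname, domains):
        return ("high", f"dns query for IOC domain {qname}")
    if ip in ips:
        if is_shared_infra(ip):
            return ("low", f"{ip} is shared CDN space; pivot on SNI/host header")
        if port == ips[ip]:
            return ("high", f"{ip}:{port} matches ip:port IOC")
        return ("medium", f"{ip} matches IOC but port {port} != {ips[ip]}")
    return None


def run_hunt(events):
    """Apply classify() to every event; returns [(index, confidence, reason), ...]."""
    ips, domains = parse_iocs(IOC_ROWS)
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev, ips, domains)
        if verdict:
            hits.append((i,) + verdict)
    return hits


# Constructed sample events (not real telemetry), normalised from the three tables.
SAMPLE_EVENTS = [
    {"src": "DeviceNetworkEvents", "remote_ip": "76.13.208.153", "remote_port": 443},
    {"src": "DeviceNetworkEvents", "remote_ip": "104.21.18.225", "remote_port": 443},
    {"src": "CommonSecurityLog", "remote_ip": "76.13.208.153", "remote_port": 8080},
    {"src": "DnsEvents", "dns_name": "update.sadd.io"},
    {"src": "DnsEvents", "dns_name": "sadd.io.example.com"},
    {"src": "CommonSecurityLog", "remote_ip": "8.8.8.8", "remote_port": 443},
]

if __name__ == "__main__":
    print(kql_lets(*parse_iocs(IOC_ROWS)))
    for hit in run_hunt(SAMPLE_EVENTS):
        print(hit)
```

Running it prints the two `let` lines ready to paste into the queries and four hits: the direct 76.13.208.153:443 connection and the sadd.io subdomain lookup at high confidence, the Cloudflare address at low, and the off-port connection at medium. The sadd.io.example.com lookup is deliberately not a hit, which is the case the `has_any` query above would have surfaced for review.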
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF connector (firewalls, proxies); ensure the connector is enabled and that the source forwards both allow and deny events |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; ensure the connector is enabled |
| DnsEvents | Populated by the DNS connector on Windows DNS servers; ensure the connector is enabled |
The hunts above match on network indicators, so the process-based scenarios below only apply if the hunt is extended to DeviceProcessEvents. Nanocore is dropped under arbitrary file names and persists through scheduled tasks and Run keys, so neither the name nanocore.exe nor a schtasks.exe parent is a safe exclusion key; tune on signer and hash instead.
Scenario: Legitimate scheduled job using nanocore.exe for system diagnostics
Description: A system administrator uses an internal diagnostic tool named nanocore.exe as part of a scheduled maintenance task.
Filter/Exclusion: Do not exclude on the path C:\Windows\System32\nanocore.exe or on a schtasks.exe parent: Windows ships no binary by that name, and scheduled tasks are a standard Nanocore persistence mechanism. If the tool is genuine, exclude on its code-signing certificate and SHA-256 hash.
Scenario: Use of nanocore.exe by a legitimate security tool for analysis
Description: A security team detonates a Nanocore sample in a sandboxed environment to analyse a suspicious file.
Filter/Exclusion: Scope the exclusion to the sandbox hosts (DeviceName or a dedicated device group) rather than to a parent process name such as msandbox.exe or vmtoolsd.exe; vmtoolsd.exe runs on every VMware guest, not only on analysis VMs. Keep DNS and network hits from those hosts visible, since they confirm the sample reached its C2.
Scenario: Administrative task involving nanocore.exe for log parsing
Description: An admin script uses a tool named nanocore.exe to parse and analyse log files for troubleshooting.
Filter/Exclusion: Do not exclude on a -parse_logs argument (the attacker controls the command line) or on Administrators-group membership combined with a task-scheduler launch (exactly the context an installed RAT runs in). Exclude on hash and signer and pin the expected script path.
Scenario: Legitimate software update using nanocore.exe as part of a deployment tool
Description: A deployment tool named nanocore.exe is used to push updates to endpoints.
Filter/Exclusion: Exclude on the deployment tool's hash and signer and, if needed, on the parent process deployment_tool.exe combined with its expected full path; a bare --update argument is not a trustworthy key.
Scenario: False positive from a third-party tool using nanocore in its name
Description: A third-party tool (e.g., nanocore-monitor.exe) is used for network monitoring and includes "nanocore" in its name.
Filter/Exclusion: Exclude processes where the full