This detection flags potential Nanocore RAT activity by matching network telemetry against known indicators of compromise (IOCs): a hit indicates that a host may be beaconing to Nanocore command-and-control infrastructure, which in turn suggests the adversary has already achieved execution and is establishing persistence and C2 communication. SOC teams should run these hunts against their Microsoft Sentinel (formerly Azure Sentinel) workspace, and note that IOC matching only catches infrastructure already catalogued; it complements, rather than replaces, behavioral detection of the RAT itself.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 3
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | net883.com | botnet_cc | 2026-05-23 | 75% |
| domain | algerium.io | botnet_cc | 2026-05-22 | 75% |
| ip:port | 68[.]134[.]58[.]120:54984 | botnet_cc | 2026-05-22 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
// The IOC is 68.134.58.120 on port 54984, but the query matches on the IP alone
// so that C2 traffic on another port is not missed; check DestinationPort in the results.
let malicious_ips = dynamic(["68.134.58.120"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Nanocore RAT
// InitiatingProcessFileName identifies the process that made the connection;
// a hit from an unexpected binary is the pivot point for host triage.
let malicious_ips = dynamic(["68.134.58.120"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
// has_any matches the domain and its subdomains (e.g. update.algerium.io);
// review hits for unrelated names that happen to contain the same terms.
let malicious_domains = dynamic(["net883.com", "algerium.io"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
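The three hunts above share one matching model: refang the IOCs from the summary table, then compare network events against the IP (with or without the port) and DNS queries against the domain or any of its subdomains. The script below is an added example, not part of the original page or of ThreatFox, that replays that logic offline over constructed sample events so the semantics can be checked before the KQL is run in a tenant. In particular it shows the two cases a naive substring match gets wrong (`xalgerium.io` and `net883.com.cdn.example`) and the difference between matching on IP alone, as the page's queries do, and requiring the catalogued C2 port. Field names on the sample events are normalized to `RemoteIP`/`RemotePort` for brevity; all events are constructed, not real telemetry.

```python
"""Added example: offline replay of the IOC hunts above against constructed events."""
import ipaddress
import re

# IOC rows exactly as presented in the IOC Summary table (still defanged).
IOC_TABLE = [
    ("domain", "net883.com"),
    ("domain", "algerium.io"),
    ("ip:port", "68[.]134[.]58[.]120:54984"),
]


def refang(value: str) -> str:
    """Undo common defanging so IOCs compare against raw telemetry: [.] -> . and hxxp -> http."""
    return re.sub(r"hxxp", "http", value.replace("[.]", "."), flags=re.IGNORECASE)


def parse_iocs(rows):
    """Split IOC rows into the sets the hunts need: domains, bare IPs, and (ip, port) pairs."""
    domains, ips, ip_ports = set(), set(), set()
    for ioc_type, raw in rows:
        value = refang(raw).lower()
        if ioc_type == "domain":
            domains.add(value.rstrip("."))
        elif ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ipaddress.ip_address(ip)  # raises ValueError on a malformed IOC instead of silently matching nothing
            ips.add(ip)
            ip_ports.add((ip, int(port)))
        elif ioc_type == "ip":
            ipaddress.ip_address(value)
            ips.add(value)
    return domains, ips, ip_ports


def domain_matches(name: str, domains) -> bool:
    """True for the IOC domain itself or any subdomain of it.
    Deliberately not a substring test: 'xalgerium.io' and 'net883.com.cdn.example' must not hit."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def ip_matches(remote_ip, remote_port, ips, ip_ports, require_port=False) -> bool:
    """Port-aware IP match. require_port=False mirrors the page's KQL (any traffic to the IP);
    require_port=True only hits the catalogued C2 port."""
    if require_port:
        return (remote_ip, remote_port) in ip_ports
    return remote_ip in ips


def hunt(events, rows, require_port=False):
    """Return (table, matched value) for every event that hits an IOC."""
    domains, ips, ip_ports = parse_iocs(rows)
    hits = []
    for ev in events:
        if ev["table"] == "DnsEvents":
            if domain_matches(ev["Name"], domains):
                hits.append((ev["table"], ev["Name"]))
        elif ip_matches(ev["RemoteIP"], ev["RemotePort"], ips, ip_ports, require_port):
            hits.append((ev["table"], f'{ev["RemoteIP"]}:{ev["RemotePort"]}'))
    return hits


# Constructed sample events (not real telemetry); field names are normalized.
SAMPLE_EVENTS = [
    {"table": "DnsEvents", "Name": "net883.com"},
    {"table": "DnsEvents", "Name": "update.algerium.io"},
    {"table": "DnsEvents", "Name": "xalgerium.io"},            # must NOT match
    {"table": "DnsEvents", "Name": "net883.com.cdn.example"},  # must NOT match
    {"table": "DeviceNetworkEvents", "RemoteIP": "68.134.58.120", "RemotePort": 54984},
    {"table": "CommonSecurityLog", "RemoteIP": "68.134.58.120", "RemotePort": 443},
    {"table": "CommonSecurityLog", "RemoteIP": "68.134.58.121", "RemotePort": 54984},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, IOC_TABLE):
        print("IOC hit:", hit)
```

Running it prints four hits with the page's IP-only semantics (two DNS, two network) and three when `require_port=True` drops the port-443 connection; the two look-alike domains never match. If you translate the stricter domain logic back to KQL, the equivalent of `domain_matches` is `Name =~ d or Name endswith strcat(".", d)` per domain rather than `has_any`.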
False Positive Scenarios
The scenarios below concern a process or file named nanocore.exe; they apply to process-based rules keyed on that name, not to the network-IOC hunts above, which match on the C2 IP and domains regardless of which binary made the connection. Because the RAT can be dropped under any name and any path, a file name alone is evidence of nothing either way, and path, parent process and command-line switches are all attacker-controlled. Where an exclusion is justified, key it on a verified publisher signature or on the hash of the specific binary, and confirm that the excluded process does not also appear as InitiatingProcessFileName in hits on the network hunts.
Scenario: Legitimate scheduled job using nanocore.exe
Description: A scheduled task runs nanocore.exe as part of a legitimate system maintenance or monitoring tool.
Filter/Exclusion: Exclude only after confirming the hash of the binary at its full path (the page's example: C:\Windows\System32\nanocore.exe). A parent process of schtasks.exe or the Task Scheduler service is not a safe exclusion by itself, since scheduled tasks are a common persistence mechanism for the RAT.
Scenario: Admin task using nanocore.exe for log analysis
Description: An administrator uses a custom script or tool named nanocore.exe to parse system logs or perform forensic analysis.
Filter/Exclusion: Exclude the known tool by hash rather than by command line; switches such as -log or -parse and the privileges of the user running it (a domain admin is the account an attacker would most want to run under) do not establish legitimacy.
Scenario: Legitimate software update using nanocore.exe
Description: A software update package includes a file named nanocore.exe as part of a legitimate application's update mechanism.
Filter/Exclusion: Exclude the file when it is located in the application's known install directory (e.g., C:\Program Files\MyApp\), is signed by that vendor, and was written by the installer (parent process msiexec.exe or setup.exe); the signature check is the part that cannot be faked by dropping a file into the same directory.
Scenario: False positive from a third-party tool with similar name
Description: A third-party security or monitoring tool includes a component named nanocore.exe that is unrelated to the RAT.
Filter/Exclusion: Exclude processes whose file is signed by a trusted vendor (e.g., Microsoft, Symantec) with a valid signature chain; a process name that merely matches a known legitimate tool is not sufficient on its own.
Scenario: Legitimate network monitoring tool using nanocore.exe
Description: A network monitoring tool uses nanocore.exe to capture and analyze network traffic for diagnostic purposes.
Filter/Exclusion: Exclude processes where the command line includes `-monitor