The detection identifies potential Nanocore RAT activity through known IOCs, indicating an adversary may be establishing persistence and command-and-control communication. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Nanocore RAT in their Azure Sentinel environment.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 4
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | michaelrutter.dev | botnet_cc | 2026-06-01 | 75% |
| domain | hitclub.ac | botnet_cc | 2026-06-01 | 75% |
| domain | nhyouthclimatetownhall.com | botnet_cc | 2026-06-01 | 75% |
| domain | shapekapseln.com.de | botnet_cc | 2026-06-01 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["michaelrutter.dev", "hitclub.ac", "nhyouthclimatetownhall.com", "shapekapseln.com.de"]);
DnsEvents
// has_any is term-based: it also matches names that contain an IOC as a run of labels,
// e.g. cdn.michaelrutter.dev, so review subdomain hits rather than treating them as noise
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
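To test the hunt logic offline before running it in Sentinel, the following added example (not the page's or Microsoft's own code) re-implements the DnsEvents query in Python over constructed JSON-per-line records with the same columns. It matches an IOC exactly or as a parent suffix of the queried name, which is stricter than KQL `has_any`: `cdn.michaelrutter.dev` is a hit, while `notmichaelrutter.dev` and `michaelrutter.dev.example.com` are not.

```python
import json

# The four ThreatFox-listed C2 domains from the IOC table above.
NANOCORE_C2_DOMAINS = {
    "michaelrutter.dev",
    "hitclub.ac",
    "nhyouthclimatetownhall.com",
    "shapekapseln.com.de",
}

def normalize(name: str) -> str:
    """Lower-case and drop a trailing root dot so 'Hitclub.AC.' equals 'hitclub.ac'."""
    return name.strip().lower().rstrip(".")

def matches_ioc(query_name: str, iocs: set = NANOCORE_C2_DOMAINS) -> bool:
    """True when the queried name is an IOC or a subdomain of one.
    Walks parent suffixes (a.b.c -> a.b.c, b.c, c), so an IOC embedded in the
    middle of a name or glued to another label does not match."""
    labels = normalize(query_name).split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))

def hunt(dns_events: list) -> list:
    """Apply the hunt to JSON-per-line DnsEvents records and return the columns
    the KQL projects, newest first (order by TimeGenerated desc)."""
    columns = ("TimeGenerated", "Computer", "Name", "IPAddresses", "QueryType")
    hits = []
    for line in dns_events:
        ev = json.loads(line)
        if matches_ioc(ev.get("Name", "")):
            hits.append({k: ev.get(k) for k in columns})
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)

# Constructed sample records (not real telemetry); IPs are documentation ranges.
SAMPLE_DNS_EVENTS = [
    '{"TimeGenerated":"2026-06-02T08:00:00Z","Computer":"ws01","Name":"hitclub.ac","IPAddresses":"203.0.113.10","QueryType":"A"}',
    '{"TimeGenerated":"2026-06-02T08:05:00Z","Computer":"ws02","Name":"www.example.com","IPAddresses":"93.184.216.34","QueryType":"A"}',
    '{"TimeGenerated":"2026-06-02T08:10:00Z","Computer":"ws03","Name":"cdn.michaelrutter.dev.","IPAddresses":"203.0.113.11","QueryType":"A"}',
    '{"TimeGenerated":"2026-06-02T08:15:00Z","Computer":"ws04","Name":"michaelrutter.dev.example.com","IPAddresses":"","QueryType":"A"}',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_EVENTS):
        print(hit)  # ws03 (cdn.michaelrutter.dev.) then ws01 (hitclub.ac)
```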
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from Microsoft Update. | Exclude PowerShell scripts that download from https://download.microsoft.com or use the MicrosoftUpdate task scheduler job name. |
| A developer is using Git to clone a repository from GitHub that contains a legitimate build script with a file name matching a known Nanocore IOC. | Exclude Git operations from github.com or files with .ps1 extensions that are part of a known legitimate development workflow. |
| A system is running a Windows Task Scheduler job that executes a PowerShell script to perform routine system diagnostics, which includes a file name matching a Nanocore IOC. | Exclude tasks scheduled by the Task Scheduler with a known legitimate name (e.g., SystemDiagnosticTool) or that run under a non-privileged user account. |
| A security tool like CrowdStrike Falcon is performing a file integrity check and generates a file with a name that matches a Nanocore IOC. | Exclude files created by CrowdStrike Falcon or any known security tool that performs integrity checks and generates temporary files. |
| A user is running a Windows PowerShell script that is part of a legitimate automation tool like Puppet or Chef, which includes a file name that matches a Nanocore IOC. | Exclude scripts executed by Puppet or Chef, or those signed by a known trusted certificate or by the system administrator. |