The detection identifies potential Nanocore RAT activity through suspicious network connections and file artifacts associated with known malicious IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats leveraging Nanocore RAT before significant data exfiltration or system compromise occurs.
IOC Summary
Malware Family: Nanocore RAT Total IOCs: 2 IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | marden.com.co | botnet_cc | 2026-05-29 | 75% |
| domain | cash-win.nl | botnet_cc | 2026-05-29 | 75% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["marden.com.co", "cash-win.nl"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using nanocore.exe
Description: A scheduled task runs a legitimate tool named nanocore.exe as part of a backup or maintenance process.
Filter/Exclusion: Exclude processes where the full path contains C:\Windows\System32\nanocore.exe or where the parent process is schtasks.exe.
Scenario: Admin using nanocore.exe for network testing
Description: A system administrator uses a tool named nanocore.exe (not related to RAT) for network diagnostics or packet analysis.
Filter/Exclusion: Exclude processes where the command line includes --test or --diag flags, or where the user is a domain admin with elevated privileges.
Scenario: Legitimate software installation with nanocore.exe
Description: A legitimate software package (e.g., NanoCore Backup Tool) includes an executable named nanocore.exe during installation.
Filter/Exclusion: Exclude processes where the process name matches nanocore.exe and the file path contains C:\Program Files\NanoCore\.
Scenario: PowerShell script invoking nanocore.exe for automation
Description: A PowerShell script (e.g., Invoke-NanoCore.ps1) is used to automate a legitimate task and calls nanocore.exe.
Filter/Exclusion: Exclude processes where the parent process is powershell.exe and the script path contains C:\Scripts\NanoCore\.
Scenario: False positive from a third-party tool with similar name
Description: A third-party tool (e.g., NanoCore Monitor) has an executable with a similar name to the RAT, triggering the rule.
Filter/Exclusion: Exclude processes where the file hash