The detection identifies potential Nanocore RAT activity through known IOCs, indicating an adversary may be establishing persistence and command-and-control communication. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Nanocore RAT in their Azure Sentinel environment.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 3
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | frans-meijers.nl | botnet_cc | 2026-06-07 | 75% |
| domain | lishman.io | botnet_cc | 2026-06-07 | 75% |
| ip:port | 38[.]60[.]250[.]187:443 | botnet_cc | 2026-06-07 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
let malicious_ips = dynamic(["38.60.250.187"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["38.60.250.187"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["frans-meijers.nl", "lishman.io"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
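The three hunts above match on IP alone and on domain terms, so a hit on 38.60.250.187 over a port other than 443 is a weaker signal than the ip:port IOC implies, and `has_any` will also flag a query name that merely contains the IOC labels. The following Python is an added example (not part of the original detection content): it refangs the IOC table exactly as published on this page, emits the `let` lines the KQL queries use, and applies stricter matching (IP plus expected port, exact or subdomain match for domains) to a handful of constructed log records. Record field names mirror the Sentinel columns the queries project; the record shape, the `hunt` function and the "exact"/"ip-only" labels are this example's own conventions, not Sentinel features.

```python
"""Refang the page's IOC table, generate KQL list literals and run
port-aware IP and suffix-based domain matching over sample records."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the page's IOC table, kept in its defanged form.
IOC_ROWS = [
    ("domain", "frans-meijers.nl"),
    ("domain", "lishman.io"),
    ("ip:port", "38[.]60[.]250[.]187:443"),
]


def refang(value: str) -> str:
    """Undo common defanging so the value can be compared with live telemetry."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


@dataclass
class IocSet:
    ips: dict = field(default_factory=dict)    # ip -> expected port (None = any port)
    domains: set = field(default_factory=set)  # lowercase, no trailing dot


def build_ioc_set(rows) -> IocSet:
    """Parse (type, value) rows; invalid IPs raise via ipaddress."""
    ioc = IocSet()
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "domain":
            ioc.domains.add(value.lower().rstrip("."))
        elif ioc_type == "ip":
            ioc.ips[str(ipaddress.ip_address(value))] = None
        elif ioc_type == "ip:port":
            host, _, port = value.rpartition(":")
            ioc.ips[str(ipaddress.ip_address(host))] = int(port)
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return ioc


def kql_let_lines(ioc: IocSet) -> str:
    """Render the dynamic() lists used by the hunting queries on this page."""
    ips = ", ".join(f'"{ip}"' for ip in sorted(ioc.ips))
    domains = ", ".join(f'"{d}"' for d in sorted(ioc.domains))
    return (f"let malicious_ips = dynamic([{ips}]);\n"
            f"let malicious_domains = dynamic([{domains}]);")


def match_ip(ioc: IocSet, ip: str, port: Optional[int]) -> Optional[str]:
    """'exact' when IP and expected port both match, 'ip-only' when only the IP does."""
    if ip not in ioc.ips:
        return None
    expected = ioc.ips[ip]
    return "exact" if expected is None or port == expected else "ip-only"


def match_domain(ioc: IocSet, name: str) -> Optional[str]:
    """Exact or subdomain match only; 'lishman.io.example.org' does not match."""
    name = name.lower().rstrip(".")
    for domain in ioc.domains:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def hunt(records, ioc: IocSet):
    """Return (table, observed value, match detail) for each record that hits."""
    hits = []
    for rec in records:
        table = rec["table"]
        if table == "CommonSecurityLog":
            # Source-side port is not in the projection, so that side is IP-only.
            for column, port in (("SourceIP", None), ("DestinationIP", rec.get("DestinationPort"))):
                kind = match_ip(ioc, rec[column], port)
                if kind:
                    hits.append((table, rec[column], kind))
        elif table == "DeviceNetworkEvents":
            kind = match_ip(ioc, rec["RemoteIP"], rec.get("RemotePort"))
            if kind:
                hits.append((table, rec["RemoteIP"], kind))
        elif table == "DnsEvents":
            domain = match_domain(ioc, rec["Name"])
            if domain:
                hits.append((table, rec["Name"], domain))
    return hits


# Constructed sample records shaped like the projected Sentinel columns.
SAMPLE_RECORDS = [
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.5", "DestinationIP": "38.60.250.187", "DestinationPort": 443},
    {"table": "DeviceNetworkEvents", "RemoteIP": "38.60.250.187", "RemotePort": 8080},
    {"table": "DeviceNetworkEvents", "RemoteIP": "38.60.250.188", "RemotePort": 443},
    {"table": "DnsEvents", "Name": "cdn.lishman.io"},
    {"table": "DnsEvents", "Name": "lishman.io.example.org"},
    {"table": "DnsEvents", "Name": "frans-meijers.nl."},
]

if __name__ == "__main__":
    iocs = build_ioc_set(IOC_ROWS)
    print(kql_let_lines(iocs))
    for hit in hunt(SAMPLE_RECORDS, iocs):
        print(hit)
```

The "ip-only" label is the point of the exercise: the ip:port IOC carries 100% confidence for 443, so a connection to the same address on 8080 deserves a look at `InitiatingProcessFileName` before it is escalated, while a DNS query for a subdomain of an IOC domain is treated as a full match.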
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job using nanocore.exe for system diagnostics | Check for Process.parent_process_name = "Task Scheduler" and Process.command_line LIKE '%systemdiagnostics%' |
| Admin using nanocore.exe for network monitoring via Wireshark | Filter by Process.user = "Administrator" and Process.command_line LIKE '%wireshark%' |
| Deployment of a legitimate tool named nanocore.exe by IT department | Check for File.sha256 = "known_legitimate_sha256_hash" or File.file_name = "nanocore-deploy.exe" |
| System update using a tool with similar name to nanocore.exe | Filter by Process.parent_process_name = "Windows Update" and File.file_name LIKE '%update%' |
| Legitimate script execution using nanocore.exe as a wrapper for PowerShell | Check for Process.parent_process_name = "powershell.exe" and Process.command_line LIKE '%-Command%' |