The detection identifies potential Nanocore RAT activity through suspicious network connections and file artifacts associated with known malicious IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats leveraging Nanocore RAT before significant data exfiltration or system compromise occurs.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 98[.]98[.]144[.]133:443 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 98[.]98[.]144[.]134:443 | botnet_cc | 2026-06-15 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
// Note: this matches on IP only; the port (443) listed with the IOCs is not checked.
let malicious_ips = dynamic(["98.98.144.133", "98.98.144.134"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Note: this matches on IP only; the port (443) listed with the IOCs is not checked.
let malicious_ips = dynamic(["98.98.144.133", "98.98.144.134"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
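The queries above take the IOC IPs as literals. As an added example (not part of the original detection content), the helper below refangs the `ip:port` values exactly as the table publishes them, emits the `let` line the queries start with, and runs the same match over constructed DeviceNetworkEvents-style records, separating exact ip:port hits from IP-only hits so an analyst can see what an IP-only query raises beyond the listed port. The log records are constructed for the demonstration.

```python
import json
import re

# Defanged form used in the IOC table above, e.g. 98[.]98[.]144[.]133:443
_DEFANGED = re.compile(r"^(?P<ip>\d{1,3}(?:\[\.\]\d{1,3}){3}):(?P<port>\d{1,5})$")

# The two IOCs from the table above, defanged as published.
PAGE_IOCS = ["98[.]98[.]144[.]133:443", "98[.]98[.]144[.]134:443"]

# Constructed DeviceNetworkEvents-style records for demonstration only.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-16T03:12:09Z", "DeviceName": "ws-0042", "RemoteIP": "98.98.144.133",
     "RemotePort": 443, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-16T03:15:41Z", "DeviceName": "ws-0042", "RemoteIP": "98.98.144.134",
     "RemotePort": 8080, "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-06-16T03:16:00Z", "DeviceName": "srv-01", "RemoteIP": "10.0.0.5",
     "RemotePort": 443, "InitiatingProcessFileName": "outlook.exe"},
]

def refang(ioc: str) -> tuple[str, int]:
    """'98[.]98[.]144[.]133:443' -> ('98.98.144.133', 443); rejects anything else."""
    m = _DEFANGED.match(ioc.strip())
    if not m:
        raise ValueError(f"not a defanged ip:port IOC: {ioc!r}")
    ip, port = m.group("ip").replace("[.]", "."), int(m.group("port"))
    if any(int(o) > 255 for o in ip.split(".")) or not 0 < port < 65536:
        raise ValueError(f"out-of-range ip or port: {ioc!r}")
    return ip, port

def kql_let(name: str, iocs: list) -> str:
    """Build the 'let <name> = dynamic([...]);' line the KQL queries above start with."""
    ips = sorted({refang(i)[0] for i in iocs})
    return f"let {name} = dynamic({json.dumps(ips)});"

def match_events(events: list, iocs: list) -> tuple[list, list]:
    """Split events into exact ip:port hits and weaker IP-only hits.
    The page's queries check the IP alone, so they raise both lists."""
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    full, ip_only = [], []
    for e in events:
        if (e["RemoteIP"], int(e["RemotePort"])) in pairs:
            full.append(e)
        elif e["RemoteIP"] in ips:
            ip_only.append(e)
    return full, ip_only
```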
Scenario: Scheduled System Backup Using wbadmin
Description: A legitimate scheduled backup task using wbadmin may trigger the rule if the backup process involves IOCs associated with Nanocore RAT.
Filter/Exclusion: Exclude processes initiated by wbadmin or tasks scheduled via the Task Scheduler with the wbadmin executable.

Scenario: Admin Task Using PowerShell for Log Collection
Description: An admin might use PowerShell scripts to collect logs or monitor system activity, which could inadvertently match the IOCs of Nanocore RAT.
Filter/Exclusion: Exclude PowerShell scripts executed by users in the Administrators group or with the RunAs flag set.

Scenario: Legitimate Software Update Process
Description: A software update process, such as deploying patches via Microsoft Update or SCCM, may involve IOCs that resemble those of Nanocore RAT.
Filter/Exclusion: Exclude processes related to wuauclt.exe, msiexec.exe, or any known update tools, especially when executed from a trusted source like Microsoft's update servers.

Scenario: Network Monitoring Tool Using tcpdump or Wireshark
Description: Security teams may use tcpdump or Wireshark to monitor network traffic, which could trigger the rule if the tool's execution path or command-line arguments match the IOC pattern.
Filter/Exclusion: Exclude processes running tcpdump or Wireshark with known monitoring command-line arguments or from a user account associated with the security team.

Scenario: Antivirus or EDR Tool Performing File Scanning
Description: Antivirus or EDR tools like Microsoft Defender, CrowdStrike, or SentinelOne may scan files that include IOCs from the Nanocore RAT, leading to a false positive.