This detection identifies potential Nanocore RAT activity through known IOCs (one C2 IP:port and five C2 domains reported to ThreatFox). A match indicates that an adversary may be establishing persistence and command and control within the network. Nanocore is a commodity RAT whose cracked builds circulate widely, so a hit should be treated as a probable compromised host rather than as attribution to a particular actor. SOC teams should hunt for these indicators proactively in their Microsoft Sentinel (formerly Azure Sentinel) environment rather than wait for an alert.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 6
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | xoilacpro.com | botnet_cc | 2026-06-02 | 75% |
| domain | ck01.tv | botnet_cc | 2026-06-02 | 75% |
| ip:port | 157[.]66[.]13[.]164:443 | botnet_cc | 2026-06-02 | 100% |
| domain | kitlife.net | botnet_cc | 2026-06-02 | 75% |
| domain | iiabc8.com | botnet_cc | 2026-06-02 | 75% |
| domain | michaelrutter.dev | botnet_cc | 2026-06-01 | 75% |
```kql
// Hunt for network connections to the known C2 IP
// Source: ThreatFox - Nanocore RAT
// The IOC is 157.66.13.164:443. Matching on the IP alone also surfaces
// traffic to other ports; DestinationPort is projected so triage can tell
// the two apart.
let malicious_ips = dynamic(["157.66.13.164"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Nanocore RAT
// The initiating process and its command line identify the implant on the host.
let malicious_ips = dynamic(["157.66.13.164"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
// in~ gives an exact, case-insensitive match on the queried name; has_any is
// term-based, so it also catches subdomains (api.kitlife.net) but can match the
// IOC appearing as a label inside an unrelated name. Confirm the suffix on triage.
let malicious_domains = dynamic(["xoilacpro.com", "ck01.tv", "kitlife.net", "iiabc8.com", "michaelrutter.dev"]);
DnsEvents
| where Name in~ (malicious_domains) or Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
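The same matching logic, written in Python so it can be run offline against exported rows or used to sanity-check the IOC list before it goes into a watchlist. This is an added example and not part of the original page or its queries; the sample events are constructed to look like CommonSecurityLog and DnsEvents rows and are not real telemetry. It refangs the published IOCs, matches the ip:port indicator with and without the port, and matches domains with exact-or-subdomain semantics so that neither `notck01.tv` nor `ck01.tv.corp.example` is counted as a hit.

```python
"""Offline IOC matcher that mirrors the three Sentinel hunts above.

Added example, not code from the original page; all events below are constructed.
"""
import ipaddress

# IOCs from the table above, kept in the defanged form they were published in.
IOC_IP_PORTS = ["157[.]66[.]13[.]164:443"]
IOC_DOMAINS = ["xoilacpro.com", "ck01.tv", "kitlife.net", "iiabc8.com", "michaelrutter.dev"]

# Constructed sample rows shaped like CommonSecurityLog / DnsEvents (not real telemetry).
SAMPLE_NETWORK_EVENTS = [
    {"TimeGenerated": "2026-06-03T10:00:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "157.66.13.164", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-03T10:01:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "157.66.13.164", "DestinationPort": 80, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-03T10:02:00Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "192.0.2.10", "DestinationPort": 443, "DeviceAction": "allow"},
]
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-06-03T10:00:00Z", "Computer": "ws01", "Name": "CK01.TV."},             # exact hit (case, trailing dot)
    {"TimeGenerated": "2026-06-03T10:01:00Z", "Computer": "ws02", "Name": "api.kitlife.net"},      # subdomain of an IOC
    {"TimeGenerated": "2026-06-03T10:02:00Z", "Computer": "ws03", "Name": "notck01.tv"},           # different registrable domain
    {"TimeGenerated": "2026-06-03T10:03:00Z", "Computer": "ws04", "Name": "ck01.tv.corp.example"}, # IOC appears only as a label
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so the value can be compared with live telemetry."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split an ip:port IOC, validating the address (raises ValueError on junk input)."""
    host, _, port = refang(ioc).rpartition(":")
    return str(ipaddress.ip_address(host)), int(port)


def domain_ioc_for(name: str, iocs=IOC_DOMAINS):
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Suffix matching on a leading dot avoids the two classic mistakes: substring
    matching ("notck01.tv") and label matching ("ck01.tv.corp.example").
    """
    queried = name.lower().rstrip(".")
    for ioc in iocs:
        ioc = ioc.lower()
        if queried == ioc or queried.endswith("." + ioc):
            return ioc
    return None


def hunt_network(events, ip_ports=IOC_IP_PORTS, require_port=False):
    """Mirror of the CommonSecurityLog hunt: match on source or destination IP.

    Returns (event, kind) pairs; kind is "ip+port" when the destination port also
    matches the IOC and "ip-only" otherwise. With require_port=True the ip-only
    rows are dropped, which is the stricter reading of an ip:port indicator.
    """
    wanted = dict(parse_ip_port(i) for i in ip_ports)  # ip -> port
    hits = []
    for ev in events:
        for side in ("DestinationIP", "SourceIP"):
            ip = ev.get(side)
            if ip not in wanted:
                continue
            port_ok = side == "DestinationIP" and ev.get("DestinationPort") == wanted[ip]
            if not require_port or port_ok:
                hits.append((ev, "ip+port" if port_ok else "ip-only"))
            break  # one verdict per row
    return hits


def hunt_dns(events, iocs=IOC_DOMAINS):
    """Mirror of the DnsEvents hunt, with exact-or-subdomain semantics."""
    hits = []
    for ev in events:
        ioc = domain_ioc_for(ev["Name"], iocs)
        if ioc:
            hits.append((ev, ioc))
    return hits


if __name__ == "__main__":
    for ev, kind in hunt_network(SAMPLE_NETWORK_EVENTS):
        print(f"{ev['TimeGenerated']} {ev['SourceIP']} -> {ev['DestinationIP']}:{ev['DestinationPort']} [{kind}]")
    for ev, ioc in hunt_dns(SAMPLE_DNS_EVENTS):
        print(f"{ev['TimeGenerated']} {ev['Computer']} queried {ev['Name']} (matches {ioc})")
```

On the constructed sample, the network hunt returns the port-443 row as `ip+port` and the port-80 row as `ip-only`, and the DNS hunt returns only the `CK01.TV.` and `api.kitlife.net` rows. The `require_port` switch is worth keeping in mind when the KQL above is turned into an analytics rule: an IP-only rule is noisier but survives the operator moving the listener to another port.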
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) / Syslog connector; ensure it is enabled and that the firewall or proxy forwards both allowed and denied connections |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; ensure it is enabled |
| DnsEvents | Populated by the DNS connector; ensure it is enabled. Environments that ingest DNS through the normalized ASimDnsActivityLogs table need the query ported (the queried name is in DnsQuery there) |
False Positive Scenarios
The queries above match only the listed IP and domains, not the string "nanocore", so the keyword scenarios below apply only if the hunt is extended to process names, command lines or log text. For the IOC matches themselves, the common benign sources are different: a shared-hosting or CDN address reused after the C2 was taken down, DNS lookups generated by security scanners or threat-intel enrichment rather than by an implant, and sinkholed domains. Check what the domain currently resolves to and compare the event time with the IOC's first-seen date before escalating.
Scenario: Legitimate scheduled job using nanocore in a script
Description: A system administrator schedules a script that includes the term "nanocore" as part of a naming convention or logging process.
Filter/Exclusion: Exclude processes initiated by cron or the Task Scheduler service, or filter by command-line arguments containing --log or --debug.
Scenario: Use of nanocore in a legitimate network monitoring tool
Description: A network monitoring tool (e.g., tcpdump, Wireshark, or nmap) includes the term "nanocore" in its configuration or output for logging purposes.
Filter/Exclusion: Exclude processes related to network analysis tools, or filter by process names such as tcpdump, nmap, or wireshark.
Scenario: Administrative task involving nanocore in a backup script
Description: A backup script or job includes the word "nanocore" as part of a filename or directory structure for version control.
Filter/Exclusion: Exclude processes initiated by backup services (e.g., Veeam, Commvault, or rsync), or filter by command-line arguments containing backup or restore.
Scenario: Use of nanocore in a legitimate system diagnostic tool
Description: A system diagnostic or performance monitoring tool (e.g., perfmon, sar, or dstat) includes the term "nanocore" in its output or logs.
Filter/Exclusion: Exclude processes associated with system monitoring tools, or filter by process names such as perfmon, sar, or dstat.
Scenario: Legitimate software development using nanocore in code
Description: A developer uses the term “nan