This detection identifies potential Nanocore RAT activity through known command-and-control IOCs (three ip:port pairs and one domain, sourced from ThreatFox). A match indicates that an adversary may be establishing persistence and remote control over a compromised host. SOC teams should hunt for these indicators in their Azure Sentinel workspace and treat hits as candidate C2 traffic to triage (confirm the destination, the initiating process and the port) rather than as confirmed infections.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 4
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | ee88-life1.com | botnet_cc | 2026-05-26 | 75% |
| ip:port | 54[.]254[.]92[.]42:443 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 54[.]179[.]244[.]120:443 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 13[.]228[.]173[.]160:443 | botnet_cc | 2026-05-26 | 100% |
```kql
// Hunt for firewall/proxy connections to or from the known C2 IPs
// Source: ThreatFox - Nanocore RAT
// Matching on either side catches outbound beacons (DestinationIP) and
// inbound connections from the C2 host (SourceIP). The IOCs are ip:port
// pairs on 443, so DestinationPort is projected for the analyst to confirm.
let malicious_ips = dynamic(["13.228.173.160", "54.254.92.42", "54.179.244.120"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Nanocore RAT
// InitiatingProcessFileName is the key triage field: a browser or updater
// reaching a cloud-hosted IP is far less suspicious than an unsigned binary
// in a user-writable path.
let malicious_ips = dynamic(["13.228.173.160", "54.254.92.42", "54.179.244.120"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to the known C2 domain
// Source: ThreatFox - Nanocore RAT
// has_any does term matching, so it also returns subdomains such as
// cdn.ee88-life1.com; it will likewise return lookalikes that merely
// contain the terms, so confirm the resolved IPAddresses against the IP list.
let malicious_domains = dynamic(["ee88-life1.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog from firewalls and proxies) |
| DeviceNetworkEvents | Ensure this data connector is enabled (Microsoft Defender for Endpoint) |
| DnsEvents | Ensure this data connector is enabled (DNS analytics) |
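The following Python is an added example, not code from the original page or from ThreatFox. It re-implements the three hunts above offline: it refangs the defanged IOC table into the lists the KQL `let` statements need, parses a few constructed CEF lines into CommonSecurityLog-shaped records, and runs the same IP and domain predicates over them. The vendor name, hostnames and 203.0.113.0/24 addresses in the sample data are constructed; the IOC values are the ones published in the table above.

```python
"""Offline emulation of the Nanocore IOC hunts on this page (added example)."""
import ipaddress
import re

# The IOC table from this page, exactly as published (defanged with "[.]").
IOC_TABLE = [
    ("domain", "ee88-life1.com", 75),
    ("ip:port", "54[.]254[.]92[.]42:443", 100),
    ("ip:port", "54[.]179[.]244[.]120:443", 100),
    ("ip:port", "13[.]228[.]173[.]160:443", 100),
]


def refang(value: str) -> str:
    """Undo common defanging so the value compares equal to raw log fields."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(table):
    """Return ({ip: expected_port}, {domain}); bad IPs raise instead of silently never matching."""
    ips, domains = {}, set()
    for kind, value, _confidence in table:
        value = refang(value)
        if kind == "ip:port":
            ip, _, port = value.rpartition(":")
            ipaddress.ip_address(ip)  # ValueError on a typo in the table
            ips[ip] = int(port)
        elif kind == "domain":
            domains.add(value.lower().rstrip("."))
    return ips, domains


def kql_let(name: str, values) -> str:
    """Render the `let <name> = dynamic([...]);` line used by the KQL hunts."""
    quoted = ", ".join(f'"{v}"' for v in sorted(values))
    return f"let {name} = dynamic([{quoted}]);"


# CEF: seven pipe-separated header fields, then space-separated key=value pairs.
_CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> dict:
    """Map a raw CEF line onto the CommonSecurityLog columns the hunt projects."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    ext = dict(_CEF_EXT.findall(parts[7]))
    return {
        "Activity": parts[5],
        "SourceIP": ext.get("src"),
        "DestinationIP": ext.get("dst"),
        "DestinationPort": int(ext["dpt"]) if "dpt" in ext else None,
        "DeviceAction": ext.get("act"),
    }


def hunt_network(events, ips):
    """Same predicate as the CommonSecurityLog query: either endpoint is an IOC IP.
    Each hit also records whether the destination port agrees with the ip:port IOC."""
    hits = []
    for event in events:
        for side in ("SourceIP", "DestinationIP"):
            ip = event.get(side)
            if ip in ips:
                hits.append({**event, "MatchedIOC": ip, "MatchedSide": side,
                             "PortAgrees": event.get("DestinationPort") == ips[ip]})
    return hits


def domain_matches(name: str, domains) -> bool:
    """Exact or subdomain match. Stricter than KQL has_any: a lookalike such as
    ee88-life1.com.example.net does not match here."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in domains)


def hunt_dns(events, domains):
    return [e for e in events if domain_matches(e["Name"], domains)]


# Constructed sample telemetry (not real logs); 203.0.113.0/24 is documentation space.
SAMPLE_CEF = [
    "CEF:0|ExampleVendor|Firewall|1.0|100|traffic|3|src=10.20.30.40 dst=54.254.92.42 dpt=443 act=allow",
    "CEF:0|ExampleVendor|Firewall|1.0|100|traffic|3|src=10.20.30.41 dst=203.0.113.10 dpt=443 act=allow",
    "CEF:0|ExampleVendor|Firewall|1.0|100|traffic|3|src=13.228.173.160 dst=10.20.30.42 dpt=3389 act=deny",
]
SAMPLE_DNS = [
    {"Computer": "ws01", "Name": "cdn.ee88-life1.com", "IPAddresses": "54.254.92.42"},
    {"Computer": "ws02", "Name": "ee88-life1.com.example.net", "IPAddresses": "203.0.113.20"},
    {"Computer": "ws03", "Name": "login.example.com", "IPAddresses": "203.0.113.30"},
]


def run_demo():
    """Build the KQL lists, then run both hunts over the sample records."""
    ips, domains = parse_iocs(IOC_TABLE)
    print(kql_let("malicious_ips", ips))
    print(kql_let("malicious_domains", domains))
    net_hits = hunt_network([parse_cef(line) for line in SAMPLE_CEF], ips)
    dns_hits = hunt_dns(SAMPLE_DNS, domains)
    for h in net_hits:
        print("NET", h["MatchedSide"], h["MatchedIOC"], "port_agrees:", h["PortAgrees"], h["DeviceAction"])
    for h in dns_hits:
        print("DNS", h["Computer"], h["Name"], "->", h["IPAddresses"])
    return net_hits, dns_hits


if __name__ == "__main__":
    run_demo()
```

Run it before deploying the KQL: the generated `let` lines should match the ones in the queries above character for character, and the inbound hit from 13.228.173.160 on port 3389 shows why `PortAgrees` (or `DestinationPort` in the projection) matters when the IOC is an ip:port pair rather than a bare IP.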
Note on the scenarios below: the three hunts on this page match on IP address and DNS name, not on process or file names, so process-based exclusions only apply if the detection is extended to process telemetry (for example the InitiatingProcess* columns of DeviceNetworkEvents). For the network matches themselves, the realistic false-positive sources are shared or reassigned hosting addresses (the ip:port IOCs above appear to sit in public cloud address space, so confirm the IP is still tied to the C2 at the time of the event) and the lower-confidence (75%) domain, which should be corroborated against the resolved IPs.

Scenario: Legitimate scheduled job using a script named nanocore
Description: A system administrator schedules a script named nanocore as part of a custom monitoring tool.
Filter/Exclusion: Exclude processes where the command line includes nanocore and the parent process is a known scheduling tool (e.g., cron, at, or schtasks).

Scenario: Admin task using a script named nanocore for log analysis
Description: A security analyst uses a custom script named nanocore to parse and analyze system logs.
Filter/Exclusion: Exclude processes where the user is a high-privileged admin and the command line includes log analysis tools (e.g., grep, awk, or sed).

Scenario: Legitimate software package named nanocore
Description: A company uses a legitimate internal software package named nanocore for data processing.
Filter/Exclusion: Exclude processes where the file path contains known internal software directories (e.g., /opt/enterprise/nanocore/).

Scenario: False positive from a third-party tool with a similar name
Description: A third-party network-monitoring tool named nanocore is falsely flagged by the detection rule.
Filter/Exclusion: Exclude processes where the file path or command line includes the vendor name or product identifier (e.g., thirdparty/nanocore).

Scenario: Legitimate use of a tool named nanocore in a DevOps pipeline
Description: A CI/CD pipeline uses a tool named nanocore to automate testing and deployment.
Filter/Exclusion: Exclude processes where the parent process is a known CI/CD tool (e.g., jenkins, `git