This hunt identifies potential NetSupportManager RAT command-and-control activity by matching network connections against two ThreatFox-reported C2 endpoints (IP:port pairs). NetSupport Manager is a legitimate remote-administration product that is widely abused as a RAT, so a hit means a host is talking to infrastructure reported as a botnet C2, which is consistent with an adversary holding interactive remote access that can be used for persistence and data exfiltration. SOC teams should run the queries below in Microsoft Sentinel (formerly Azure Sentinel) on a schedule and also against historical data back to the IOC first-seen dates, since the IOCs are recent and earlier beaconing may already be in the logs.
IOC Summary
Malware Family: NetSupportManager RAT
Total IOCs: 2
IOC Types: ip:port (values are defanged with brackets; remove them before use)
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 102[.]98[.]215[.]238:443 | botnet_cc | 2026-03-19 | 100% |
| ip:port | 46[.]149[.]76[.]140:5222 | botnet_cc | 2026-03-18 | 100% |
```kusto
// Hunt for network connections to known NetSupportManager RAT C2 endpoints
// Source: ThreatFox - NetSupportManager RAT (botnet_cc, IP:port)
let c2 = datatable(ip:string, port:int) [
    "102.98.215.238", 443,
    "46.149.76.140", 5222
];
let malicious_ips = toscalar(c2 | summarize make_set(ip));
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend C2IP = iff(DestinationIP in (malicious_ips), DestinationIP, SourceIP)
// The ThreatFox IOC is the IP:port pair; an IP-only hit on another port is lower confidence but still worth triage
| join kind=leftouter c2 on $left.C2IP == $right.ip
| extend ExactIocMatch = (DestinationPort == port)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, C2IP, ExactIocMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - NetSupportManager RAT (botnet_cc, IP:port)
let c2 = datatable(ip:string, port:int) [
    "102.98.215.238", 443,
    "46.149.76.140", 5222
];
DeviceNetworkEvents
| where RemoteIP in (c2 | project ip)
| join kind=leftouter c2 on $left.RemoteIP == $right.ip
| extend ExactIocMatch = (RemotePort == port)
// The initiating process is the key pivot: client32.exe vs. a renamed or unexpected binary
| project Timestamp, DeviceName, RemoteIP, RemotePort, ExactIocMatch, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog from firewalls and proxies) |
| DeviceNetworkEvents | Ensure this data connector is enabled (Microsoft Defender for Endpoint) |
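The two queries above list raw hits per source. The query below is an added example, not part of the original page: it normalizes both sources into one view and summarizes per host and remote endpoint so an analyst can see first/last seen, how many connections were made, which processes were involved and whether the hit was an exact IP:port match. It assumes only the standard CommonSecurityLog and DeviceNetworkEvents schemas and the two ThreatFox pairs listed above.

```kusto
// Added example: one normalized view over both log sources, summarized for triage
// Assumes standard Sentinel / Defender for Endpoint column names; no other data is required
let c2 = datatable(ip:string, port:int) [
    "102.98.215.238", 443,
    "46.149.76.140", 5222
];
let c2_ips = toscalar(c2 | summarize make_set(ip));
let firewall = CommonSecurityLog
    | where DestinationIP in (c2_ips)
    | project TimeGenerated,
              Host = coalesce(SourceHostName, SourceIP),
              RemoteIP = DestinationIP,
              RemotePort = toint(DestinationPort),
              Process = "",                      // firewalls do not see the process
              Outcome = DeviceAction,
              Source = "CommonSecurityLog";
let endpoint = DeviceNetworkEvents
    | where RemoteIP in (c2_ips)
    | project TimeGenerated = Timestamp,
              Host = DeviceName,
              RemoteIP,
              RemotePort,
              Process = InitiatingProcessFileName,
              Outcome = ActionType,              // ConnectionSuccess, ConnectionFailed, ...
              Source = "DeviceNetworkEvents";
union firewall, endpoint
| join kind=leftouter c2 on $left.RemoteIP == $right.ip
| extend ExactIocMatch = (RemotePort == port)
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Connections = count(),
            Processes = make_set(Process),
            Outcomes = make_set(Outcome),
            Sources = make_set(Source)
          by Host, RemoteIP, RemotePort, ExactIocMatch
| order by ExactIocMatch desc, LastSeen desc
```

A host that appears in both sources with a successful outcome and an exact IP:port match is the priority; a firewall-only hit with a deny/drop outcome still tells you the host attempted to beacon and should be imaged before the attacker tries another port.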
Tuning and False Positive Scenarios
Connections to the two listed IP:port pairs are themselves high confidence and should not be excluded: legitimate NetSupport Manager traffic goes to the organisation's own Gateway or to the vendor's update servers, not to infrastructure reported as a botnet C2. The scenarios below apply when the hunt is widened from these IOCs to NetSupport Manager activity in general (for example, any NetSupport client traffic leaving the network). In every case, tune by scoping to the known-good deployment rather than by excluding whole classes of accounts or devices, which would also hide an attacker using the same tool.
Scenario: Legitimate Scheduled Job for NetSupportManager Updates
Description: A scheduled task runs to update the NetSupportManager tool, which is used for remote IT support in the enterprise.
Filter/Exclusion: Baseline the vendor update hosts and the internal distribution share the task pulls from, and suppress only connections to those destinations. Do not exclude by file hash alone: the queries above match on network destinations, and an attacker can run an unmodified, correctly signed NetSupport client against their own gateway.
Scenario: Admin Task to Deploy Remote Support Tools
Description: An administrator deploys the NetSupportManager tool to multiple endpoints for remote IT support and monitoring.
Filter/Exclusion: Record the approved NetSupport Gateway addresses and ports (a Sentinel watchlist works well) and suppress connections to those endpoints only. Do not exclude by account or privilege level: a RAT operator running NetSupport under a compromised administrator or ITSupport account produces identical telemetry, so the user context is a triage pivot, not an allowlist.
Scenario: Network Monitoring Tool Using NetSupportManager API
Description: A network monitoring tool uses the NetSupportManager API to manage remote devices and collect system metrics.
Filter/Exclusion: Exclude connections between the monitoring infrastructure and the known internal NetSupportManager servers by matching both source and destination against that inventory. A connection from the monitoring hosts to an external IP:port that is not in the inventory remains a finding.
Scenario: Malware Analysis Lab Testing NetSupportManager
Description: A security team is testing the NetSupportManager tool in a sandboxed environment to analyze its behavior.
Filter/Exclusion: Exclude the lab by device name or device tag taken from the asset inventory, not by substrings such as "sandbox" or "vm" in the process name or path, which any attacker can avoid or imitate. Detonation hosts should also sit on an isolated network segment so that their beacons never reach the production firewall logs in the first place.
Scenario: Legacy System Maintenance with NetSupportManager
Description: An older system is being maintained using NetSupportManager for remote control and patch management.
Filter/Exclusion: Treat legacy systems the same as any other host: suppress only connections to the approved gateway that maintains them. Excluding whole device types such as LegacyServer or OldWorkstation removes coverage from exactly the hosts that are easiest to compromise and slowest to patch.
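The scenarios above all reduce to the same rule: NetSupport client traffic to an approved gateway is expected, anything else is a finding, and a ThreatFox IOC match is the top of the pile. The query below is an added example, not code from the original page, that implements that rule over Defender for Endpoint telemetry. It assumes that client32.exe is the NetSupport Manager client binary and that the product name is embedded in the file's version information; the approved gateway list is a constructed placeholder (TEST-NET addresses) standing in for a Sentinel watchlist such as _GetWatchlist('NetSupportGateways').

```kusto
// Added example: NetSupport Manager client traffic that is NOT going to an approved gateway
// ASSUMPTIONS: client32.exe is the stock NetSupport client; the gateway list below is constructed
// (documentation-range addresses) and would normally come from a Sentinel watchlist
let approved_gateways = datatable(ip:string, port:int) [
    "203.0.113.10", 443,      // constructed: cloud-hosted NetSupport Gateway
    "203.0.113.11", 443
];
let threatfox_c2 = datatable(ip:string, port:int) [
    "102.98.215.238", 443,
    "46.149.76.140", 5222
];
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
// Either the well-known binary name or the product name from version info; renamed clients keep the latter
| where InitiatingProcessFileName =~ "client32.exe"
     or InitiatingProcessVersionInfoProductName has "NetSupport"
| where RemoteIPType == "Public"             // on-premises gateways never leave the network
// Drop approved gateway traffic (exact IP:port), keep everything else
| join kind=leftanti approved_gateways on $left.RemoteIP == $right.ip and $left.RemotePort == $right.port
| join kind=leftouter threatfox_c2 on $left.RemoteIP == $right.ip
| extend Severity = case(
      RemotePort == port, "High - ThreatFox IOC match",
      isnotempty(ip),     "High - ThreatFox IP on other port",
                          "Medium - NetSupport client to unapproved public host")
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Connections = count(),
            Accounts = make_set(InitiatingProcessAccountName),
            Paths = make_set(InitiatingProcessFolderPath)
          by DeviceName, RemoteIP, RemotePort, Severity
| order by Severity asc, LastSeen desc
```

The leftanti join is the only exclusion in the query, and it is keyed on the full IP:port pair of the approved gateways, so none of the account, device-type or path-substring exclusions from the scenarios above are needed. The Paths column is a quick sanity check: a NetSupport client launched from a user profile or a temp directory rather than the deployment's install path is the usual sign of a dropped RAT rather than the IT-managed install.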