The detection identifies potential NetSupportManager RAT activity through known IOCs, indicating an adversary may be establishing remote control over compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats leveraging this RAT before significant data exfiltration or system compromise occurs.
IOC Summary
Malware Family: NetSupportManager RAT
Total IOCs: 10
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 176[.]82[.]208[.]175:6001 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 119[.]195[.]171[.]133:6001 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 176[.]82[.]214[.]8:6001 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 80[.]31[.]136[.]21:5405 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 209[.]222[.]212[.]22:443 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 199[.]36[.]81[.]52:5405 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 27[.]223[.]110[.]182:31443 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 187[.]156[.]127[.]232:443 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 91[.]241[.]5[.]44:5444 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 74[.]206[.]105[.]130:8526 | botnet_cc | 2026-05-24 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - NetSupportManager RAT
let malicious_ips = dynamic(["209.222.212.22", "91.241.5.44", "176.82.208.175", "74.206.105.130", "176.82.214.8", "119.195.171.133", "199.36.81.52", "27.223.110.182", "80.31.136.21", "187.156.127.232"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["209.222.212.22", "91.241.5.44", "176.82.208.175", "74.206.105.130", "176.82.214.8", "119.195.171.133", "199.36.81.52", "27.223.110.182", "80.31.136.21", "187.156.127.232"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
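The queries above match on IP alone, while the published indicators are ip:port pairs. The following Python helper, added here and not part of the original report, refangs the bracket-defanged table entries, distinguishes an exact ip:port hit from an IP-only hit when run over constructed DeviceNetworkEvents-style records, and emits a KQL `datatable` literal that can be joined on both columns; the `ws01`..`ws03` hosts and the `ioc_pairs` name are assumptions.

```python
import re

# IOCs from the table above, kept bracket-defanged exactly as published
DEFANGED_IOCS = [
    "176[.]82[.]208[.]175:6001", "119[.]195[.]171[.]133:6001", "176[.]82[.]214[.]8:6001",
    "80[.]31[.]136[.]21:5405", "209[.]222[.]212[.]22:443", "199[.]36[.]81[.]52:5405",
    "27[.]223[.]110[.]182:31443", "187[.]156[.]127[.]232:443", "91[.]241[.]5[.]44:5444",
    "74[.]206[.]105[.]130:8526",
]
IOC_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

def refang(ioc: str) -> str:
    """Turn '1[.]2[.]3[.]4:443' back into '1.2.3.4:443'."""
    return ioc.strip().replace("[.]", ".")

def parse_iocs(iocs):
    """Return a set of (ip, port) tuples; reject anything that is not ip:port."""
    pairs = set()
    for raw in iocs:
        m = IOC_RE.match(refang(raw))
        if not m:
            raise ValueError(f"not an ip:port indicator: {raw!r}")
        pairs.add((m.group(1), int(m.group(2))))
    return pairs

def classify(remote_ip, remote_port, pairs):
    """'exact' when ip:port is a published pair, 'ip_only' when just the IP matches."""
    if (remote_ip, remote_port) in pairs:
        return "exact"
    if any(ip == remote_ip for ip, _ in pairs):
        return "ip_only"
    return None

def to_kql_datatable(pairs):
    """KQL literal usable as: DeviceNetworkEvents | join kind=inner ioc_pairs on RemoteIP, RemotePort"""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in sorted(pairs))
    return f"let ioc_pairs = datatable(RemoteIP:string, RemotePort:int)[{rows}];"

# Constructed DeviceNetworkEvents-style records (hypothetical hosts, not real telemetry)
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "209.222.212.22", "RemotePort": 443},
    {"DeviceName": "ws02", "RemoteIP": "91.241.5.44", "RemotePort": 80},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 6001},
]

def hunt(events, pairs):
    """Return (DeviceName, RemoteIP, RemotePort, verdict) for each event that hits an IOC."""
    scored = ((e, classify(e["RemoteIP"], e["RemotePort"], pairs)) for e in events)
    return [(e["DeviceName"], e["RemoteIP"], e["RemotePort"], v) for e, v in scored if v]
```

An `ip_only` verdict is worth triaging against the false-positive scenarios below before escalation; an `exact` verdict on a non-standard port such as 6001 or 31443 is the stronger signal.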
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate use of NetSupportManager for remote IT support | Check for the presence of known NetSupportManager binaries (e.g., netsupport.exe) and filter out traffic originating from IT helpdesk IP ranges or from user accounts with "IT Support" in their username. |
| Scheduled system maintenance or patching using PowerShell scripts | Exclude PowerShell scripts that match known maintenance scripts (e.g., Update-Script.ps1) and filter out activity during scheduled maintenance windows (e.g., 2:00 AM - 3:00 AM). |
| Administrative task involving a remote desktop (RDP) connection to a server | Filter out RDP sessions that originate from internal IP ranges and are associated with known admin accounts (e.g., admin, svc_account), and exclude traffic that matches the known RDP port (3389) and protocol patterns. |
| Use of a third-party remote monitoring and management (RMM) tool such as Kaseya or ConnectWise | Exclude traffic associated with known RMM tools (e.g., kaseya.exe, connectwise.exe) and filter out connections to internal RMM management servers. |
| Legitimate software deployment using a package manager such as SCCM or Chocolatey | Exclude package installation events that match known deployment tools (e.g., setup.exe, choco.exe) and filter out activity from known deployment servers or user groups (e.g., DeploymentAdmins). |