The detection identifies potential NetSupportManager RAT activity through known IOCs, indicating an adversary may be establishing remote control over victim systems. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging this RAT in their Azure Sentinel environment.
IOC Summary
- Malware Family: NetSupportManager RAT
- Total IOCs: 12
- IOC Types: domain, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | node54group.com | botnet_cc | 2026-06-20 | 100% |
| domain | node66group.pro | botnet_cc | 2026-06-20 | 100% |
| url | hxxp://google2oauth.com/google.txt | payload_delivery | 2026-06-20 | 100% |
| domain | google2oauth.com | payload_delivery | 2026-06-20 | 100% |
| ip:port | 172[.]93[.]185[.]254:80 | payload_delivery | 2026-06-20 | 100% |
| url | hxxps://beroniw.com/hwkOP5 | payload_delivery | 2026-06-19 | 100% |
| url | hxxp://91[.]92[.]34[.]228/test22.txt | payload_delivery | 2026-06-19 | 100% |
| domain | golviewcheckus.com | payload_delivery | 2026-06-19 | 100% |
| domain | tiqwtkmma.com | botnet_cc | 2026-06-19 | 100% |
| domain | zbxcgtqt.com | botnet_cc | 2026-06-19 | 100% |
| domain | beroniw.com | payload_delivery | 2026-06-19 | 100% |
| ip:port | 91[.]92[.]34[.]228:80 | payload_delivery | 2026-06-19 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - NetSupportManager RAT
let malicious_ips = dynamic(["91.92.34.228", "172.93.185.254"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["91.92.34.228", "172.93.185.254"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - NetSupportManager RAT
let malicious_domains = dynamic(["node54group.com", "node66group.pro", "google2oauth.com", "golviewcheckus.com", "tiqwtkmma.com", "zbxcgtqt.com", "beroniw.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - NetSupportManager RAT
let malicious_urls = dynamic(["http://google2oauth.com/google.txt", "https://beroniw.com/hwkOP5", "http://91.92.34.228/test22.txt"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
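The `let` lists in the queries above were produced by hand from the defanged IOC table. The following Python script, added here as an example and not part of the original page, automates that step: it refangs the `hxxp://` and `[.]` notation, routes URL hosts into the IP or domain list as appropriate, drops ports from `ip:port` entries, and emits the three KQL `let` statements. The `IOC_ROWS` input is constructed from the table on this page.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows copied from the IOC table above: (type, defanged value)
IOC_ROWS = [
    ("domain", "node54group.com"),
    ("domain", "node66group.pro"),
    ("url", "hxxp://google2oauth.com/google.txt"),
    ("domain", "google2oauth.com"),
    ("ip:port", "172[.]93[.]185[.]254:80"),
    ("url", "hxxps://beroniw.com/hwkOP5"),
    ("url", "hxxp://91[.]92[.]34[.]228/test22.txt"),
    ("domain", "golviewcheckus.com"),
    ("domain", "tiqwtkmma.com"),
    ("domain", "zbxcgtqt.com"),
    ("domain", "beroniw.com"),
    ("ip:port", "91[.]92[.]34[.]228:80"),
]

def refang(value: str) -> str:
    """Undo common defanging so the value matches what telemetry actually logs."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)

def group_iocs(rows):
    """Return sorted, de-duplicated IPs, domains and URLs ready for KQL lists.
    A URL's host is itself an indicator, so it is added to the IP or domain list."""
    ips, domains, urls = set(), set(), set()
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ips.add(value.rsplit(":", 1)[0])   # drop the port; queries match on IP
        elif ioc_type == "domain":
            domains.add(value.lower())
        elif ioc_type == "url":
            urls.add(value)
            host = (urlparse(value).hostname or "").lower()
            (ips if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else domains).add(host)
    return sorted(ips), sorted(domains), sorted(urls)

def kql_let(name: str, values) -> str:
    # Render a KQL `let name = dynamic([...]);` statement
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"

def build_lets(rows) -> str:
    ips, domains, urls = group_iocs(rows)
    return "\n".join([kql_let("malicious_ips", ips),
                      kql_let("malicious_domains", domains),
                      kql_let("malicious_urls", urls)])
```

Paste the output of `build_lets(IOC_ROWS)` at the top of the hunting queries whenever the ThreatFox feed is refreshed.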
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job for NetSupportManager remote support tool | `process.name != "NetSupportManager.exe" OR process.parent.name == "TaskScheduler.exe"` |
| Admin using NetSupportManager for remote desktop support | `process.name == "NetSupportManager.exe" AND (process.parent.name == "explorer.exe" OR process.parent.name == "RemoteDesktop.exe")` |
| System update or patching process using a tool with similar IOCs | `file.hash in ("known-good-hash-for-update.exe") OR process.name == "WindowsUpdate.exe"` |
| False positive from a third-party tool that shares similar network IOCs | `process.name != "ThirdPartyTool.exe" OR network.destination != "malicious-domain.com"` |
| Legitimate network monitoring tool using NetSupportManager API | `process.name == "NetworkMonitor.exe" AND network.destination == "internal-monitoring-server.com"` |