The detection identifies potential NetSupportManager RAT activity through known IOCs, indicating an adversary may be establishing remote control over compromised systems. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging this RAT in their Azure Sentinel environment.
IOC Summary
Malware Family: NetSupportManager RAT Total IOCs: 7 IOC Types: domain, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://beroniw.com/hwkOP5 | payload_delivery | 2026-06-19 | 100% |
| url | hxxp://91[.]92[.]34[.]228/test22.txt | payload_delivery | 2026-06-19 | 100% |
| domain | golviewcheckus.com | payload_delivery | 2026-06-19 | 100% |
| domain | tiqwtkmma.com | botnet_cc | 2026-06-19 | 100% |
| domain | zbxcgtqt.com | botnet_cc | 2026-06-19 | 100% |
| domain | beroniw.com | payload_delivery | 2026-06-19 | 100% |
| ip:port | 91[.]92[.]34[.]228:80 | payload_delivery | 2026-06-19 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - NetSupportManager RAT
let malicious_ips = dynamic(["91.92.34.228"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["91.92.34.228"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - NetSupportManager RAT
let malicious_domains = dynamic(["golviewcheckus.com", "tiqwtkmma.com", "zbxcgtqt.com", "beroniw.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - NetSupportManager RAT
let malicious_urls = dynamic(["https://beroniw.com/hwkOP5", "http://91.92.34.228/test22.txt"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate NetSupportManager Remote Support Tool Usage
Description: IT administrators use the legitimate NetSupportManager tool for remote desktop support.
Filter/Exclusion: process.name != "NetSupportManager.exe" OR process.parent.name == "explorer.exe" OR process.user == "IT_Admin"
Scenario: Scheduled Maintenance Job Using NetSupportManager
Description: A scheduled task runs NetSupportManager to perform routine system checks or remote maintenance.
Filter/Exclusion: process.name == "NetSupportManager.exe" AND process.parent.name == "schtasks.exe" AND process.user == "Maintenance_User"
Scenario: Admin Task to Push Updates via NetSupportManager
Description: System administrators use NetSupportManager to push software updates to endpoint devices.
Filter/Exclusion: process.name == "NetSupportManager.exe" AND process.parent.name == "taskhost.exe" AND process.user == "Admin_User"
Scenario: Network Monitoring Tool Generating Similar IOCs
Description: A network monitoring tool (e.g., PRTG, SolarWinds) generates IOCs that match the NetSupportManager RAT signature.
Filter/Exclusion: process.name != "NetSupportManager.exe" OR process.parent.name == "SolarWinds.exe" OR process.name == "PRTG.exe"
Scenario: False Positive from Third-Party Software Integration
Description: A third-party software integration (e.g., Microsoft Endpoint Manager, SCCM) includes files or processes that resemble NetSupportManager IOCs.
Filter/Exclusion: process.name != "NetSupportManager.exe" OR process.parent.name == "Microsoft.Endpoint.Manager.exe" OR process.name == "ccmexec.exe"