This detection identifies potential NetSupportManager RAT activity through known network IOCs (command-and-control IP:port pairs and domains), indicating an adversary may be using the tool to establish or maintain remote control over compromised systems. NetSupport Manager is a legitimate commercial remote-administration product whose client is widely abused as a RAT, so the discriminator here is the infrastructure a host talks to, not the mere presence of the binary. SOC teams should hunt for connections to this infrastructure in Microsoft Sentinel (formerly Azure Sentinel) and treat any hit as an early sign of hands-on-keyboard access, before data exfiltration or further compromise occurs.
IOC Summary
Malware Family: NetSupportManager RAT
Total IOCs: 9
IOC Types: ip:port, domain
Source: ThreatFox
Confidence: eight IOCs at 99%, one (94[.]23[.]185[.]83:9606) at 75%; treat a hit on the lower-confidence indicator as a lead to corroborate rather than a conviction.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]202[.]233[.]25:4888 | botnet_cc | 2026-05-27 | 99% |
| ip:port | 209[.]99[.]186[.]75:443 | botnet_cc | 2026-05-27 | 99% |
| ip:port | 5[.]252[.]177[.]201:443 | botnet_cc | 2026-05-27 | 99% |
| domain | feersona[.]net | botnet_cc | 2026-05-27 | 99% |
| domain | bryonsad[.]net | botnet_cc | 2026-05-27 | 99% |
| ip:port | 193[.]202[.]84[.]64:581 | botnet_cc | 2026-05-27 | 99% |
| ip:port | 194[.]180[.]191[.]223:443 | botnet_cc | 2026-05-27 | 99% |
| ip:port | 65[.]109[.]104[.]71:443 | botnet_cc | 2026-05-27 | 99% |
| ip:port | 94[.]23[.]185[.]83:9606 | botnet_cc | 2026-05-27 | 75% |
// Hunt for network connections to known malicious IPs (firewall / proxy logs in CEF)
// Source: ThreatFox - NetSupportManager RAT
// The IOCs are ip:port pairs. Match on IP first (several of these hosts sit on shared hosting),
// then flag rows whose destination port also matches so exact C2 hits sort above IP-only hits.
let malicious_ips = dynamic(["65.109.104.71", "5.252.177.201", "91.202.233.25", "94.23.185.83", "209.99.186.75", "194.180.191.223", "193.202.84.64"]);
let malicious_ipports = dynamic(["91.202.233.25:4888", "209.99.186.75:443", "5.252.177.201:443", "193.202.84.64:581", "194.180.191.223:443", "65.109.104.71:443", "94.23.185.83:9606"]);
let malicious_domains = dynamic(["feersona.net", "bryonsad.net"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips) or DestinationHostName has_any (malicious_domains)
| extend ExactIocMatch = strcat(DestinationIP, ":", tostring(DestinationPort)) in (malicious_ipports)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, DestinationHostName, ExactIocMatch, DeviceAction, Activity
| order by ExactIocMatch desc, TimeGenerated desc
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - NetSupportManager RAT
// RemoteUrl carries the resolved hostname, so the domain IOCs can be checked here too; the
// initiating process and account tell you whether the connection came from a NetSupport client.
let malicious_ips = dynamic(["65.109.104.71", "5.252.177.201", "91.202.233.25", "94.23.185.83", "209.99.186.75", "194.180.191.223", "193.202.84.64"]);
let malicious_ipports = dynamic(["91.202.233.25:4888", "209.99.186.75:443", "5.252.177.201:443", "193.202.84.64:581", "194.180.191.223:443", "65.109.104.71:443", "94.23.185.83:9606"]);
let malicious_domains = dynamic(["feersona.net", "bryonsad.net"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips) or RemoteUrl has_any (malicious_domains)
| extend ExactIocMatch = strcat(RemoteIP, ":", tostring(RemotePort)) in (malicious_ipports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, ExactIocMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by ExactIocMatch desc, Timestamp desc
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - NetSupportManager RAT
// has_any treats each domain as a term sequence, so subdomains such as x.feersona.net match as well.
// Lower-casing and trimming the trailing dot keeps the comparison stable across resolvers.
let malicious_domains = dynamic(["feersona.net", "bryonsad.net"]);
DnsEvents
| extend QueriedName = tolower(trim_end(@"\.", Name))
| where QueriedName has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, QueriedName, IPAddresses, QueryType, SubType, Result
| order by TimeGenerated desc
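The same hunts, re-implemented offline as an added example (this is not code from the original page or from ThreatFox) for analysts who hold an exported CEF firewall feed or a DNS query log rather than a Sentinel workspace. It applies the port-aware matching the ip:port IOCs allow and the subdomain-but-not-suffix domain matching discussed above. The IOC values are the ones in the table; the CEF lines, hostnames and vendor strings are constructed samples.

```python
"""Offline re-implementation of the network and DNS hunts above.
Added example, not part of the original page or of ThreatFox. IOC values are the
ones in the table; log lines, hostnames and vendor strings are constructed samples.
"""
import ipaddress
import re

# IOC table as published (defanged): (type, value).
IOC_ROWS = [
    ("ip:port", "91[.]202[.]233[.]25:4888"),
    ("ip:port", "209[.]99[.]186[.]75:443"),
    ("ip:port", "5[.]252[.]177[.]201:443"),
    ("domain", "feersona[.]net"),
    ("domain", "bryonsad[.]net"),
    ("ip:port", "193[.]202[.]84[.]64:581"),
    ("ip:port", "194[.]180[.]191[.]223:443"),
    ("ip:port", "65[.]109[.]104[.]71:443"),
    ("ip:port", "94[.]23[.]185[.]83:9606"),
]


def refang(value: str) -> str:
    """Undo the usual defanging so the value compares against live log fields."""
    return value.replace("[.]", ".")


def load_iocs(rows):
    """Split IOC rows into exact (ip, port) pairs, bare IPs and lower-cased domains."""
    ipports, ips, domains = set(), set(), set()
    for kind, raw in rows:
        value = refang(raw)
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            ipaddress.ip_address(ip)  # raises on a malformed address in the feed
            ipports.add((ip, int(port)))
            ips.add(ip)
        elif kind == "domain":
            domains.add(value.lower().rstrip("."))
    return ipports, ips, domains


# CEF layout: "CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension"
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line: str) -> dict:
    """Return the CEF header fields of interest plus the key=value extension pairs."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    fields = {"Vendor": parts[1], "Product": parts[2], "Activity": parts[5]}
    fields.update(_EXT_RE.findall(parts[7]))
    return fields


def classify_connection(src, dst, dport, ipports, ips):
    """'exact' for an ip:port hit, 'ip-only' for the IP on another port (or as source), else None."""
    if (dst, dport) in ipports:
        return "exact"
    if dst in ips or src in ips:
        return "ip-only"
    return None


def matching_domain(name, domains):
    """Exact or subdomain match; unlike KQL has_any, 'feersona.net.example.com' is not a hit."""
    n = name.lower().rstrip(".")
    for d in domains:
        if n == d or n.endswith("." + d):
            return d
    return None


def hunt(cef_lines, dns_queries, rows=IOC_ROWS):
    """Run both hunts; exact ip:port hits sort first, as in the KQL above."""
    ipports, ips, domains = load_iocs(rows)
    findings = []
    for line in cef_lines:
        f = parse_cef(line)
        dport = int(f.get("dpt", 0))
        kind = classify_connection(f.get("src"), f.get("dst"), dport, ipports, ips)
        if kind:
            findings.append({"source": "cef", "match": kind, "src": f.get("src"),
                             "dst": f.get("dst"), "dpt": dport, "act": f.get("act")})
    for computer, name in dns_queries:
        ioc = matching_domain(name, domains)
        if ioc:
            findings.append({"source": "dns", "match": "domain", "computer": computer,
                             "name": name, "ioc": ioc})
    return sorted(findings, key=lambda r: r["match"] != "exact")


# Constructed samples: one exact C2 hit, one IP-only hit, one benign flow;
# then two DNS hits (one via subdomain with trailing dot) and two non-hits.
SAMPLE_CEF = [
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|TRAFFIC|3|src=10.0.0.5 dst=91.202.233.25 spt=51234 dpt=4888 act=allow proto=tcp",
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|TRAFFIC|3|src=10.0.0.9 dst=65.109.104.71 spt=51235 dpt=80 act=allow proto=tcp",
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|TRAFFIC|3|src=10.0.0.9 dst=8.8.8.8 spt=51236 dpt=53 act=allow proto=udp",
]
SAMPLE_DNS = [
    ("WS-042", "feersona.net"),
    ("WS-042", "cdn.bryonsad.net."),
    ("WS-017", "feersona.net.example.com"),
    ("WS-017", "time.windows.com"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_CEF, SAMPLE_DNS):
        print(finding)
```

Run it as a script to see the four findings in priority order; swap in your own exported lines for the sample lists. The `ip-only` class exists because several of these addresses are on shared hosting, so a connection on an unlisted port is worth a look but is not the same evidence as the listed C2 port.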
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) via AMA connector from firewalls and proxies. Ensure it is enabled and that devices forward allowed as well as denied connections; a blocked C2 attempt is still a hunt lead. |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector with endpoint raw events selected. Ensure it is enabled; hosts without the Defender for Endpoint sensor will not appear here. |
| DnsEvents | Populated by the Windows DNS Events connector on internal DNS servers. Ensure it is enabled; clients that resolve through other resolvers (or DNS over HTTPS) will not appear here, so corroborate with RemoteUrl in DeviceNetworkEvents. |
False Positive Scenarios
Note: the scenarios below concern legitimate use of the NetSupport Manager tool itself. They justify exclusions in process- or tool-based detections (for example, hunts over DeviceProcessEvents for the NetSupport client), not in the IOC matches above. A licensed deployment connects to the organisation's own NetSupport gateway, not to ThreatFox-listed command-and-control infrastructure, so an IOC hit should be investigated even on a host where the tool is approved.

Scenario: Legitimate NetSupportManager Remote Support Tool Usage
Description: IT administrators use the NetSupportManager tool for legitimate remote desktop support and system management.
Filter/Exclusion: Exclude processes where the parent process is a known IT management tool (e.g., Remote Desktop Services, Microsoft Endpoint Manager) or the NetSupport client itself (client32.exe), and only where the client configuration points at the organisation's approved gateway address.

Scenario: Scheduled Maintenance Job Using NetSupportManager
Description: A scheduled job runs NetSupportManager to perform routine system checks or updates.
Filter/Exclusion: Exclude processes initiated by a known scheduled task (e.g., Task Scheduler or taskhostw.exe) with a known maintenance script name; exclude by task name and script path, not by the launcher alone, since scheduled tasks are also a common persistence mechanism for the RAT.

Scenario: Admin Task to Deploy Software via NetSupportManager
Description: System administrators use NetSupportManager to deploy software updates or patches to endpoints.
Filter/Exclusion: Exclude processes where the command line includes known deployment scripts or paths to enterprise software repositories.

Scenario: NetSupportManager Used for Remote Training or Support
Description: IT staff use NetSupportManager to conduct remote training sessions or support end-users.
Filter/Exclusion: Exclude sessions initiated by known admin or IT staff accounts from their managed workstations, provided the session is logged or monitored by the enterprise security team. Do not exclude on account name alone, as administrative accounts are frequently the ones compromised.

Scenario: NetSupportManager Used for Inventory or Asset Management
Description: The tool is used to collect hardware and software inventory data across the network.
Filter/Exclusion: Exclude processes where the command line includes known inventory collection scripts or paths to enterprise inventory systems.