This detection identifies potential NetSupportManager RAT activity through known IOCs (command-and-control domains and payload-delivery URLs), indicating an adversary may be establishing remote control over victim systems. NetSupport Manager is a legitimate remote-administration product that is routinely abused as a RAT, so the signal here is contact with the infrastructure listed below, not the mere presence of the software. SOC teams should proactively hunt for this activity in Azure Sentinel (now Microsoft Sentinel) to detect and contain intrusions leveraging this RAT before data exfiltration or wider system compromise occurs.
IOC Summary
Malware Family: NetSupportManager RAT
Total IOCs: 15
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | alfacoockie.com | botnet_cc | 2026-04-18 | 100% |
| domain | storiealf.com | botnet_cc | 2026-04-18 | 100% |
| domain | noviqerax.com | botnet_cc | 2026-04-18 | 100% |
| domain | klyvareno.com | botnet_cc | 2026-04-18 | 100% |
| domain | praxivono.com | botnet_cc | 2026-04-18 | 100% |
| domain | dravonixu.com | botnet_cc | 2026-04-18 | 100% |
| domain | ostlomtophamchese.com | botnet_cc | 2026-04-18 | 100% |
| domain | lomtophamchese.com | botnet_cc | 2026-04-18 | 100% |
| domain | yellowbricksj.com | botnet_cc | 2026-04-18 | 100% |
| domain | yellowbricksj.net | botnet_cc | 2026-04-18 | 100% |
| domain | kislosflfkcjdj.com | botnet_cc | 2026-04-18 | 100% |
| domain | losuinisots.com | botnet_cc | 2026-04-18 | 100% |
| url | hxxps://xrplnode.dev/xrpl.php | payload_delivery | 2026-04-18 | 100% |
| url | hxxps://xrplnode.dev/install | payload_delivery | 2026-04-18 | 100% |
| domain | xrplnode.dev | payload_delivery | 2026-04-18 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - NetSupportManager RAT
// has_any is term-based, so a query for a subdomain such as cdn.xrplnode.dev
// also matches; use "Name in~ (malicious_domains)" instead for exact-name matching.
let malicious_domains = dynamic(["alfacoockie.com", "storiealf.com", "noviqerax.com", "klyvareno.com", "praxivono.com", "dravonixu.com", "ostlomtophamchese.com", "lomtophamchese.com", "yellowbricksj.com", "yellowbricksj.net", "kislosflfkcjdj.com", "losuinisots.com", "xrplnode.dev"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - NetSupportManager RAT
// The IOC table lists these URLs defanged (hxxps://); they must be refanged here.
// Term-based matching tolerates a trailing query string, but the scheme in the
// clicked URL must match (an http:// click on the same path will not be caught).
let malicious_urls = dynamic(["https://xrplnode.dev/xrpl.php", "https://xrplnode.dev/install"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
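The two queries above assume a workspace with the right connectors; the script below, added here as an example and not part of the original hunting page or the ThreatFox feed, reproduces their matching logic offline so the rules can be tested against a handful of constructed log records. It refangs the defanged URLs from the IOC table, matches DNS query names on a label boundary (so cdn.xrplnode.dev is a hit but notalfacoockie.com is not), and compares clicked URLs on host and path while ignoring scheme and query string. The sample DnsEvents and UrlClickEvents rows, host names and user principal names are all made up for the example.

```python
"""Offline check of the NetSupportManager RAT IOC list against constructed log records.

Added example: mirrors the two KQL hunting queries, with the matching rules made
explicit so they can be unit-tested. Sample events below are constructed, not real telemetry.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Domain IOCs from the summary table.
IOC_DOMAINS = {
    "alfacoockie.com", "storiealf.com", "noviqerax.com", "klyvareno.com",
    "praxivono.com", "dravonixu.com", "ostlomtophamchese.com",
    "lomtophamchese.com", "yellowbricksj.com", "yellowbricksj.net",
    "kislosflfkcjdj.com", "losuinisots.com", "xrplnode.dev",
}
# URL IOCs exactly as the table lists them (defanged), refanged before use.
IOC_URLS_DEFANGED = {
    "hxxps://xrplnode.dev/xrpl.php",
    "hxxps://xrplnode.dev/install",
}


def refang(url: str) -> str:
    """Turn a defanged IOC (hxxp(s)://, [.], (.)) back into a real URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}


def domain_matches(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    A plain substring test would also flag 'notalfacoockie.com'; checking on a
    label boundary avoids that while still catching 'cdn.xrplnode.dev'.
    """
    name = name.rstrip(".").lower()  # DNS logs may carry a trailing root dot
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def _host_path(url: str):
    parts = urlsplit(url.strip())
    return parts.netloc.lower(), (parts.path.rstrip("/") or "/")


def url_matches(url: str) -> Optional[str]:
    """Match a clicked URL against the IOC URLs on host and path only.

    Scheme, query string and fragment are ignored, so both
    'http://xrplnode.dev/xrpl.php' and 'https://xrplnode.dev/install?ref=x' match.
    The host is compared exactly; subdomain logic lives in domain_matches().
    """
    try:
        key = _host_path(url)
    except ValueError:
        return None
    for ioc in IOC_URLS:
        if key == _host_path(ioc):
            return ioc
    return None


def hunt(dns_events, url_click_events):
    """Return (dns_hits, url_hits), each newest first, like the KQL queries."""
    dns_hits = [{**e, "MatchedIoc": m} for e in dns_events if (m := domain_matches(e["Name"]))]
    url_hits = [{**e, "MatchedIoc": m} for e in url_click_events if (m := url_matches(e["Url"]))]
    dns_hits.sort(key=lambda e: e["TimeGenerated"], reverse=True)
    url_hits.sort(key=lambda e: e["Timestamp"], reverse=True)
    return dns_hits, url_hits


# Constructed sample rows shaped like DnsEvents and UrlClickEvents (hypothetical hosts/users).
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-04-18T09:12:01Z", "Computer": "WS-0142", "Name": "cdn.xrplnode.dev", "QueryType": 1},
    {"TimeGenerated": "2026-04-18T09:12:05Z", "Computer": "WS-0142", "Name": "notalfacoockie.com", "QueryType": 1},
    {"TimeGenerated": "2026-04-18T09:15:40Z", "Computer": "SRV-DB01", "Name": "yellowbricksj.net.", "QueryType": 1},
    {"TimeGenerated": "2026-04-18T09:16:00Z", "Computer": "WS-0203", "Name": "login.microsoftonline.com", "QueryType": 1},
]
SAMPLE_URL_CLICK_EVENTS = [
    {"Timestamp": "2026-04-18T08:59:13Z", "AccountUpn": "a.user@example.com", "Url": "https://xrplnode.dev/install?ref=mail", "ActionType": "ClickAllowed", "IsClickedThrough": False},
    {"Timestamp": "2026-04-18T09:01:00Z", "AccountUpn": "b.user@example.com", "Url": "https://xrplnode.dev/", "ActionType": "ClickAllowed", "IsClickedThrough": False},
    {"Timestamp": "2026-04-18T09:03:30Z", "AccountUpn": "c.user@example.com", "Url": "http://xrplnode.dev/xrpl.php", "ActionType": "ClickBlocked", "IsClickedThrough": True},
]

if __name__ == "__main__":
    dns_hits, url_hits = hunt(SAMPLE_DNS_EVENTS, SAMPLE_URL_CLICK_EVENTS)
    for h in dns_hits:
        print("DNS ", h["TimeGenerated"], h["Computer"], h["Name"], "->", h["MatchedIoc"])
    for h in url_hits:
        print("URL ", h["Timestamp"], h["AccountUpn"], h["Url"], "->", h["MatchedIoc"])
```

Note that the URL rule here is deliberately looser than the KQL `has_any` match, which would miss the http:// click and require the literal scheme; if that looseness is wanted in Sentinel, match on the host and path terms rather than the full URL string.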
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled. Populated by the DNS Analytics solution from Windows DNS server logs; if clients resolve through another resolver, those queries will not appear here. |
| UrlClickEvents | Ensure this data connector is enabled. Contains Safe Links click telemetry from Microsoft Defender for Office 365 (ingested via the Microsoft 365 Defender connector); it covers clicks on Safe Links-wrapped URLs only, not general web traffic. |
False-positive tuning: the exclusions below apply to process telemetry for sanctioned NetSupport Manager deployments. They should not be used to suppress hits on the DNS and URL IOCs above, since a legitimate installation has no reason to contact that infrastructure. Field names and string values are illustrative and must be adapted to the local schema and to the actual binary name, path and accounts used in the environment.
Scenario: Legitimate scheduled job for NetSupportManager maintenance
Filter/Exclusion: process.parent_process_name:"Task Scheduler" or process.command_line:"net support manager maintenance"
Scenario: Admin using NetSupportManager for remote desktop support
Filter/Exclusion: (process.user:"admin_user" and process.file_name:"net support manager.exe") or process.command_line:"net support manager remote desktop" (excluding an account outright is too broad; scope the exclusion to the tool's binary)
Scenario: System update or patching process using NetSupportManager
Filter/Exclusion: process.file_name:"net support manager.exe" and (process.command_line:"update" or process.command_line:"patch")
Scenario: Legitimate file transfer using NetSupportManager for IT support
Filter/Exclusion: process.command_line:"net support manager transfer" or (process.file_name:"net support manager.exe" and process.parent_process_name:"Windows Explorer")
Scenario: NetSupportManager used for software deployment across the network
Filter/Exclusion: process.command_line:"net support manager deploy" or process.parent_process_name:"Group Policy Client"