The detection identifies potential NetSupportManager RAT activity through known IOCs, indicating an adversary may be establishing remote control over compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats leveraging this RAT before significant data exfiltration or system compromise occurs.
IOC Summary
Malware Family: NetSupportManager RAT
Total IOCs: 2
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]238[.]15[.]96:9443 | botnet_cc | 2026-06-04 | 75% |
| domain | msedgewebview7.com | botnet_cc | 2026-06-04 | 100% |
Hunting Queries
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - NetSupportManager RAT
// The ThreatFox indicator is 172.238.15.96:9443; this query matches the IP on any
// port and projects DestinationPort so the analyst can confirm the 9443 match.
let malicious_ips = dynamic(["172.238.15.96"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Same IP indicator; RemotePort is projected for the same reason as above.
let malicious_ips = dynamic(["172.238.15.96"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - NetSupportManager RAT
let malicious_domains = dynamic(["msedgewebview7.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
Required Data Connectors
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios
Scenario: Legitimate scheduled maintenance task using NetSupportManager
Description: A system administrator schedules a maintenance task using NetSupportManager to remotely manage endpoint systems.
Filter/Exclusion: Exclude processes initiated by the system account (NT AUTHORITY\SYSTEM) or those matching the known legitimate NetSupportManager service name (netsupportservice.exe).
Scenario: Regular software update using NetSupportManager
Description: A company uses NetSupportManager to push software updates to endpoints as part of its standard IT operations.
Filter/Exclusion: Exclude processes that occur during known update windows and are associated with the company’s internal update server or known update packages.
Scenario: Admin task to monitor remote desktop sessions
Description: An admin uses NetSupportManager to monitor active RDP sessions for troubleshooting or security audits.
Filter/Exclusion: Exclude processes that originate from the admin’s workstation and are associated with the Remote Desktop Services or mstsc.exe processes.
Scenario: Legitimate use of NetSupportManager for remote support
Description: IT support staff use NetSupportManager to provide remote assistance to end-users.
Filter/Exclusion: Exclude processes initiated from known support IP ranges or user accounts with the “IT Support” role in Active Directory.
Scenario: False positive from a third-party tool with similar IOCs
Description: A third-party security tool or endpoint protection software includes IOCs that match those of NetSupportManager RAT, leading to false positives.
Filter/Exclusion: Exclude processes that are digitally signed by the third-party vendor or match known benign tool hashes from the vendor’s database.
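As an added example (not part of the original hunt content), the following query consolidates the three hunts above into one result set: it matches the full ip:port indicator rather than the IP alone, pulls in the domain indicator, and applies the SYSTEM-account/netsupportservice.exe exclusion from the first false-positive scenario. It assumes the standard Sentinel and Defender for Endpoint column names (including InitiatingProcessAccountName) and that the three tables are populated.

```kql
// Added example: one hunt across CommonSecurityLog, DeviceNetworkEvents and DnsEvents
// for the two ThreatFox NetSupportManager RAT indicators, with the page's allowlist applied.
let ioc_ips = dynamic(["172.238.15.96"]);          // IP part of the ip:port indicator
let ioc_ports = dynamic([9443]);                    // port part of the ip:port indicator
let ioc_domains = dynamic(["msedgewebview7.com"]);  // domain indicator
// Allowlist from the false-positive scenarios: the known service binary running as SYSTEM.
// Adjust to the environment; an IP match from any other process is still a hit.
let allowlisted_processes = dynamic(["netsupportservice.exe"]);
let fw_hits = CommonSecurityLog
    | where DestinationIP in (ioc_ips)
    // "ip:port" when the destination port also matches, "ip_only" otherwise
    | extend IndicatorType = iff(DestinationPort in (ioc_ports), "ip:port", "ip_only")
    | project TimeGenerated, Host = SourceIP,
              Indicator = strcat(DestinationIP, ":", tostring(DestinationPort)),
              IndicatorType, Process = "";
let endpoint_hits = DeviceNetworkEvents
    | where RemoteIP in (ioc_ips)
    | extend IndicatorType = iff(RemotePort in (ioc_ports), "ip:port", "ip_only")
    // Drop only the documented benign combination: allowlisted binary AND SYSTEM account
    | where not(InitiatingProcessFileName in~ (allowlisted_processes)
                and InitiatingProcessAccountName =~ "SYSTEM")
    | project TimeGenerated = Timestamp, Host = DeviceName,
              Indicator = strcat(RemoteIP, ":", tostring(RemotePort)),
              IndicatorType, Process = InitiatingProcessFileName;
let dns_hits = DnsEvents
    | where Name has_any (ioc_domains)
    | project TimeGenerated, Host = Computer, Indicator = Name,
              IndicatorType = "domain", Process = "";
union fw_hits, endpoint_hits, dns_hits
// One row per host / indicator type / process, so the analyst sees scope at a glance
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Indicators = make_set(Indicator)
            by Host, IndicatorType, Process
| order by LastSeen desc
```

Rows with IndicatorType "ip:port" are the exact ThreatFox match; "ip_only" rows show traffic to the same address on another port and are worth a look but carry less confidence.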