The detection rule identifies potential NetWire RC malware activity by monitoring known IOCs associated with this advanced threat, which could indicate initial compromise or command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage attacks before they escalate to data exfiltration or system persistence.
IOC Summary
Malware Family: NetWire RC
Total IOCs: 42
IOC Types: sha256_hash, md5_hash, sha1_hash
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - NetWire RC
// The list mixes SHA-256, SHA-1 and MD5 values, so every hash column of the event is checked against it
let malicious_hashes = dynamic(["aadc96fe85cb6f7089b51457c2bd30ff443262ccd53fbb3ca4529289c70a595f", "a77cb0942631742512c5a015c580ad0c6a6e2afc", "f69859707432442f70c49c2f0678f675", "3c4e06fe06b26cb70c0dabc743b728db50c87151606c421cb809e19b29876fbe", "fcea5aa80c9154c30a2ecf73de6d93c1d3a2436c", "dc993e02dd8b72b4c1d2d31e13811746", "da6dec4baeadb44b654d21d14c27530851ed1c57e71d50c39c16ff3fb730af86", "05b88c149fbce94d91166c7eb92c861f0d269915", "4f19d659d8a775b1a1f77d5263113f23", "e35d943f539f6d61e0d9e5d39f5cc78180accb01a7a42fe7287b2000dadfaf4a", "a0bc24435ea17b686873950175f23cdc31c81df5", "8f45724779f470a3697b39fa6a6be4db", "2f14862545773c034e41f1ece62bc0618cb1396eacfd2bbe2aec9c958689e002", "d48ec01d6c8143a571fae4bbcabb9969fbfa1c84", "2ce7e3f516c80084cda7b9a35809e90b", "dcb74d6c2fe8a0cf6906bab57e48b2cd18b2cecc", "30a9ecc59bc94186d32978e4a9f5bb0d", "2fe27cfc680a6fb118a023caa55bfa39a55d4aecf9e540f65b531874066fec16", "9c48fc643b569e7b37d851c8e3c3a19d1469427a99d405b7f9fdefaa0b40f9b4", "9e7c5644cb14f71db5a5ec9820594ee55e4eb949", "f97369c65ce71afac2ebab1ae5c96e16", "9604fdffe5573bca0dc7e224867e90ffdc0c491e", "db5f9352503f9cd7f1c572d03a64f32d", "691c74f56d546998e51af78a4a55a0b13744b3d4a882b0247da05b59e1e1d6c6", "016b642c77e8ee87b4faf0b0e507e15d", "ed32f554a6e15f3d3112e9b07f21e8fa", "e681fb538d6b064f2bb81ffc552784b264d3888eb18df2ae50fd133b35feb95a", "dbf792049783f13098d6fc6cf14eeb80a1be0caf", "b4e61dcfcf46bbd01ee140b355d738c8", "6bc5bbef79cd96c26cee4702a22eec2b7d49adc7c67b0a76efcc852df2252214", "81c89ddcb7ff90acd948aceaab9aa358fa9674ca", "b274c8c20aa752171b716382707b85f3", "2ee10a4e204a3adbf2102913c95c3cad56199bd75e1c6e194f239a7cf4837e36", "864b9623279497e028ba193b2f52233b1cb6be53", "e176972714a4fd0fe9b299ae8598487c92d9da508de42d042d1ddccb8548a3b5", "d8c611e7d43a0d746530580f3d87d71aebbc446a", "31a28a1e13d0f9cb638cd445f2acb559", "064df4beb9b4ca437a317b6744dc89f985aa37ed", "69952dfc4e13803c1ded01e97e859178", "1de74088c8dc5abbb6f5c8d708d0fa4c396f5474e27eb56a8c5e961464b89c3e",
    "b9b32ae4989254713d181e658f1fadf6725611f6", "5d08aed3131bd6ea086a72aca7084f54ad16cc23f05ed8eded1006cece746270"]);
DeviceFileEvents
// 'in' is case-sensitive; the hash columns hold lowercase hex, matching the list above
// (use 'in~' instead if a future list contains mixed-case values)
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
// Project all three hash columns so the analyst can see which value produced the match
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update using NetWire RC tools
Description: A system administrator is performing a scheduled update using the NetWire RC tool for network configuration.
Filter/Exclusion: Exclude processes initiated by the system update scheduler (e.g., schtasks.exe or task scheduler job names containing “update” or “patch”).

Scenario: Scheduled backup job using NetWire RC for network data
Description: A backup job is configured to use NetWire RC to archive network configuration data.
Filter/Exclusion: Exclude processes associated with backup services (e.g., vss32.exe, wbadmin.exe, or job names containing “backup” or “archive”).

Scenario: Admin task to monitor network traffic with NetWire RC
Description: A network administrator is using NetWire RC to monitor and analyze network traffic for troubleshooting purposes.
Filter/Exclusion: Exclude processes initiated from the administrator’s command line or PowerShell session (e.g., cmd.exe or powershell.exe with user Administrator or NetworkAdmin).

Scenario: NetWire RC used for internal network discovery
Description: A security team is using NetWire RC to perform internal network discovery and mapping for security assessments.
Filter/Exclusion: Exclude processes initiated from security tools like Nmap, Wireshark, or Metasploit, or with user accounts marked as “security” or “audit”.

Scenario: NetWire RC used for legitimate remote management
Description: IT staff are using NetWire RC to remotely manage network devices via a secure administrative console.
Filter/Exclusion: Exclude processes originating from known remote management tools (e.g., Remote Desktop Services, TeamViewer, or LogMeIn) or with IP addresses from the internal network.