The ThreatFox: NjRAT IOCs rule detects potential adversary activity associated with the NjRAT malware, a remote access trojan known for its remote-control and command-and-control capabilities, by matching file hashes against the indicators published by ThreatFox. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate persistent, stealthy threats that could exfiltrate data or execute arbitrary code.
IOC Summary
Malware Family: NjRAT
Total IOCs: 6
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 951351f0fb96dbbbd8379548ad1767bc | payload | 2026-06-17 | 95% |
| sha256_hash | 40c9663ae7ffad4448bef4976cc1458253420eddc8b816ea38dbe3df30795301 | payload | 2026-06-17 | 95% |
| sha1_hash | 460a1c90411d7abb2e55b9d437e457b88710a2ee | payload | 2026-06-17 | 95% |
| sha1_hash | 59d60cf70a62d3fdbafacd52f58577501509b6e1 | payload | 2026-06-17 | 95% |
| md5_hash | b04467d5385758b830565e1affd3e7a5 | payload | 2026-06-17 | 95% |
| sha256_hash | d942110faacaa112adf64b854daa1381da74a91f4f5790ca710c9e082fc98151 | payload | 2026-06-17 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - NjRAT
// Note: the KQL `in` operator is case-sensitive. The hash columns in
// DeviceFileEvents are stored in lowercase, so the indicator list is kept lowercase too.
let malicious_hashes = dynamic(["951351f0fb96dbbbd8379548ad1767bc", "40c9663ae7ffad4448bef4976cc1458253420eddc8b816ea38dbe3df30795301", "460a1c90411d7abb2e55b9d437e457b88710a2ee", "59d60cf70a62d3fdbafacd52f58577501509b6e1", "b04467d5385758b830565e1affd3e7a5", "d942110faacaa112adf64b854daa1381da74a91f4f5790ca710c9e082fc98151"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
// Keep all three hash columns so the analyst can see which indicator actually matched
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Known False Positive Scenarios

- Scenario: Legitimate scheduled job using schtasks.exe to run a maintenance script
  Filter/Exclusion: Check for schtasks.exe with a command line containing known maintenance scripts (e.g., C:\Windows\System32\svchost.exe -k NetworkService -p or C:\Windows\System32\cmd.exe /c "C:\Windows\System32\cleanmgr.exe")
- Scenario: Admin using PowerShell to generate a report with Out-GridView
  Filter/Exclusion: Filter for powershell.exe with a -Command parameter containing Out-GridView or Export-Csv, and check for known admin scripts in the user's profile
- Scenario: System update using wuauclt.exe to check for Windows updates
  Filter/Exclusion: Filter for wuauclt.exe with a command line containing /detectnow or /updatenow, and check for the presence of the Windows Update service
- Scenario: Log management tool like Splunk or ELK using logrotate or rsyslog
  Filter/Exclusion: Filter for logrotate.exe or rsyslog with known log rotation commands, and check for the presence of log management tools on the system
- Scenario: Antivirus or endpoint protection tool using msmpeng.exe or mpcmdrun.exe for a scan
  Filter/Exclusion: Filter for mpcmdrun.exe with a command line containing /Scan or /Schedule, and check for the presence of known antivirus products on the system