The ThreatFox: PureRAT IOCs rule detects potential adversary activity associated with the PureRAT malware, which is known for its persistence and command-and-control capabilities. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: PureRAT
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]225[.]135[.]24:56001 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 192[.]163[.]162[.]63:56001 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 144[.]124[.]236[.]93:56001 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 45[.]192[.]211[.]77:56001 | botnet_cc | 2026-06-24 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - PureRAT
// Refanged from the IOC table above; match either direction of the flow
let malicious_ips = dynamic(["45.225.135.24", "144.124.236.93", "192.163.162.63", "45.192.211.77"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Same IOC list; endpoint telemetry only records the remote side of the connection
let malicious_ips = dynamic(["45.225.135.24", "144.124.236.93", "192.163.162.63", "45.192.211.77"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
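As an added example (not part of the ThreatFox rule or the queries above), the helper below refangs the page's defanged `ip:port` IOCs, emits an equivalent DeviceNetworkEvents hunt that matches on address and port together (the queries above match on IP only, so a shared host serving other ports would also fire), and checks a few constructed events offline. Column names follow the query above; the sample events are constructed, not real telemetry.

```python
import re
from typing import List, Tuple

# IOCs exactly as published on the page (defanged ThreatFox ip:port values)
DEFANGED_IOCS = [
    "45[.]225[.]135[.]24:56001",
    "192[.]163[.]162[.]63:56001",
    "144[.]124[.]236[.]93:56001",
    "45[.]192[.]211[.]77:56001",
]

_IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")


def refang(ioc: str) -> Tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' IOC into (ip, port); reject anything else."""
    m = _IOC_RE.match(ioc.strip())
    if not m:
        raise ValueError(f"not a defanged ip:port IOC: {ioc!r}")
    ip = m.group(1).replace("[.]", ".")
    port = int(m.group(2))
    if port > 65535 or any(int(octet) > 255 for octet in ip.split(".")):
        raise ValueError(f"out-of-range address or port: {ioc!r}")
    return ip, port


def to_kql(iocs: List[str]) -> str:
    """Build a DeviceNetworkEvents hunt keyed on 'ip:port' rather than IP alone."""
    pairs = ", ".join(f'"{ip}:{port}"' for ip, port in map(refang, iocs))
    return (
        f"let c2 = dynamic([{pairs}]);\n"
        "DeviceNetworkEvents\n"
        '| extend Remote = strcat(RemoteIP, ":", RemotePort)\n'
        "| where Remote in (c2)\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName\n"
    )


def match_events(events: List[dict], iocs: List[str]) -> List[str]:
    """Offline check: device names whose (RemoteIP, RemotePort) hits an IOC pair."""
    c2 = {refang(i) for i in iocs}
    return [e["DeviceName"] for e in events if (e["RemoteIP"], int(e["RemotePort"])) in c2]


# Constructed sample events (not real telemetry): only WS01 should match
SAMPLE_EVENTS = [
    {"DeviceName": "WS01", "RemoteIP": "45.225.135.24", "RemotePort": 56001},
    {"DeviceName": "WS02", "RemoteIP": "45.225.135.24", "RemotePort": 443},  # same host, other port
    {"DeviceName": "WS03", "RemoteIP": "10.0.0.5", "RemotePort": 56001},
]
```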
Scenario: Legitimate scheduled job using PowerShell for system monitoring
Description: A scheduled task runs a PowerShell script that uses powershell.exe to gather system metrics, which may match the PureRAT IOC for powershell.exe.
Filter/Exclusion: Exclude processes where the command line includes -Command or -File with known monitoring scripts (e.g., Get-EventLog, Get-Process).
Scenario: Admin using Process Explorer to debug a service
Description: An administrator uses procmon.exe (Process Monitor) to debug a service, which may trigger the PureRAT IOC for procmon.exe.
Filter/Exclusion: Exclude processes with procmon.exe where the parent process is a known administrative tool (e.g., taskmgr.exe, explorer.exe).
Scenario: Regular use of certutil.exe for certificate management
Description: A system administrator uses certutil.exe to manage certificates, which may match the PureRAT IOC for certutil.exe.
Filter/Exclusion: Exclude processes where the command line includes certificate management commands (e.g., -addstore, -viewstore).
Scenario: Legitimate use of schtasks.exe to manage scheduled tasks
Description: An administrator uses schtasks.exe to create or modify scheduled tasks, which may match the PureRAT IOC for schtasks.exe.
Filter/Exclusion: Exclude processes where the command line includes valid task management commands (e.g., /create, /delete, /query).
Scenario: Use of wmiquery.exe for system inventory
Description: A system management tool uses wmiquery.exe to gather inventory data, which may match the PureRAT IOC for `wmiquery