The ThreatFox: Quasar RAT IOCs rule detects potential adversary activity involving the Quasar Remote Access Trojan, which is commonly used for persistent, stealthy remote control over compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Quasar RAT for long-term access and data exfiltration.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | wttppq.uk.com | botnet_cc | 2026-04-24 | 75% |
| domain | dynamo.it.com | botnet_cc | 2026-04-24 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Quasar RAT
let malicious_domains = dynamic(["wttppq.uk.com", "dynamo.it.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
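The following is an added example, not part of the ThreatFox page or the Sentinel rule above. It re-implements the hunt's domain match in Python so the logic can be exercised offline against constructed DnsEvents-style records before the KQL is deployed. The two IOC values are the ones in the table on this page; the sample records, host names and IP addresses are constructed. One assumption is made about intent: the match treats a name as a hit when it equals an IOC domain or is a subdomain of it (label-boundary suffix match), which is stricter on right-hand lookalikes such as `wttppq.uk.com.example` than the term-based `has_any` operator in the query.

```python
"""Added example (not the page's or the rule's own code): offline check of the
ThreatFox Quasar RAT domain hunt against constructed DnsEvents-style records."""
from dataclasses import dataclass

# IOC values taken from the IOC table on the page.
MALICIOUS_DOMAINS = ("wttppq.uk.com", "dynamo.it.com")


@dataclass(frozen=True)
class DnsEvent:
    """Subset of the Sentinel DnsEvents columns the query projects."""
    time_generated: str
    computer: str
    name: str
    ip_addresses: str
    query_type: str


def matches_ioc(query_name: str, iocs=MALICIOUS_DOMAINS) -> bool:
    """True when the queried name is an IOC domain or a subdomain of one.

    Comparison is case-insensitive and a trailing dot (FQDN form) is ignored.
    The boundary is enforced on the left with a leading '.', so a right-hand
    lookalike such as 'wttppq.uk.com.example' does not match (assumed intent).
    """
    name = query_name.rstrip(".").lower()
    for ioc in iocs:
        ioc = ioc.lower()
        if name == ioc or name.endswith("." + ioc):
            return True
    return False


def hunt(events):
    """Mirror of the KQL pipeline: filter on Name, project the five columns,
    order newest first. Returns a list of tuples in projection order."""
    hits = [e for e in events if matches_ioc(e.name)]
    hits.sort(key=lambda e: e.time_generated, reverse=True)
    return [(e.time_generated, e.computer, e.name, e.ip_addresses, e.query_type)
            for e in hits]


# Constructed sample telemetry (not real data); ISO-8601 timestamps sort lexically.
SAMPLE_EVENTS = [
    DnsEvent("2026-04-24T08:01:10Z", "WS-0142", "update.microsoft.com", "13.107.4.50", "A"),
    DnsEvent("2026-04-24T08:02:30Z", "WS-0142", "wttppq.uk.com", "203.0.113.7", "A"),
    DnsEvent("2026-04-24T08:03:45Z", "WS-0077", "cdn.DYNAMO.it.com.", "198.51.100.9", "A"),
    DnsEvent("2026-04-24T08:04:00Z", "WS-0077", "wttppq.uk.com.example", "192.0.2.1", "A"),
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

Running the block prints the two hits (the subdomain of `dynamo.it.com` first, then the exact `wttppq.uk.com` query) and skips both the benign lookup and the right-hand lookalike; when tuning the real rule, compare this behaviour with what `has_any` returns on the same names so exclusions are written against the operator actually in production.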
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled task runs a PowerShell script that includes base64 encoded commands, which may resemble Quasar RAT IOCs.
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes -EncodedCommand and the script is known to be part of a legitimate maintenance task (e.g., TaskScheduler or System Maintenance).
Scenario: Admin using Cobalt Strike for red team exercise
Description: A red team exercise uses Cobalt Strike, which may generate network traffic or file artifacts that match Quasar RAT IOCs.
Filter/Exclusion: Exclude processes with cobaltstrike.exe or related payloads, and filter out traffic to known red team infrastructure (e.g., 192.168.1.100 or redteam.example.com).
Scenario: Legitimate use of WinRAR for archive extraction
Description: A user extracts a .zip file using WinRAR, which may include base64 encoded data in the archive, triggering the rule.
Filter/Exclusion: Exclude processes with WinRAR.exe or rar.exe when extracting files from known trusted sources (e.g., internal shared drives or signed archives).
Scenario: System update using Chocolatey package manager
Description: A Chocolatey package installation may include base64 encoded scripts or payloads that match Quasar RAT patterns.
Filter/Exclusion: Exclude processes with choco.exe or chocolateyInstall.ps1 when running updates from trusted repositories (e.g., chocolatey.org or internal package feeds).
Scenario: Legitimate use of PowerShell for log analysis
Description: A script runs PowerShell to analyze system logs, which may include base64 encoded