The ThreatFox: Quasar RAT IOCs rule detects potential remote access trojan activity indicative of adversaries establishing persistence and exfiltrating data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before significant data loss or system compromise occurs.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 4
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | qinerdime.servehalflife.com | botnet_cc | 2026-05-22 | 75% |
| domain | qinerdime.ydns.eu | botnet_cc | 2026-05-22 | 75% |
| ip:port | 47[.]239[.]50[.]7:443 | botnet_cc | 2026-05-22 | 100% |
| domain | iotonton.io | botnet_cc | 2026-05-22 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
let malicious_ips = dynamic(["47.239.50.7"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Quasar RAT
let malicious_ips = dynamic(["47.239.50.7"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Quasar RAT
let malicious_domains = dynamic(["qinerdime.servehalflife.com", "qinerdime.ydns.eu", "iotonton.io"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
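The IOC table above is defanged (`47[.]239[.]50[.]7:443`) while the KQL `let` statements need plain values, and the network hunts match on IP alone even though the feed names a port. The following Python is an added example, not part of the ThreatFox page or the Sentinel rule: it refangs the page's four indicators, splits them into the domain and IP lists used by the queries, emits the `dynamic([...])` literals, and runs an exact-or-subdomain match over constructed sample DNS and connection records (the sample hosts, processes and the second IP are made up for the example) while recording whether the destination port also matched the feed.

```python
"""Added example (not from the ThreatFox page): refang the IOC table, build the KQL
lists used by the hunts, and match constructed sample telemetry against them."""
from typing import Dict, List, Tuple

# Rows copied from the IOC table on this page: (type, value, threat type, confidence %).
IOC_ROWS = [
    ("domain", "qinerdime.servehalflife.com", "botnet_cc", 75),
    ("domain", "qinerdime.ydns.eu", "botnet_cc", 75),
    ("ip:port", "47[.]239[.]50[.]7:443", "botnet_cc", 100),
    ("domain", "iotonton.io", "botnet_cc", 75),
]


def refang(value: str) -> str:
    """Undo the defanging ThreatFox applies ("[.]", "[:]", "hxxp") so values match telemetry."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def split_iocs(rows, min_confidence: int = 0) -> Dict[str, list]:
    """Bucket IOCs by type. ip:port is kept as a bare IP (what RemoteIP / DestinationIP
    columns hold) and as an (ip, port) pair so a port mismatch can be flagged, not dropped."""
    out: Dict[str, list] = {"domains": [], "ips": [], "ip_ports": []}
    for ioc_type, value, _threat, confidence in rows:
        if confidence < min_confidence:
            continue
        value = refang(value)
        if ioc_type == "domain":
            out["domains"].append(value.lower())
        elif ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            out["ips"].append(ip)
            out["ip_ports"].append((ip, int(port)))
        elif ioc_type == "ip":
            out["ips"].append(value)
    return out


def kql_dynamic(values) -> str:
    """Render a list as the dynamic([...]) literal used in the let statements above."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"


def domain_matches(name: str, domains) -> bool:
    """True for the exact domain or any subdomain of it; look-alikes such as
    notiotonton.io do not match, and a trailing dot from DNS logs is tolerated."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in domains)


# Constructed sample DNS log lines: "<timestamp> <host> query <name> <type>".
SAMPLE_DNS = [
    "2026-05-22T10:01:02Z host01 query qinerdime.ydns.eu A",
    "2026-05-22T10:01:09Z host02 query mail.example.com A",
    "2026-05-22T10:02:15Z host03 query c2.qinerdime.servehalflife.com A",
    "2026-05-22T10:03:00Z host04 query notiotonton.io A",
]


def hunt_dns(lines, domains) -> List[Tuple[str, str]]:
    """Return (host, queried name) for every sample line that resolves a listed domain."""
    hits = []
    for line in lines:
        _ts, host, _verb, name, _qtype = line.split()
        if domain_matches(name, domains):
            hits.append((host, name))
    return hits


# Constructed sample connection records: (host, remote_ip, remote_port, process).
SAMPLE_NET = [
    ("host01", "47.239.50.7", 443, "svchost.exe"),
    ("host05", "47.239.50.7", 8080, "client.exe"),
    ("host06", "93.184.216.34", 443, "msedge.exe"),
]


def hunt_network(records, ip_ports):
    """Match on IP alone, as the KQL hunts do, and note whether the port matched the feed."""
    known = dict(ip_ports)
    return [(host, ip, port, proc, port == known[ip])
            for host, ip, port, proc in records if ip in known]


if __name__ == "__main__":
    iocs = split_iocs(IOC_ROWS)
    print("let malicious_ips =", kql_dynamic(iocs["ips"]) + ";")
    print("let malicious_domains =", kql_dynamic(iocs["domains"]) + ";")
    for hit in hunt_dns(SAMPLE_DNS, iocs["domains"]):
        print("DNS hit:", hit)
    for hit in hunt_network(SAMPLE_NET, iocs["ip_ports"]):
        print("network hit (port matched feed: %s):" % hit[4], hit[:4])
```

The port flag is deliberately informational: a connection to the listed IP on another port is still worth triage, but the mismatch tells the analyst the feed's `ip:port` pairing did not hold, which changes how much weight the 100% confidence score deserves.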
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job for System Maintenance
Description: A system administrator schedules a PowerShell script using Task Scheduler to perform routine system cleanup or log rotation.
Filter/Exclusion: Exclude tasks created by the Task Scheduler service with a known legitimate script path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe with a script name like CleanupLogs.ps1).
Filter Example: process.parent.name == "schtasks.exe" && process.name == "powershell.exe" && process.args contains "CleanupLogs.ps1"
Scenario: Admin Using PowerShell for Configuration Management
Description: An admin uses PowerShell to configure system settings or deploy updates via a known management tool like Ansible or Chef.
Filter/Exclusion: Exclude PowerShell processes initiated by known configuration management tools (e.g., ansible-playbook, chef-client).
Filter Example: process.name == "powershell.exe" && (process.args contains "ansible-playbook" || process.args contains "chef-client")
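An exclusion that is grouped wrongly silently widens the suppression: without parentheses, `&&` binds tighter than `||`, so "any process whose arguments contain chef-client" is excluded regardless of process name. The Python below is an added example, not part of the original page, that transcribes the first two scenario filters as predicates over constructed process events (the events, their parents and arguments are made up; field names mirror `process.name`, `process.parent.name` and `process.args`) and shows which events still reach the analyst under the ungrouped and the grouped form.

```python
"""Added example (not from the original page): scenario exclusion filters as Python
predicates, demonstrating the effect of operator grouping on constructed events."""

# Constructed sample process events; "id" is only for readable results.
SAMPLE_EVENTS = [
    {"id": 1, "name": "powershell.exe", "parent": "chef-client.exe",
     "args": "powershell.exe -File chef-client/apply.ps1"},
    {"id": 2, "name": "powershell.exe", "parent": "explorer.exe",
     "args": "powershell.exe -File Update-Config.ps1"},
    {"id": 3, "name": "cmd.exe", "parent": "services.exe",
     "args": "cmd.exe /c chef-client --once"},
    {"id": 4, "name": "powershell.exe", "parent": "schtasks.exe",
     "args": "powershell.exe -File CleanupLogs.ps1"},
]


def exclude_config_mgmt_ungrouped(e: dict) -> bool:
    """Literal transcription of the filter without parentheses. Python's `and`/`or`
    bind exactly like `&&`/`||`, so the `or` applies to the whole left-hand conjunction."""
    return e["name"] == "powershell.exe" and "ansible-playbook" in e["args"] or "chef-client" in e["args"]


def exclude_config_mgmt(e: dict) -> bool:
    """Corrected grouping: the process-name check applies to both tool names."""
    return e["name"] == "powershell.exe" and ("ansible-playbook" in e["args"] or "chef-client" in e["args"])


def exclude_scheduled_cleanup(e: dict) -> bool:
    """Scenario 1 filter as written above: scheduled CleanupLogs.ps1 run."""
    return (e["parent"] == "schtasks.exe" and e["name"] == "powershell.exe"
            and "CleanupLogs.ps1" in e["args"])


def remaining_after(events, *exclusions):
    """Events that survive every exclusion and would still be surfaced for review."""
    return [e for e in events if not any(x(e) for x in exclusions)]


def remaining_ids(events, *exclusions):
    return [e["id"] for e in remaining_after(events, *exclusions)]


if __name__ == "__main__":
    print("ungrouped filter keeps:", remaining_ids(SAMPLE_EVENTS, exclude_config_mgmt_ungrouped))
    print("grouped filter keeps:  ", remaining_ids(SAMPLE_EVENTS, exclude_config_mgmt))
    print("both scenario filters: ", remaining_ids(SAMPLE_EVENTS, exclude_config_mgmt,
                                                     exclude_scheduled_cleanup))
```

Event 3 (a `cmd.exe` launch that merely mentions `chef-client`) is the tell: the ungrouped filter drops it, the grouped filter keeps it, which is the behaviour the scenario description actually asks for. Reviewing each exclusion against a small set of events like this, before deploying it, catches precedence mistakes that otherwise only show up as missed detections.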
Scenario: Legitimate Use of WMI for System Monitoring
Description: A monitoring tool like SolarWinds or Microsoft System Center uses WMI to gather system performance data.
Filter/Exclusion: Exclude WMI queries initiated by known monitoring tools (e.g., C:\Program Files\SolarWinds\Orion\OrionWMIProvider.exe).
Filter Example: process.name == "wmic.exe" && process.parent.name == "OrionWMIProvider.exe"
Scenario: Scheduled Backup Using Backup Exec
Description: A backup process initiated by Veeam or Veritas Backup Exec runs a PowerShell script to back up critical data.
Filter/Exclusion: Exclude processes associated