The hunt hypothesis detects potential Quasar RAT deployment by identifying suspicious network connections and file artifacts associated with known malicious IOCs. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Quasar RAT for command and control.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 87[.]106[.]210[.]67:4444 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 5[.]231[.]63[.]14:2000 | botnet_cc | 2026-06-12 | 100% |
```kusto
// Hunt for network connections to known malicious IPs (CommonSecurityLog, i.e. CEF-fed sources)
// Source: ThreatFox - Quasar RAT
// The query matches on IP only; the IOCs above are ip:port pairs, so DestinationPort is
// projected so that a hit on a different port (possible shared hosting) can be triaged as lower confidence.
let malicious_ips = dynamic(["87.106.210.67", "5.231.63.14"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events (separate query; the IOC list is declared again on purpose)
// RemotePort is projected so a match on the IOC's port (4444 or 2000) can be distinguished from other traffic to the host.
let malicious_ips = dynamic(["87.106.210.67", "5.231.63.14"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
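The two queries above match on IP alone, while the IOC table lists ip:port pairs. The following added example (not part of the original hunt page or the ThreatFox feed) shows the same check done port-aware over CEF-style lines, the format CommonSecurityLog ingests: it refangs the `[.]`-defanged IOCs, parses the CEF extension, and grades each hit as a full socket match or an IP-only match. The log lines are constructed for the example; the CEF keys used (`src`, `dst`, `dpt`, `rt`, `act`) are standard CEF extension names, and the simple key=value regex assumes no escaped spaces in values.

```python
import ipaddress
import re

# IOCs exactly as the page lists them, defanged with "[.]" so they are not clickable.
DEFANGED_IOCS = ["87[.]106[.]210[.]67:4444", "5[.]231[.]63[.]14:2000"]


def refang(ioc: str) -> str:
    """Reverse the '[.]' defanging so the value can be compared with log fields."""
    return ioc.replace("[.]", ".")


def parse_ioc(ioc: str) -> tuple[str, int]:
    """Split a defanged 'ip:port' IOC into an (ip, port) tuple, validating the address."""
    host, _, port = refang(ioc).rpartition(":")
    ipaddress.ip_address(host)  # raises ValueError on a malformed IOC
    return host, int(port)


IOC_SOCKETS = {parse_ioc(i) for i in DEFANGED_IOCS}  # (ip, port) pairs
IOC_IPS = {ip for ip, _ in IOC_SOCKETS}              # IP-only view, as the KQL uses

# Simplified CEF extension parser: assumes values contain no escaped spaces.
CEF_KV = re.compile(r"(\w+)=(\S+)")


def parse_cef(line: str) -> dict:
    """Return the extension key/value pairs of a CEF line (everything after the 7th '|')."""
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    return dict(CEF_KV.findall(parts[7]))


def classify(fields: dict) -> str:
    """
    'socket'  : destination IP and port both match an IOC (highest confidence)
    'ip_only' : only the IP matches (other port, or the IOC IP is the source)
    'none'    : no IOC involvement
    """
    src, dst = fields.get("src"), fields.get("dst")
    dpt = int(fields.get("dpt", -1))
    if (dst, dpt) in IOC_SOCKETS:
        return "socket"
    if dst in IOC_IPS or src in IOC_IPS:
        return "ip_only"
    return "none"


def hunt(lines: list[str]) -> list[dict]:
    """Run the IOC check over raw lines, skip non-CEF noise, return hits newest first (by rt)."""
    hits = []
    for line in lines:
        try:
            fields = parse_cef(line)
        except ValueError:
            continue
        verdict = classify(fields)
        if verdict != "none":
            hits.append({
                "verdict": verdict,
                "rt": int(fields.get("rt", 0)),
                "src": fields.get("src"),
                "dst": fields.get("dst"),
                "dpt": fields.get("dpt"),
                "act": fields.get("act"),
            })
    hits.sort(key=lambda h: h["rt"], reverse=True)
    return hits


# Constructed sample telemetry (not real events): internal hosts 10.0.0.0/8, epoch-millisecond rt.
SAMPLE_LOGS = [
    "CEF:0|Vendor|FW|1.0|100|Allowed|3|rt=1718200001000 src=10.0.0.5 dst=87.106.210.67 dpt=4444 act=allow",
    "CEF:0|Vendor|FW|1.0|100|Allowed|3|rt=1718200002000 src=10.0.0.5 dst=87.106.210.67 dpt=443 act=allow",
    "CEF:0|Vendor|FW|1.0|101|Blocked|5|rt=1718200003000 src=10.0.0.7 dst=5.231.63.14 dpt=2000 act=deny",
    "CEF:0|Vendor|FW|1.0|100|Allowed|3|rt=1718200004000 src=10.0.0.9 dst=10.0.0.20 dpt=873 act=allow",
    "CEF:0|Vendor|FW|1.0|100|Allowed|3|rt=1718200005000 src=5.231.63.14 dst=10.0.0.5 dpt=4444 act=allow",
    "Jun 12 10:00:00 host sshd[1]: Accepted publickey for admin",  # not CEF, skipped
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

Of the four hits on the constructed input, two are full socket matches and two are IP-only (a different destination port, and the IOC IP appearing as the source); the rsync transfer to an internal log server on port 873 produces no hit, which is the behaviour the exclusion scenarios below aim for.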
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF data connector (CEF via AMA or the legacy CEF/Syslog forwarder); ensure it is enabled |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR (Microsoft 365 Defender) connector for Defender for Endpoint; ensure it is enabled |
Scenario: Legitimate scheduled job using wget to download updates
Description: A system administrator schedules a job using wget to download updates from a trusted internal repository.
Filter/Exclusion: Exclude processes initiated by cron or systemd with known internal URLs, e.g., wget https://internal-repo.example.com/update.sh

Scenario: Security tool using PowerShell to fetch threat intelligence
Description: A security analyst runs a PowerShell script using Invoke-WebRequest to fetch threat intelligence from a trusted source like ThreatFox or VirusTotal.
Filter/Exclusion: Exclude processes with PowerShell.exe and command-line arguments containing Invoke-WebRequest or Get-Content from known trusted domains

Scenario: Admin task using curl to check for system health
Description: An admin task uses curl to check the health of a remote server or service, such as a monitoring tool.
Filter/Exclusion: Exclude processes with curl and URLs matching internal monitoring endpoints, e.g., curl https://monitoring.example.com/health

Scenario: Log collection tool using rsync to transfer logs
Description: A log aggregation tool uses rsync to transfer logs from one server to a central logging server.
Filter/Exclusion: Exclude processes involving rsync with destination IPs in the internal network or known log servers

Scenario: Software update using msiexec with a signed installer
Description: A legitimate software update is installed via msiexec from a trusted vendor, which may include network activity that matches the rule's IOCs.
Filter/Exclusion: Exclude processes initiated by msiexec with signed installers from known vendors (e.g., Microsoft, Adobe, etc.) and verify