The detection identifies potential Quasar RAT activity through known IOCs. Both indicators are command-and-control endpoints (botnet_cc), so a match means a host may be beaconing to attacker-controlled infrastructure, from which the operator can establish persistence and exfiltrate data. SOC teams should proactively hunt for this behaviour in their Microsoft Sentinel (formerly Azure Sentinel) environment to detect and contain Quasar RAT before the operator escalates. IP-based IOCs age quickly: check the First Seen date and the current ThreatFox entry before acting on a stale indicator.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 87[.]106[.]210[.]67:4444 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 5[.]231[.]63[.]14:2000 | botnet_cc | 2026-06-12 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
// Note: this matches on IP only; the IOC ports (4444 and 2000) are not enforced,
// so review DestinationPort in the results before escalating.
let malicious_ips = dynamic(["5.231.63.14", "87.106.210.67"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Note: matches on RemoteIP only; compare RemotePort against the IOC ports (4444 and 2000)
// and look at the initiating process and account before deciding the hit is benign.
let malicious_ips = dynamic(["5.231.63.14", "87.106.210.67"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector (firewalls, proxies); ensure it is enabled and that the relevant devices forward logs |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR (formerly Microsoft 365 Defender) data connector; ensure it is enabled and that endpoints are onboarded to Defender for Endpoint |
Because the two indicators are specific C2 ip:port pairs rated at 100% confidence, a hit should be triaged before it is tuned out, and any exclusion should be scoped to the destination ip:port and the initiating process rather than to an account. The scenarios below describe benign activity that is most likely to collide with an IP-based match.
Scenario: Legitimate Software Update via Chocolatey
Description: A system administrator uses Chocolatey to install a legitimate package from a source that happens to share an IP address with a Quasar RAT IOC.
Filter/Exclusion: Exclude the event only after confirming that the destination port is the package source's port (not 4444 or 2000) and that the command line (InitiatingProcessCommandLine) shows choco or chocolatey with a known package source. A process name alone is not sufficient, because Quasar RAT can be launched from, or injected into, any process.
Scenario: Scheduled Job for Log Collection
Description: A scheduled task runs a script that connects to a remote log collection server whose IP matches a Quasar RAT IOC.
Filter/Exclusion: Maintain an allowlist of log collection servers (e.g., logserver.example.com and its IP) and exclude only connections whose DestinationIP and DestinationPort both match an allowlisted entry.
Scenario: Admin Task for Patch Management
Description: An admin runs a patch management tool that connects to a remote update server whose IP matches a Quasar RAT IOC.
Filter/Exclusion: Exclude connections made by known patch management tools (e.g., Windows Update, WSUS) by matching the initiating process and the expected update server ip:port, not the user. An adversary with Quasar RAT on an admin workstation runs under that admin account, so an account-based exclusion would hide exactly the activity being hunted.
Scenario: Internal Monitoring Tool Reporting
Description: An internal monitoring agent or forwarder (e.g., Splunk, Sumo Logic) sends data to a central server whose IP matches a Quasar RAT IOC.
Filter/Exclusion: Exclude traffic by checking the SourceIP (or source host name) and the DestinationIP and DestinationPort against a list of internal monitoring servers and collectors.
Scenario: Legitimate Cloud Sync Tool
Description: A user runs a cloud sync tool (e.g., rsync, Syncthing) that connects to a cloud storage or relay endpoint whose IP matches a Quasar RAT IOC.
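The hunting queries above match on IP only, and the false-positive scenarios above rely on an allowlist. The query below, added here as an example and not part of the original page or the ThreatFox feed, combines both: it treats the IOC as an ip:port pair, ranks a hit on the C2 IP but a different port lower, and removes only allowlisted destinations. The two IOC pairs are the ones from the table above; the allowlist entries, host names, and events in the sample_events datatable are constructed for illustration in the shape of DeviceNetworkEvents, and the hypothetical allowlist addresses are assumptions. Replace sample_events with the DeviceNetworkEvents table to run it against real telemetry.

```kusto
// Added example (not from the original page): port-aware Quasar RAT IOC match with an allowlist.
// IOC pairs from the table above, with the port kept instead of discarded.
let quasar_c2 = datatable(RemoteIP:string, IocPort:int)
[
    "87.106.210.67", 4444,
    "5.231.63.14", 2000
];
// Hypothetical allowlist of internal destinations (constructed; not real infrastructure).
// Entries are ip:port pairs, so a benign server on a different port is not silently excluded.
let allowlisted_destinations = datatable(RemoteIP:string, RemotePort:int, Reason:string)
[
    "10.20.30.40", 514,  "internal log collector",
    "10.20.30.41", 8530, "WSUS"
];
// Constructed sample events in the shape of DeviceNetworkEvents (not real telemetry).
let sample_events = datatable(Timestamp:datetime, DeviceName:string, RemoteIP:string, RemotePort:int,
                              InitiatingProcessFileName:string, InitiatingProcessCommandLine:string,
                              InitiatingProcessAccountName:string, ActionType:string)
[
    datetime(2026-06-12T09:15:00Z), "ws-0412",   "87.106.210.67", 4444, "svchost.exe", "svchost.exe -k netsvcs",        "jdoe",      "ConnectionSuccess",
    datetime(2026-06-12T09:16:00Z), "ws-0412",   "87.106.210.67", 443,  "msedge.exe",  "msedge.exe",                     "jdoe",      "ConnectionSuccess",
    datetime(2026-06-12T09:17:00Z), "srv-log01", "10.20.30.40",   514,  "nxlog.exe",   "nxlog.exe -c nxlog.conf",        "SYSTEM",    "ConnectionSuccess",
    datetime(2026-06-12T09:18:00Z), "ws-0099",   "5.231.63.14",   2000, "choco.exe",   "choco install notepadplusplus",  "adm-smith", "ConnectionSuccess"
];
sample_events
// Match on the IOC IP first so that a hit on another port is still surfaced.
| join kind=inner quasar_c2 on RemoteIP
// Drop only destinations that are allowlisted as an exact ip:port pair.
| join kind=leftanti allowlisted_destinations on RemoteIP, RemotePort
// Exact ip:port hits are the high-confidence C2 matches; IP-only hits are lower priority.
| extend Priority = iff(RemotePort == IocPort, "high: exact ip:port IOC match", "medium: IOC IP on a different port")
| project Timestamp, DeviceName, RemoteIP, RemotePort, IocPort, Priority,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by Priority asc, Timestamp desc
```

With the sample data, the svchost.exe connection to 87.106.210.67:4444 and the choco.exe connection to 5.231.63.14:2000 come back as high priority, the msedge.exe connection to the same C2 IP on port 443 comes back as medium, and the log collector traffic is removed by the allowlist. The choco.exe row is the point of the caveat in the scenarios above: a package manager on the command line does not make a connection to a known C2 ip:port benign, and the admin account on that row is why exclusions should not be keyed on the user.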