The ThreatFox: Quasar RAT IOCs rule detects potential remote access trojan activity associated with Quasar RAT, which allows adversaries to establish persistence and exfiltrate data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Quasar RAT for long-term system control and data theft.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 154[.]23[.]189[.]157:14782 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 192[.]162[.]199[.]75:2222 | botnet_cc | 2026-06-08 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
// Matches on IP only; the IOC ports (14782 and 2222) are listed in the table above.
let malicious_ips = dynamic(["154.23.189.157", "192.162.199.75"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Matches on IP only; InitiatingProcessFileName shows which process made the connection.
let malicious_ips = dynamic(["154.23.189.157", "192.162.199.75"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
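The two hunts above match on IP address alone, although the ThreatFox entries are ip:port pairs. The following query is an added example (not part of the original rule) that matches the full pair across both tables and summarises hits per host; it assumes the standard Sentinel schema for both tables (the `Host`, `Process` and `Source` aliases are this example's own).

```kql
// Added example (not part of the original rule): match the full ip:port pairs
// from the ThreatFox table so a host that also serves unrelated traffic on
// other ports does not trigger on IP alone.
let quasar_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "154.23.189.157", 14782,
    "192.162.199.75", 2222
];
// Normalise CommonSecurityLog (firewall/proxy) to a common shape.
let fw = CommonSecurityLog
    | where isnotempty(DestinationIP)
    | project TimeGenerated, Host = DeviceName, RemoteIP = DestinationIP,
              RemotePort = toint(DestinationPort), Process = "", Source = "CommonSecurityLog";
// Normalise Defender for Endpoint network events to the same shape.
let edr = DeviceNetworkEvents
    | where ActionType !in ("ListeningConnectionCreated")
    | project TimeGenerated = Timestamp, Host = DeviceName, RemoteIP,
              RemotePort, Process = InitiatingProcessFileName, Source = "DeviceNetworkEvents";
union fw, edr
// Inner join on both columns: only exact ip:port matches survive.
| join kind=inner quasar_c2 on RemoteIP, RemotePort
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Connections = count(), Processes = make_set(Process, 10)
    by Host, RemoteIP, RemotePort, Source
| order by LastSeen desc
```

Because it also requires the port to match, this is stricter than the IP-only hunts above and will miss a C2 listener that has moved to a different port, so keep both forms.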
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled task runs a PowerShell script to perform routine system maintenance, such as log rotation or disk cleanup, which may include commands similar to those used by Quasar RAT.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler with a known legitimate script path (e.g., C:\Windows\System32\Tasks\) or filter by user account (e.g., SYSTEM or LocalService).
Scenario: Admin using Cobalt Strike for red team exercise
Description: A red team or security team member is using Cobalt Strike to simulate a compromise, which may involve techniques that resemble Quasar RAT IOCs.
Filter/Exclusion: Exclude processes initiated by known red team tools (e.g., CobaltStrike.exe) or filter by user account (e.g., Administrator with a known red team context).
Scenario: Legitimate use of PsExec for remote administration
Description: An IT administrator uses PsExec to remotely execute commands on a Windows server, which may trigger alerts due to similar command-line behavior as Quasar RAT.
Filter/Exclusion: Exclude processes launched via PsExec (psexec.exe) or filter by user account (e.g., ITAdmin with a known legitimate context).
Scenario: Use of Windows Management Instrumentation (WMI) for system monitoring
Description: A monitoring tool or script uses WMI to gather system information, which may involve similar query patterns to those used by Quasar RAT.
Filter/Exclusion: Exclude processes with a known WMI query pattern or filter by the calling process (e.g., wmic.exe or wbemtest.exe).
Scenario: Legitimate use of PowerShell for configuration management
Description: A configuration management