The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, leveraging known indicators associated with their malicious infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage RedTail attacks before they cause significant damage.
IOC Summary

- Malware Family: RedTail
- Total IOCs: 3
- IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 205[.]185[.]118[.]246:80 | payload_delivery | 2026-05-21 | 90% |
| ip:port | 209[.]141[.]58[.]166:80 | payload_delivery | 2026-05-21 | 75% |
| domain | kiss.a-dog.top | payload_delivery | 2026-05-21 | 90% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["209.141.58.166", "205.185.118.246"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["209.141.58.166", "205.185.118.246"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - RedTail
let malicious_domains = dynamic(["kiss.a-dog.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
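The IOC table above is defanged (`[.]`) while the queries need live values, so the two drift apart as ThreatFox adds rows. The following Python script is an added example, not part of the original page or of any ThreatFox tooling: it refangs the rows, splits `ip:port` indicators so the port can serve as an extra filter, drops rows below a confidence cutoff, and renders the KQL `let` statements. The row layout, the `min_confidence` parameter and the generated query shape are assumptions of this script.

```python
import re

# Constructed input: the three rows of the ThreatFox table on this page, kept defanged.
IOC_ROWS = [
    ("ip:port", "205[.]185[.]118[.]246:80", "payload_delivery", 90),
    ("ip:port", "209[.]141[.]58[.]166:80", "payload_delivery", 75),
    ("domain", "kiss.a-dog.top", "payload_delivery", 90),
]

def refang(value: str) -> str:
    """Turn defanged notation ([.] and hxxp) back into a usable indicator."""
    return re.sub(r"\[\.\]", ".", value).replace("hxxp", "http")

def split_iocs(rows, min_confidence: int = 0):
    """Return (ips, ports, domains) from ThreatFox-style rows, refanged and filtered by confidence."""
    ips, ports, domains = [], set(), []
    for ioc_type, value, _threat_type, confidence in rows:
        if confidence < min_confidence:
            continue
        value = refang(value)
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")   # rpartition keeps IPv6-style colons intact
            ips.append(ip)
            ports.add(int(port))
        elif ioc_type == "domain":
            domains.append(value.lower())
    return ips, sorted(ports), domains

def kql_dynamic(name: str, values) -> str:
    """Render a KQL `let` statement holding a dynamic array literal (strings quoted, ints bare)."""
    items = ", ".join(f'"{v}"' if isinstance(v, str) else str(v) for v in values)
    return f"let {name} = dynamic([{items}]);"

def build_kql(rows, min_confidence: int = 0) -> str:
    """Emit a port-aware CommonSecurityLog hunt for the IP IOCs (assumed query shape)."""
    ips, ports, _domains = split_iocs(rows, min_confidence)
    return "\n".join([
        kql_dynamic("malicious_ips", ips),
        kql_dynamic("malicious_ports", ports),
        "CommonSecurityLog",
        "| where (DestinationIP in (malicious_ips) and DestinationPort in (malicious_ports))",
        "    or SourceIP in (malicious_ips)",
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity",
    ])

if __name__ == "__main__":
    print(build_kql(IOC_ROWS, min_confidence=80))
```

Lower the cutoff to 0 to keep the 75% indicator; the port filter only applies on the destination side because the IOC ports describe the attacker's listener.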
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Job | A legitimate scheduled job runs a script that matches the RedTail IOC pattern (e.g., `C:\Windows\System32\svchost.exe` or `taskkill.exe`). | `process.parent_process_name == "schtasks.exe" or process.command_line contains "schtasks"` |
| Admin Task: PowerShell Script Execution | An administrator runs a PowerShell script that inadvertently matches the RedTail IOC (e.g., `powershell.exe -Command "Get-Service"`). | `process.parent_process_name == "powershell.exe" and process.command_line contains "Get-Service"` |
| Logon Session Cleanup by Task Scheduler | A task scheduler job runs a cleanup script that uses `taskkill.exe` or `logoff.exe` to terminate idle sessions. | `process.command_line contains "taskkill /F /PID" or process.command_line contains "logoff.exe"` |
| Antivirus Scan Using ClamAV | A legitimate antivirus scan (e.g., ClamAV) may trigger a false positive due to similar file names or paths. | `process.parent_process_name == "clamscan.exe" or process.parent_process_name == "freshclam.exe"` |
| Database Backup Job Using SQL Server Agent | A SQL Server Agent job runs a backup script that includes commands resembling RedTail IOCs (e.g., `sqlcmd.exe` or `xp_cmdshell`). | `process.parent_process_name == "sqlagent.exe" or process.command_line contains "sqlcmd -S"` |