The ThreatFox: EtherRAT IOCs rule flags DNS queries to domains that ThreatFox reports as EtherRAT command-and-control (botnet_cc) infrastructure. EtherRAT is a remote access trojan known for exfiltrating sensitive data and maintaining persistent access, so a match indicates a host that is actively resolving attacker infrastructure, not a stray download. SOC teams should hunt for these lookups in Azure Sentinel (now Microsoft Sentinel) and triage any hit before the operator can expand access or exfiltrate data.
IOC Summary
Malware Family: EtherRAT
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | rubysen.com | botnet_cc | 2026-05-19 | 100% |
| domain | ager-stp.org | botnet_cc | 2026-05-19 | 100% |
| domain | brand-physics-aerial-companion.trycloudflare.com | botnet_cc | 2026-05-19 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - EtherRAT (botnet_cc, 100% confidence, first seen 2026-05-19)
// has_any is case-insensitive and term-based, so it should also match
// subdomains such as api.rubysen.com; verify against your own data.
// The trycloudflare.com entry is a Cloudflare Quick Tunnel hostname: these
// names are random and short-lived, so a miss on the exact hostname does
// not clear a host, and sibling *.trycloudflare.com lookups are worth a look.
let malicious_domains = dynamic(["rubysen.com", "ager-stp.org", "brand-physics-aerial-companion.trycloudflare.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector that populates this table is enabled, and that client lookup queries (not only server audit events) are being collected; otherwise Name matches will never appear |
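As an added example (not part of the ThreatFox listing or the Sentinel rule), the Python below reproduces the hunt offline over a constructed sample of DnsEvents-shaped records, so you can see what the match does and does not catch before running it against production data. It normalizes case and trailing dots, treats a query as a hit only when it is the indicator or one of its subdomains, and, as an added assumption not taken from the page, surfaces other *.trycloudflare.com queries at a lower "tunnel-apex" tier because Quick Tunnel hostnames rotate. The sample events, host names and tiering are constructed for this example.

```python
"""Offline replica of the DnsEvents hunt above (added example, not the rule).

Matches DNS query names against the three EtherRAT domains from the
ThreatFox listing. SAMPLE_EVENTS is constructed for this example and is
not real telemetry. The 'tunnel-apex' tier is an added hunting heuristic
and is not part of the ThreatFox rule.
"""

# Copied from the IOC table above (botnet_cc, 100% confidence).
IOC_DOMAINS = [
    "rubysen.com",
    "ager-stp.org",
    "brand-physics-aerial-companion.trycloudflare.com",
]

# Assumption: Cloudflare Quick Tunnels are not used legitimately in this
# environment, so any other *.trycloudflare.com lookup is worth review at
# lower confidence. Set to None to disable this tier.
TUNNEL_APEX = "trycloudflare.com"

# Constructed DnsEvents-shaped records; field names follow the KQL projection.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-20T08:01:10Z", "Computer": "WS-041", "Name": "rubysen.com", "QueryType": "A"},
    {"TimeGenerated": "2026-05-20T08:01:12Z", "Computer": "WS-041", "Name": "api.RUBYSEN.com.", "QueryType": "A"},
    {"TimeGenerated": "2026-05-20T08:02:00Z", "Computer": "WS-017", "Name": "rubysen.com.cdn.example.net", "QueryType": "A"},
    {"TimeGenerated": "2026-05-20T08:03:30Z", "Computer": "SRV-DB1", "Name": "ager-stp.org", "QueryType": "AAAA"},
    {"TimeGenerated": "2026-05-20T08:04:00Z", "Computer": "WS-099", "Name": "www.microsoft.com", "QueryType": "A"},
    {"TimeGenerated": "2026-05-20T08:05:00Z", "Computer": "WS-099", "Name": "other-random-words.trycloudflare.com", "QueryType": "A"},
]


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot some resolvers log (FQDN form)."""
    return name.strip().lower().rstrip(".")


def is_domain_or_subdomain(query: str, indicator: str) -> bool:
    """Label-aware match: the query is the indicator itself or ends in
    '.' + indicator. A plain substring test would also fire on names that
    merely embed the indicator as inner labels (rubysen.com.cdn.example.net)
    or share a suffix (evilrubysen.com); this does not."""
    q, i = normalize(query), normalize(indicator)
    return q == i or q.endswith("." + i)


def classify(name, iocs=IOC_DOMAINS, apex=TUNNEL_APEX):
    """Return ('ioc', indicator), ('tunnel-apex', apex) or None.
    IOC matches are checked first so the listed trycloudflare hostname is
    reported at full confidence, not as a sibling tunnel."""
    for ioc in iocs:
        if is_domain_or_subdomain(name, ioc):
            return "ioc", normalize(ioc)
    if apex and is_domain_or_subdomain(name, apex):
        return "tunnel-apex", apex
    return None


def hunt(events, iocs=IOC_DOMAINS, apex=TUNNEL_APEX):
    """Mirror of the KQL: keep matching queries, project the same columns
    plus Tier and Indicator, newest first (ISO timestamps sort as strings)."""
    hits = []
    for ev in events:
        verdict = classify(ev["Name"], iocs, apex)
        if verdict is None:
            continue
        tier, indicator = verdict
        hits.append({
            "TimeGenerated": ev["TimeGenerated"],
            "Computer": ev["Computer"],
            "Name": ev["Name"],
            "IPAddresses": ev.get("IPAddresses", ""),
            "QueryType": ev.get("QueryType", ""),
            "Tier": tier,
            "Indicator": indicator,
        })
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f'{h["TimeGenerated"]} {h["Computer"]:8} {h["Tier"]:11} {h["Name"]} -> {h["Indicator"]}')
```

Run against the sample, the two rubysen.com lookups (including the upper-case, trailing-dot one) and the ager-stp.org lookup are reported as IOC hits, the sibling tunnel hostname is reported at the lower tier, and the name that only embeds rubysen.com as inner labels is not reported. Swap SAMPLE_EVENTS for an export of your DnsEvents rows to compare with what the KQL returns.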
False Positive Considerations
The exclusions below concern process-execution telemetry (for example SecurityEvent 4688 or DeviceProcessEvents), not the DnsEvents match above. A query for a botnet_cc domain should not be suppressed because of the process that issued it; apply these filters only when the hunt is extended to process-based pivots on a matching host.
Scenario: Legitimate scheduled job using schtasks.exe to run a maintenance script
Filter/Exclusion: Exclude task executions whose action points at a known, change-controlled script path (task definitions live under C:\Windows\System32\Tasks); exclude on the full script path, not on schtasks.exe alone, since scheduled tasks are a common persistence mechanism.
Scenario: System update or patching using msiexec.exe
Filter/Exclusion: Exclude msiexec.exe executions for known, signed Microsoft update packages (identified by their MSI product code GUID or by the update client that launched them) rather than on the process name alone; msiexec.exe is also routinely used to install malware.
Scenario: Admin task using taskmgr.exe to configure system services
Filter/Exclusion: Task Manager can only start and stop services; configuration is done through services.msc, sc.exe or PowerShell. Exclude interactions with known Microsoft services (e.g., wuauserv, TrustedInstaller, or BITS) only when they come from an administrator account on an admin workstation, and keep BITS in scope elsewhere, as it is frequently abused for downloads and persistence.
Scenario: Network discovery using nmap.exe for internal network mapping
Filter/Exclusion: Exclude nmap.exe scans of internal ranges (e.g., 192.168.0.0/24 or 10.0.0.0/8) only when run from designated scanner hosts and accounts; scoping on the target range alone is unsafe because an intruder scans the same ranges.
Scenario: Log analysis using logparser.exe with enterprise log files
Filter/Exclusion: Exclude logparser.exe executions against known enterprise log paths (e.g., C:\Windows\System32\LogFiles or C:\ProgramData\Microsoft\Windows\) when launched by known analyst or administrator accounts.