The detection identifies potential Nanocore RAT activity through suspicious IOCs associated with command and control communication, indicating an adversary may be establishing persistent remote access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they exfiltrate data or compromise critical systems.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | estaliax.io | botnet_cc | 2026-05-21 | 75% |
| domain | duraktantuni.site | botnet_cc | 2026-05-20 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["estaliax.io", "duraktantuni.site"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
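The following is an added, offline re-implementation of the hunt above over constructed DnsEvents-style rows; it is not code from the page, from ThreatFox or from Microsoft Sentinel. The two IOC domains are the page's; the hostnames, IP addresses, computer names and timestamps are constructed, and the `DnsEvent` fields are an assumed subset of the real table's columns. It contrasts a strict "equals or is a subdomain of" match with an approximation of KQL `has_any` term matching, which can also fire on a lookalike such as `estaliax.io.example.com`, and shows the case and trailing-dot normalisation a query should survive.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IOC domains are the two from the IOC table above; everything else here
# (hostnames, IPs, computer names, timestamps) is constructed sample data.
MALICIOUS_DOMAINS = ("estaliax.io", "duraktantuni.site")


@dataclass(frozen=True)
class DnsEvent:
    """Minimal stand-in for a DnsEvents row (assumed column subset)."""
    time_generated: str
    computer: str
    name: str           # queried FQDN
    ip_addresses: str
    query_type: str


SAMPLE_EVENTS = [
    DnsEvent("2026-05-21T10:00:01Z", "ws-01", "estaliax.io", "203.0.113.5", "A"),
    DnsEvent("2026-05-21T10:00:07Z", "ws-02", "cdn.duraktantuni.site", "203.0.113.9", "A"),
    # Upper case with a trailing root dot: must still match after normalisation.
    DnsEvent("2026-05-21T10:01:00Z", "ws-03", "ESTALIAX.IO.", "203.0.113.5", "AAAA"),
    # Lookalike where the IOC appears as a prefix of an unrelated domain.
    DnsEvent("2026-05-21T10:02:00Z", "ws-04", "estaliax.io.example.com", "198.51.100.2", "A"),
    DnsEvent("2026-05-21T10:03:00Z", "ws-05", "login.microsoftonline.com", "198.51.100.3", "A"),
]


def normalize(fqdn: str) -> str:
    """Lower-case and strip the trailing root dot so comparisons are stable."""
    return fqdn.strip().lower().rstrip(".")


def strict_match(fqdn: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IOC that fqdn equals or is a subdomain of, else None."""
    host = normalize(fqdn)
    for ioc in iocs:
        ioc_n = normalize(ioc)
        if host == ioc_n or host.endswith("." + ioc_n):
            return ioc
    return None


def loose_match(fqdn: str, iocs: Iterable[str]) -> Optional[str]:
    """Approximation of KQL has_any: case-insensitive match of the IOC's terms
    as a contiguous phrase, so 'estaliax.io.example.com' is flagged as well."""
    terms = re.split(r"[^a-z0-9]+", normalize(fqdn))
    for ioc in iocs:
        ioc_terms = re.split(r"[^a-z0-9]+", normalize(ioc))
        n = len(ioc_terms)
        if any(terms[i:i + n] == ioc_terms for i in range(len(terms) - n + 1)):
            return ioc
    return None


def hunt(events, iocs=MALICIOUS_DOMAINS, matcher=strict_match) -> List[dict]:
    """Mirror of the query: keep rows whose Name matches an IOC, project the
    same columns, newest first, and add the IOC that fired for pivoting."""
    hits = []
    for e in sorted(events, key=lambda ev: ev.time_generated, reverse=True):
        ioc = matcher(e.name, iocs)
        if ioc is not None:
            hits.append({
                "TimeGenerated": e.time_generated,
                "Computer": e.computer,
                "Name": e.name,
                "IPAddresses": e.ip_addresses,
                "QueryType": e.query_type,
                "MatchedIOC": ioc,
            })
    return hits


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

With the constructed rows, the strict matcher returns three hits (ws-03, ws-02, ws-01) and the loose matcher four, the extra one being the `estaliax.io.example.com` lookalike; when triaging `has_any` results in Sentinel, that difference is worth checking before raising an incident.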
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using nanocore.exe
Description: A backup tool named nanocore.exe is used as part of a scheduled job to archive system files.
Filter/Exclusion: Exclude processes where the full path contains C:\Program Files\BackupTool\nanocore.exe or where the process is launched by schtasks.exe.

Scenario: Admin task using nanocore.exe for network diagnostics
Description: An administrator uses a custom script or tool named nanocore.exe to perform network diagnostics or port scanning.
Filter/Exclusion: Exclude processes initiated by cmd.exe or powershell.exe with command-line arguments containing netstat, nmap, or tcpdump.

Scenario: Legitimate software update process using nanocore.dll
Description: A software update package includes a file named nanocore.dll as part of a legitimate application update.
Filter/Exclusion: Exclude files where the parent process is msiexec.exe or where the file path contains C:\Windows\Temp\update_package\.

Scenario: System event log cleanup using nanocore.exe
Description: A system cleanup tool named nanocore.exe is used to clear temporary files and logs.
Filter/Exclusion: Exclude processes where the command line includes clean, delete, or clear, or where the process is launched by task scheduler with a known cleanup task name.

Scenario: Legitimate third-party tool with similar name
Description: A legitimate third-party tool with a similar name to nanocore is used in the environment, triggering the rule due to a naming overlap.
Filter/Exclusion: Exclude processes where the file name
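The scenarios above describe exclusions for process-creation events rather than for the DNS query, so the added example below (not from the page) applies those four exclusion rules to constructed process records and separates suppressed events from the ones that still alert. The `ProcessEvent` fields, the event samples and the rule names are assumptions; the paths, parent processes and keywords come from the scenarios. The fourth sample shows the edge case a tuner should watch for: a keyword-only exclusion such as "clear" also suppresses a binary running from a user's Downloads folder, which is why the cleanup scenario ties the exclusion to a known task name.

```python
import ntpath
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed column subset of a process-creation record; all values are constructed.
@dataclass(frozen=True)
class ProcessEvent:
    computer: str
    image_path: str      # full path of the new process
    parent_image: str    # full path of the parent process
    command_line: str


def _base(path: str) -> str:
    """Windows file name in lower case, for parent/image comparisons."""
    return ntpath.basename(path).lower()


def _has_kw(text: str, keywords: Tuple[str, ...]) -> bool:
    t = text.lower()
    return any(k in t for k in keywords)


# One predicate per scenario; paths and keywords as stated on the page.
def excl_backup_job(e: ProcessEvent) -> bool:
    return ("c:\\program files\\backuptool\\nanocore.exe" in e.image_path.lower()
            or _base(e.parent_image) == "schtasks.exe")


def excl_admin_diagnostics(e: ProcessEvent) -> bool:
    return (_base(e.parent_image) in {"cmd.exe", "powershell.exe"}
            and _has_kw(e.command_line, ("netstat", "nmap", "tcpdump")))


def excl_software_update(e: ProcessEvent) -> bool:
    return (_base(e.parent_image) == "msiexec.exe"
            or "c:\\windows\\temp\\update_package\\" in e.image_path.lower())


def excl_cleanup(e: ProcessEvent) -> bool:
    # Keyword-only rule: broad, so in production pair it with the task name.
    return _has_kw(e.command_line, ("clean", "delete", "clear"))


EXCLUSIONS: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("backup_job", excl_backup_job),
    ("admin_diagnostics", excl_admin_diagnostics),
    ("software_update", excl_software_update),
    ("cleanup", excl_cleanup),
]


def is_candidate(e: ProcessEvent) -> bool:
    """The rule's trigger condition: an image whose file name starts with 'nanocore'."""
    return _base(e.image_path).startswith("nanocore")


def is_excluded(e: ProcessEvent) -> Optional[str]:
    """Name of the first exclusion that matches, or None if the event still alerts."""
    for name, pred in EXCLUSIONS:
        if pred(e):
            return name
    return None


def triage(events: List[ProcessEvent]):
    """Split candidate events into (alerts, suppressed) where suppressed carries
    the exclusion name so the tuning decision stays auditable."""
    alerts: List[ProcessEvent] = []
    suppressed: List[Tuple[ProcessEvent, str]] = []
    for e in events:
        if not is_candidate(e):
            continue
        reason = is_excluded(e)
        if reason is None:
            alerts.append(e)
        else:
            suppressed.append((e, reason))
    return alerts, suppressed


SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Program Files\BackupTool\nanocore.exe",
                 r"C:\Windows\System32\svchost.exe", "nanocore.exe --archive"),
    ProcessEvent("ws-02", r"C:\Users\alice\AppData\Roaming\nanocore.exe",
                 r"C:\Windows\explorer.exe", "nanocore.exe"),
    ProcessEvent("ws-03", r"C:\Windows\Temp\update_package\nanocore.exe",
                 r"C:\Windows\System32\msiexec.exe", "nanocore.exe /install"),
    # Suppressed only because the command line contains "clear".
    ProcessEvent("ws-04", r"C:\Users\bob\Downloads\nanocore.exe",
                 r"C:\Windows\System32\cmd.exe", "nanocore.exe --mode clear"),
    ProcessEvent("ws-05", r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    print("alerts:", [a.computer for a in alerts])
    print("suppressed:", [(s.computer, why) for s, why in suppressed])
```

Run as-is it reports ws-02 as the only alert and ws-01, ws-03 and ws-04 as suppressed; the ws-04 suppression is the one to revisit when tightening the cleanup exclusion.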