This detection identifies potential Nanocore RAT activity through known IOCs (command-and-control IP addresses and ports), indicating an adversary may be establishing persistence and remote control over compromised systems. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to detect and mitigate advanced persistent threats leveraging Nanocore RAT.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 22
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]67[.]167[.]226:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 104[.]21[.]13[.]13:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 172[.]67[.]168[.]232:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 172[.]67[.]206[.]4:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 104[.]21[.]27[.]46:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 104[.]21[.]61[.]46:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 104[.]21[.]59[.]56:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 104[.]21[.]78[.]230:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 172[.]67[.]215[.]32:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 172[.]67[.]137[.]245:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 172[.]67[.]197[.]199:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 104[.]21[.]60[.]146:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 104[.]21[.]16[.]219:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 172[.]67[.]216[.]63:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 104[.]21[.]93[.]223:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 172[.]67[.]216[.]79:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 172[.]67[.]170[.]222:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 104[.]21[.]28[.]144:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 172[.]67[.]148[.]147:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 104[.]21[.]29[.]72:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 104[.]21[.]95[.]171:443 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 172[.]67[.]146[.]58:443 | botnet_cc | 2026-05-06 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Nanocore RAT
// Note: the IOCs above are ip:port pairs (all :443); this list carries the IPs only,
// so add a DestinationPort filter if you want to match the full indicator.
let malicious_ips = dynamic(["172.67.197.199", "172.67.170.222", "104.21.28.144", "104.21.95.171", "104.21.29.72", "104.21.16.219", "172.67.148.147", "104.21.60.146", "104.21.59.56", "104.21.13.13", "172.67.168.232", "172.67.146.58", "104.21.27.46", "172.67.206.4", "172.67.215.32", "104.21.93.223", "172.67.137.245", "104.21.78.230", "172.67.216.63", "104.21.61.46", "172.67.216.79", "172.67.167.226"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Same IP list as above; RemotePort is projected so the :443 from the IOCs can be checked by eye.
let malicious_ips = dynamic(["172.67.197.199", "172.67.170.222", "104.21.28.144", "104.21.95.171", "104.21.29.72", "104.21.16.219", "172.67.148.147", "104.21.60.146", "104.21.59.56", "104.21.13.13", "172.67.168.232", "172.67.146.58", "104.21.27.46", "172.67.206.4", "172.67.215.32", "104.21.93.223", "172.67.137.245", "104.21.78.230", "172.67.216.63", "104.21.61.46", "172.67.216.79", "172.67.167.226"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
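As an added example (not part of the page's detection content or the queries above), the following Python script takes defanged ip:port indicators in the form the IOC table uses, refangs and validates them, renders the same `let malicious_ips = dynamic([...])` list the hunting queries rely on, and matches flow records against the indicators on both IP and port. The page's KQL matches on IP alone and drops the :443 from every indicator; matching the port as well is one way to narrow hits when an address is shared by many unrelated services, as CDN front ends are. The two IOCs are taken from the table above; the flow records, column names and helper functions are constructed for this illustration and do not come from the page.

```python
"""Refang ip:port IOCs, emit a KQL list, and match flows on IP and port.

Added example; not part of the original page. Sample IOCs are two entries
from the page's table; the flow records are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Two IOCs from the page's table, kept in their defanged form.
DEFANGED_IOCS = [
    "172[.]67[.]167[.]226:443",
    "104[.]21[.]13[.]13:443",
]

# Defanged IPv4 with "[.]" separators, followed by ":port".
IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")


def refang(ioc: str) -> Tuple[str, int]:
    """Turn '172[.]67[.]167[.]226:443' into ('172.67.167.226', 443).

    Rejects anything that is not a well-formed defanged IPv4:port so a
    malformed feed line cannot silently widen the match list.
    """
    m = IOC_RE.match(ioc.strip())
    if not m:
        raise ValueError(f"not a defanged ip:port IOC: {ioc!r}")
    ip = m.group(1).replace("[.]", ".")
    port = int(m.group(2))
    if any(int(octet) > 255 for octet in ip.split(".")) or not 0 < port <= 65535:
        raise ValueError(f"out-of-range address or port: {ioc!r}")
    return ip, port


def load_iocs(lines: Iterable[str]) -> Set[Tuple[str, int]]:
    """Refang and de-duplicate a list of defanged ip:port strings."""
    return {refang(line) for line in lines if line.strip()}


def to_kql_let(pairs: Iterable[Tuple[str, int]], name: str = "malicious_ips") -> str:
    """Render the unique IPs as a KQL 'let ... = dynamic([...])' statement,
    the same shape the page's hunting queries use (ports are dropped here too)."""
    ips = sorted({ip for ip, _ in pairs})
    quoted = ", ".join(f'"{ip}"' for ip in ips)
    return f"let {name} = dynamic([{quoted}]);"


# Constructed flow records shaped like CommonSecurityLog columns.
SAMPLE_FLOWS: List[Dict[str, object]] = [
    {"TimeGenerated": "2026-05-06T10:00:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "172.67.167.226", "DestinationPort": 443},   # full IOC match
    {"TimeGenerated": "2026-05-06T10:01:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "172.67.167.226", "DestinationPort": 80},    # IP matches, port does not
    {"TimeGenerated": "2026-05-06T10:02:00Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "192.0.2.10", "DestinationPort": 443},      # no match (TEST-NET address)
]


def match_flows(flows: Iterable[Dict[str, object]],
                pairs: Iterable[Tuple[str, int]],
                require_port: bool = True) -> List[Dict[str, object]]:
    """Return the flows whose destination hits an IOC.

    With require_port=True the destination port must match the IOC's port
    as well; with False the check degrades to IP-only matching, which is
    what the page's KQL does.
    """
    ioc_pairs = set(pairs)
    ioc_ips = {ip for ip, _ in ioc_pairs}
    hits = []
    for flow in flows:
        key = (str(flow["DestinationIP"]), int(flow["DestinationPort"]))
        if (require_port and key in ioc_pairs) or (not require_port and key[0] in ioc_ips):
            hits.append(flow)
    return hits


if __name__ == "__main__":
    iocs = load_iocs(DEFANGED_IOCS)
    print(to_kql_let(iocs))
    for hit in match_flows(SAMPLE_FLOWS, iocs):
        print("HIT", hit["SourceIP"], "->", hit["DestinationIP"], hit["DestinationPort"])
```

Running it prints the KQL `let` statement for the two indicators and a single hit for the flow to 172.67.167.226:443; the flow to the same address on port 80 is reported only when `require_port=False`, which mirrors the IP-only behaviour of the page's queries.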
Scenario: Legitimate scheduled job using nanocore.exe
Description: A scheduled task runs nanocore.exe as part of a legitimate system cleanup or maintenance tool.
Filter/Exclusion: Exclude processes where the full path contains C:\Windows\System32\ or C:\Program Files\ and the process name is nanocore.exe.
Scenario: Admin using PowerShell to manage network interfaces
Description: An administrator uses PowerShell to configure network interfaces, which may involve indicator-like commands such as netsh or ipconfig.
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes netsh, ipconfig, or Get-NetAdapter.
Scenario: Legitimate software update using nanocore as a dependency
Description: A third-party software update package includes nanocore as a dependency for compatibility or logging purposes.
Filter/Exclusion: Exclude processes where the parent process is a known update tool (e.g., msiexec.exe, setup.exe) or where the file path includes a known vendor directory.
Scenario: System diagnostic tool using nanocore for logging
Description: A system diagnostic or monitoring tool uses nanocore for logging or data collection, which may trigger the rule.
Filter/Exclusion: Exclude processes where the parent process is a known diagnostic tool (e.g., taskmgr.exe, perfmon.exe) or where the file path includes a known monitoring directory.
Scenario: User running a legitimate script with nanocore as a module
Description: A user runs a script that imports or uses nanocore as a module for legitimate system management tasks.
Filter/Exclusion: Exclude processes where the