The ThreatFox: nccTrojan IOCs rule hunts for file events whose SHA-256 or SHA-1 hash matches indicators that ThreatFox has published for the nccTrojan malware family, which is used for persistent remote access and data exfiltration. SOC teams should run this hunt proactively in Microsoft Sentinel (formerly Azure Sentinel): a hash match is a high-fidelity signal that the payload of a stealthy backdoor has landed on a host, and catching it early limits the window for long-term system compromise.
IOC Summary
Malware Family: nccTrojan
Total IOCs: 2
IOC Types: sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 9fd30bda0edf3b10b326703303fa15995a688d200582822ef49422ebac87b7f7 | payload | 2026-05-20 | 75% |
| sha1_hash | c8ac1b977d771c89ed7152f0daedb6a3e8b69b24 | payload | 2026-05-20 | 75% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - nccTrojan
// Keep each hash type in its own list and test it only against the matching column:
// a SHA-1 value can never equal a SHA256 column value, and this entry carries no MD5 IOC,
// so the original single-list check against SHA256, SHA1 and MD5 wasted two comparisons per row.
// in~ is case-insensitive, which protects the match if a feed ever ships upper-case hex.
let sha256_hashes = dynamic(["9fd30bda0edf3b10b326703303fa15995a688d200582822ef49422ebac87b7f7"]);
let sha1_hashes = dynamic(["c8ac1b977d771c89ed7152f0daedb6a3e8b69b24"]);
DeviceFileEvents
| where SHA256 in~ (sha256_hashes) or SHA1 in~ (sha1_hashes)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
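The same hunt can be run offline on a suspect host or a forensic image, which is useful when the device is not reporting to Sentinel or when you want to confirm a match before escalating. The script below is an added example written for this page; it is not ThreatFox, Microsoft Sentinel or nccTrojan code. It takes the two hashes from the table above, groups them by algorithm so each value is only ever compared with a digest of the same type, hashes every file under a directory in one streaming pass, and reports matches. It also emits the per-column form of the KQL query from the same IOC list, so the feed and the query cannot drift apart. The sample files and the extra stand-in SHA-256 it adds to the IOC set are constructed for the demonstration and are not real indicators.

```python
"""Offline hash check against the ThreatFox nccTrojan IOCs, plus a generator for the
per-column KQL. Added example for this page; not ThreatFox, Microsoft Sentinel or
nccTrojan code. The sample files and the stand-in hash below are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path

# The two IOCs from the table on this page, as (ThreatFox type, value).
THREATFOX_IOCS = [
    ("sha256_hash", "9fd30bda0edf3b10b326703303fa15995a688d200582822ef49422ebac87b7f7"),
    ("sha1_hash", "c8ac1b977d771c89ed7152f0daedb6a3e8b69b24"),
]

# ThreatFox IOC type -> hashlib algorithm name.
HASH_ALGOS = {"sha256_hash": "sha256", "sha1_hash": "sha1", "md5_hash": "md5"}
# hashlib algorithm name -> DeviceFileEvents column.
KQL_COLUMNS = {"sha256": "SHA256", "sha1": "SHA1", "md5": "MD5"}


def index_iocs(iocs):
    """Group hash IOCs by algorithm, lower-cased, so a value is only compared with a
    digest of the same algorithm (a SHA-1 can never equal a SHA-256)."""
    by_algo = {}
    for ioc_type, value in iocs:
        algo = HASH_ALGOS.get(ioc_type)
        if algo is None:  # domains, URLs and other non-hash IOC types are out of scope here
            continue
        by_algo.setdefault(algo, set()).add(value.strip().lower())
    return by_algo


def hash_file(path, algos):
    """Compute every required digest in a single streaming pass over the file."""
    hashers = {algo: hashlib.new(algo) for algo in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan_tree(root, iocs):
    """Return (path, algorithm, digest) for every file under root whose digest is an IOC."""
    by_algo = index_iocs(iocs)
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        for algo, digest in hash_file(path, by_algo).items():
            if digest in by_algo[algo]:
                hits.append((str(path), algo, digest))
    return hits


def build_kql(iocs, table="DeviceFileEvents"):
    """Emit the hunt query with one list per hash type, each tested against its own
    column with the case-insensitive in~ operator."""
    by_algo = index_iocs(iocs)
    lets, conds = [], []
    for algo in ("sha256", "sha1", "md5"):
        values = sorted(by_algo.get(algo, ()))
        if not values:
            continue
        lets.append(f"let {algo}_iocs = dynamic({json.dumps(values)});")
        conds.append(f"{KQL_COLUMNS[algo]} in~ ({algo}_iocs)")
    return "\n".join(lets + [table, "| where " + " or ".join(conds), "| order by Timestamp desc"])


# Constructed stand-in: a fake payload whose SHA-256 is added to the IOC set in upper case
# to exercise the normalisation. It is not a real nccTrojan indicator.
CONSTRUCTED_PAYLOAD = b"constructed stand-in payload for the nccTrojan hunt example\n"
DEMO_IOCS = THREATFOX_IOCS + [
    ("sha256_hash", hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest().upper()),
]


def run_demo():
    """Write a benign file and the stand-in payload into a temp dir, scan it, and
    return the hits as (file name, algorithm, digest)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "readme.txt").write_bytes(b"nothing to see here\n")
        (Path(tmp) / "svchost_update.exe").write_bytes(CONSTRUCTED_PAYLOAD)
        return [(Path(p).name, algo, digest) for p, algo, digest in scan_tree(tmp, DEMO_IOCS)]


if __name__ == "__main__":
    for name, algo, digest in run_demo():
        print(f"HIT {name} {algo}={digest}")
    print(build_kql(THREATFOX_IOCS))
```

Point `scan_tree` at a mounted image or a suspect directory with `THREATFOX_IOCS` to check a host that Sentinel cannot see; any hit is a real match on the published hash and should be handled as such rather than tuned away.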
False Positive Scenarios
This rule keys only on file hashes, so none of the scenarios below trigger it through process or command-line activity alone; each can fire it only if a file involved carries one of the listed SHA-256 or SHA-1 values. Tune on the matched file, never on the initiating process or account.
Scenario: Legitimate scheduled job execution
Description: A scheduled task runs a legitimate script or binary (e.g., a PowerShell maintenance job). Ordinary task-scheduler activity does not match this rule; it fires only if the file the task writes or launches has one of the listed hashes.
Filter/Exclusion: Do not exclude processes initiated by schtasks.exe or powershell.exe on the strength of their command line. Verify the matched file's hash and publisher signature; exclude a specific hash only once it is confirmed benign, and report the ThreatFox entry as mislabeled if so.
Scenario: Admin PowerShell remoting session
Description: A system administrator uses PowerShell remoting (Invoke-Command) to manage remote servers. Remote command execution by itself does not match this rule; it fires only if a file staged or copied through the session has one of the listed hashes.
Filter/Exclusion: Do not exclude by admin account or source IP address. A remoting session from a trusted account is exactly how an attacker with stolen credentials would move a payload, so confirm the file's hash before excluding anything.
Scenario: Software update or patch deployment
Description: Update tooling (e.g., Chocolatey, WSUS, or Microsoft Update) writes large numbers of new binaries and is the biggest source of DeviceFileEvents volume, but it matches this rule only if a delivered file has a listed hash. If it does, treat the event as a possible supply-chain compromise or a mislabeled IOC, not as noise.
Filter/Exclusion: Do not blanket-exclude choco.exe, wusa.exe, or msiexec.exe as initiating processes or files written under update repositories. Exclude a specific file only after checking its publisher signature and confirming the ThreatFox entry is wrong.
Scenario: Data exfiltration via legitimate cloud sync
Description: A user syncs data to cloud storage with a tool such as rsync, scp, or the AWS CLI. The copies generate file events, but they match this rule only if a copied file has a listed hash, in which case the sync tool is moving the malware sample itself (for example, a researcher or sandbox host syncing samples).
Filter/Exclusion: Exclude only known malware-research or sandbox hosts and accounts that legitimately handle samples. On any other host, a sync tool touching a file with a listed hash is a finding, not a false positive.
Scenario: Malicious attachment from a trusted vendor
Description: A trusted vendor sends a legitimate attachment (e.g., a PDF or Excel file