This detection identifies potential NetSupportManager RAT activity by matching network telemetry against known command-and-control (C2) IOCs. NetSupportManager is a legitimate commercial remote-administration product, but its client is widely abused as a RAT, and a connection to one of the listed addresses indicates that an adversary may be establishing remote control over a compromised system. SOC teams should hunt for these connections proactively in Microsoft Sentinel (formerly Azure Sentinel) and treat any hit as a priority for containment and investigation rather than as a low-confidence signal.
IOC Summary
Malware Family: NetSupportManager RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 101[.]109[.]237[.]93:7443 | botnet_cc | 2026-05-13 | 75% |
| ip:port | 95[.]85[.]246[.]53:443 | botnet_cc | 2026-05-12 | 100% |
```kusto
// Hunt for network connections to known malicious IPs (either direction)
// Source: ThreatFox - NetSupportManager RAT
// Matching on IP alone rather than ip:port is deliberate: a C2 host may answer on
// ports other than the ones first reported. The ports are still projected for triage.
let malicious_ips = dynamic(["95.85.246.53", "101.109.237.93"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, SourcePort,
    DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// The initiating process path, command line and account are projected so a hit can be
// triaged without a second query (a legitimate NetSupport install path does NOT clear it).
let malicious_ips = dynamic(["95.85.246.53", "101.109.237.93"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ActionType,
    InitiatingProcessFileName, InitiatingProcessFolderPath,
    InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector; ensure it is enabled and that firewall and proxy logs are actually being forwarded |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR (Microsoft 365 Defender) data connector; ensure it is enabled |
The exclusions below apply to process-based NetSupportManager detections, not to the IOC matches above. The listed addresses are reported C2 servers, so a connection to one of them should be investigated even when it originates from a legitimately installed NetSupport binary or from an administrator account. Malicious deployments typically run the genuine NetSupport client with an attacker-controlled configuration, so install path and privilege alone do not establish legitimacy; prefer exclusions that also pin the destination to the organisation's own NetSupport Gateway or internal address space.
Scenario: Legitimate NetSupportManager Remote Support Tool Usage
Description: IT administrators use the legitimate NetSupportManager tool for remote desktop support.
Filter/Exclusion: Exclude connections where the executable path is under C:\Program Files\NetSupport\ and the destination is the organisation's own NetSupport Gateway or another known-internal address. A parent process such as a remote-desktop session (e.g., Microsoft Remote Desktop) is not on its own evidence of legitimate use, and a match on one of the IOCs above always overrides this exclusion.
Scenario: Scheduled Maintenance Job Using NetSupportManager
Description: A scheduled task runs NetSupportManager to perform routine system checks or updates.
Filter/Exclusion: Exclude executions launched by a named, change-controlled scheduled task (e.g., NetSupportMaintenanceJob, a placeholder name) whose command line carries the documented maintenance arguments. Verify the task definition and the binary hash rather than trusting the task name alone, since an attacker can register a task with a plausible name.
Scenario: Admin Task to Remote Control a User’s Machine
Description: A system administrator uses NetSupportManager to remotely assist a user with a technical issue.
Filter/Exclusion: Exclude sessions where the initiating account is a member of a designated helpdesk group (e.g., IT_Helpdesk_Users) and the session goes to or from the helpdesk subnet or the corporate gateway. Do not exclude on domain-admin membership alone: a compromised or abused privileged account is exactly what an attacker would use, and the IOC match still applies.
Scenario: NetSupportManager Used in a Training Environment
Description: The tool is used in a training lab to simulate remote support scenarios.
Filter/Exclusion: Exclude hosts in a dedicated training VM group (e.g., Training_VM_01) or sessions run by a designated training admin (e.g., Training_Admin) when the destination is the lab's own gateway. Keep lab hosts in scope for the IOC match; an isolated lab reaching a reported C2 address is itself a finding.
Scenario: NetSupportManager Used for Inventory or Patch Management
Description: The tool is used to inventory endpoints or push patches to managed systems.
Filter/Exclusion: Exclude executions whose command line carries the documented inventory or patch arguments (the --inventory and --patch examples are placeholders; use the switches your deployment actually uses) or whose parent process is the patch-management agent (e.g., Microsoft Endpoint Manager, now Microsoft Intune), again only when the destination is not one of the listed IOCs.