This detection identifies potential NetSupportManager RAT activity through known indicators of compromise (IOCs): DNS resolution of, or network connections to, the command-and-control domains and IP address listed below. NetSupport Manager is a legitimate remote administration product; when an adversary deploys its client on a victim host it gives them remote control of the machine and a channel for data exfiltration. SOC teams should run the hunts below in Microsoft Sentinel (formerly Azure Sentinel) to find this activity before significant data loss occurs.
IOC Summary
Malware Family: NetSupportManager RAT
Total IOCs: 5
IOC Types: domain, ip:port
Source: ThreatFox (indicators are shown defanged; refang them before use in queries)

| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | lambdauyamna[.]com | botnet_cc | 2026-05-20 | 100% |
| domain | mokitomaccito[.]com | botnet_cc | 2026-05-20 | 100% |
| domain | djkmgndkjfgndfg[.]com | botnet_cc | 2026-05-20 | 100% |
| ip:port | 85[.]239[.]149[.]51:443 | botnet_cc | 2026-05-20 | 75% |
| domain | lusnyak2[.]xyz | botnet_cc | 2026-05-20 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - NetSupportManager RAT
// The IOC is 85.239.149.51:443. Matching on the IP alone (rather than IP and port)
// also catches the C2 on another port; DestinationPort is kept in the output so the
// analyst can see whether the listed port was used.
let malicious_ips = dynamic(["85.239.149.51"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - NetSupportManager RAT
// InitiatingProcessFileName identifies which process opened the connection; for
// NetSupport Manager this is normally the renamed or unrenamed client executable.
let malicious_ips = dynamic(["85.239.149.51"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - NetSupportManager RAT
// has_any is case-insensitive and matches the domain's terms anywhere in the queried
// name, so subdomains of the listed domains also match. The in operator would be
// case-sensitive and would miss a mixed-case client query.
let malicious_domains = dynamic(["lambdauyamna.com", "mokitomaccito.com", "djkmgndkjfgndfg.com", "lusnyak2.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
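The queries above key on four domains and one IP:port indicator. The following script is an added example, not part of the original page or of ThreatFox: it refangs the defanged indicators from the IOC table, runs the same matching logic over constructed Sentinel-style DnsEvents and DeviceNetworkEvents records (subdomain matching for domains, port-aware matching for the ip:port indicator), skips a hypothetical allow-listed threat-intel resolver host, and emits the `let` lines used in the KQL hunts. Host names, the sample events and the allow-list are assumptions made for the example.

```python
"""Added example (not from the original page or ThreatFox): refang the IOC
table, match it against constructed Sentinel-style events, and emit KQL lets.
Every event record and host name below is constructed sample data."""
import ipaddress
from dataclasses import dataclass

# IOCs from the table above, in defanged form, with ThreatFox confidence.
IOCS = [
    ("domain", "lambdauyamna[.]com", 100),
    ("domain", "mokitomaccito[.]com", 100),
    ("domain", "djkmgndkjfgndfg[.]com", 100),
    ("ip:port", "85[.]239[.]149[.]51:443", 75),
    ("domain", "lusnyak2[.]xyz", 100),
]

# Hypothetical allow-list: hosts that legitimately resolve listed indicators
# (e.g. an internal threat-intel enrichment server). Assumption for the example.
ALLOWED_SOURCES = {"ti-resolver01"}


def refang(value: str) -> str:
    """Undo common defanging: 85[.]239[.]149[.]51 -> 85.239.149.51, hxxp -> http."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def split_ip_port(value: str):
    """Split an ip:port indicator; raises ValueError on a malformed address."""
    host, _, port = refang(value).rpartition(":")
    ipaddress.ip_address(host)
    return host, int(port)


def domain_matches(query_name: str, ioc_domain: str) -> bool:
    """Exact match or subdomain only, so notlambdauyamna.com does not match."""
    q = query_name.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


@dataclass
class Hit:
    host: str
    indicator: str
    confidence: int
    reason: str


def hunt(dns_events, net_events):
    """Return one Hit per event that touches a listed indicator."""
    hits = []
    domains = [(refang(v), c) for t, v, c in IOCS if t == "domain"]
    ip_ports = [(split_ip_port(v), c) for t, v, c in IOCS if t == "ip:port"]
    for ev in dns_events:
        if ev["Computer"] in ALLOWED_SOURCES:
            continue
        for d, conf in domains:
            if domain_matches(ev["Name"], d):
                hits.append(Hit(ev["Computer"], d, conf, "dns"))
    for ev in net_events:
        if ev["DeviceName"] in ALLOWED_SOURCES:
            continue
        for (ip, port), conf in ip_ports:
            if ev["RemoteIP"] == ip:
                # Any connection to the C2 IP is worth a look; the listed port keeps
                # the ThreatFox confidence, another port is reported at half of it.
                c = conf if ev["RemotePort"] == port else conf // 2
                hits.append(Hit(ev["DeviceName"], f"{ip}:{ev['RemotePort']}", c, "network"))
    return hits


def kql_lets() -> str:
    """Emit the `let` statements for the Sentinel hunts from the IOC table."""
    doms = ", ".join(f'"{refang(v)}"' for t, v, _ in IOCS if t == "domain")
    ips = ", ".join(f'"{split_ip_port(v)[0]}"' for t, v, _ in IOCS if t == "ip:port")
    return f"let malicious_domains = dynamic([{doms}]);\nlet malicious_ips = dynamic([{ips}]);"


# Constructed sample events shaped like DnsEvents and DeviceNetworkEvents rows.
SAMPLE_DNS = [
    {"Computer": "ws-finance-07", "Name": "cdn.lambdauyamna.com"},
    {"Computer": "ws-hr-02", "Name": "notlambdauyamna.com"},
    {"Computer": "ti-resolver01", "Name": "lusnyak2.xyz"},
]
SAMPLE_NET = [
    {"DeviceName": "ws-finance-07", "RemoteIP": "85.239.149.51", "RemotePort": 443},
    {"DeviceName": "srv-app-01", "RemoteIP": "85.239.149.51", "RemotePort": 8080},
    {"DeviceName": "ws-hr-02", "RemoteIP": "93.184.216.34", "RemotePort": 443},
]

if __name__ == "__main__":
    print(kql_lets())
    for h in hunt(SAMPLE_DNS, SAMPLE_NET):
        print(h)
```

Running the script reports the subdomain query and both connections to the C2 IP (the non-443 connection at reduced confidence), ignores the look-alike domain and the allow-listed resolver, and prints the two `let` lines ready to paste into the queries above.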
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF (Common Event Format) data connector; firewall or proxy logs must be forwarded in CEF for the IP hunt to see them |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; only devices onboarded to Defender for Endpoint report here |
| DnsEvents | Populated by the Windows DNS Events via AMA connector (or the legacy DNS Analytics connector); covers queries that reach the logged DNS servers, not queries sent directly to external resolvers |
The hunts above match only the domains and IP address in the IOC table, not file names, paths or signatures. The scenarios below describe activity that is often mistaken for a match, and how to tune without blinding the hunt.

Scenario: Legitimate Scheduled Job for System Maintenance
Description: A scheduled task runs a maintenance script whose name resembles the RAT (e.g., a script named NetSupportManager.exe in a shared folder). A file name cannot trigger the network hunts above; this only matters if the hunt is later extended with file or process indicators.
Filter/Exclusion: Do not exclude on path alone (C:\Windows\System32 or a ScheduledTasks path is writable by anyone who already holds administrative access); if a file-based hunt is added, exclude the specific task by publisher signature and hash, and leave the network indicators unfiltered.

Scenario: Admin Task for Remote Support Tool
Description: An IT administrator uses a legitimate remote support tool (e.g., NetSupport School, NetSupport Manager or TeamViewer). The RAT is the genuine NetSupport Manager client repurposed by the attacker, so the executable, its name and its vendor signature are the same in both cases; only the destination differs.
Filter/Exclusion: Do not exclude by product name or vendor signature, as that would also exclude the RAT. Allow-list the organization's own NetSupport gateway or connectivity server by exact IP and hostname instead; a connection from a licensed deployment to any ThreatFox-listed domain or IP still needs investigation.

Scenario: False Positive from Third-Party Software Update
Description: A third-party product (e.g., Kaspersky or Bitdefender) resolves or contacts a listed indicator, for example a sandbox, URL scanner or reputation service that checks the domain on the analyst's behalf. A file-name or hash collision in an update package cannot produce a match on domain and IP indicators.
Filter/Exclusion: Do not tune on digital signatures or hashes for this hunt; exclude only the specific hosts that perform such lookups (sandboxes, TI enrichment servers) by computer name or source IP, and record why each was excluded.

Scenario: Legitimate File Access by a System Service
Description: A service running as SYSTEM (e.g., Windows Update or a security agent) produces a DNS query or connection that matches an IOC, typically because the service itself performed the lookup.
Filter/Exclusion: Do not exclude activity because it runs as SYSTEM or at a high integrity level; NetSupport Manager installed as a service by the attacker runs at exactly that level, so the exclusion would hide the RAT. Identify the initiating process (InitiatingProcessFileName in DeviceNetworkEvents) and exclude a specific signed process on specific hosts.

Scenario: User-Initiated File Transfer for Backup Purposes
Description: A user copies a file (e.g., NetSupportManager.exe) from a backup drive or shared network location as part of a legitimate backup process. The copy itself generates no DNS query or outbound connection to the listed indicators, so the hunts above will not fire; if the copied client is then launched and connects to a listed domain or IP, that is not a false positive.