The ThreatFox: NjRAT IOCs rule detects potential adversary activity associated with the NjRAT malware, which is known for its persistence, remote command execution, and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
**IOC Summary**

- Malware Family: NjRAT
- Total IOCs: 7
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 200[.]25[.]78[.]73:1177 | botnet_cc | 2026-05-13 | 100% |
| ip:port | 52[.]28[.]112[.]211:18928 | botnet_cc | 2026-05-13 | 100% |
| ip:port | 35[.]158[.]159[.]254:18928 | botnet_cc | 2026-05-13 | 100% |
| ip:port | 3[.]127[.]59[.]75:18928 | botnet_cc | 2026-05-13 | 100% |
| ip:port | 3[.]127[.]253[.]86:18928 | botnet_cc | 2026-05-13 | 100% |
| ip:port | 18[.]198[.]77[.]177:18928 | botnet_cc | 2026-05-13 | 100% |
| ip:port | 3[.]121[.]139[.]82:18928 | botnet_cc | 2026-05-13 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - NjRAT
let malicious_ips = dynamic(["3.121.139.82", "3.127.253.86", "18.198.77.177", "52.28.112.211", "35.158.159.254", "3.127.59.75", "200.25.78.73"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["3.121.139.82", "3.127.253.86", "18.198.77.177", "52.28.112.211", "35.158.159.254", "3.127.59.75", "200.25.78.73"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
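The two queries above match on the IP address alone and ignore the port that ThreatFox reports with each indicator. As an added example (not part of the original rule), the following query joins both tables against the full ip:port pairs from the IOC table, so a bare address match does not fire on its own, and summarises hits per host. Column names follow the standard Sentinel schemas of the two tables; the `njrat_c2` name is an assumption.

```kql
// Added example, not part of the original rule: hunt on the full ip:port pair
// from the IOC table, across both Sentinel tables, and summarise per host.
let njrat_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "200.25.78.73", 1177,
    "52.28.112.211", 18928,
    "35.158.159.254", 18928,
    "3.127.59.75", 18928,
    "3.127.253.86", 18928,
    "18.198.77.177", 18928,
    "3.121.139.82", 18928
];
union
    (CommonSecurityLog
     | project Time = TimeGenerated, Host = DeviceName, RemoteIP = DestinationIP,
               RemotePort = DestinationPort, Process = "", Source = "CommonSecurityLog"),
    (DeviceNetworkEvents
     | project Time = Timestamp, Host = DeviceName, RemoteIP,
               RemotePort, Process = InitiatingProcessFileName, Source = "DeviceNetworkEvents")
// Inner join keeps only events whose address AND port both appear in the IOC list
| join kind=inner njrat_c2 on RemoteIP, RemotePort
| summarize FirstSeen = min(Time), LastSeen = max(Time), Connections = count(),
            Processes = make_set(Process), Sources = make_set(Source)
    by Host, RemoteIP, RemotePort
| order by LastSeen desc
```

Only the destination side of CommonSecurityLog is checked here, since the indicators are C2 listeners; add SourceIP/SourcePort to the first projection if inbound traffic from these addresses also matters in your environment.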
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
**Scenario:** Legitimate scheduled job using njRAT-like command-line arguments
**Description:** A system administrator schedules a job using a tool like PowerShell or Task Scheduler with arguments resembling those of NjRAT (e.g., --config, --output).
**Filter/Exclusion:** Check for the presence of PowerShell.exe or Task Scheduler in the process tree, or filter by command-line arguments containing known legitimate flags.

**Scenario:** Admin using NinjaOne or NinjaRAT for legitimate remote management
**Description:** An IT admin uses a legitimate remote management tool named NinjaOne or NinjaRAT that shares similar IOCs with the malicious NjRAT.
**Filter/Exclusion:** Include a check for the presence of the tool's legitimate binaries, or verify that the process is associated with a known admin account.

**Scenario:** Legitimate software update using njRAT-like filenames
**Description:** A software update process (e.g., Windows Update, Chocolatey, or Scoop) downloads a file with a name similar to NjRAT (e.g., njrat.exe, njrat_config.json).
**Filter/Exclusion:** Filter by file hashes, or verify that the file is part of a known update mechanism or package manager.

**Scenario:** False positive from NjRAT-like strings in log files
**Description:** A legitimate application (e.g., NinjaOne, NinjaRAT, or Ninja tools) logs strings that match the IOC patterns used in the detection rule.
**Filter/Exclusion:** Filter by log source, or check for the presence of known legitimate application names in the process or file context.
**Scenario: Legitimate use of `NjRAT