The ThreatFox: NjRAT IOCs rule detects potential command-and-control communication associated with the NjRAT malware by matching network traffic against known ip:port indicators published on ThreatFox. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be exfiltrating data or maintaining persistence within the network.
IOC Summary
Malware Family: NjRAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]131[.]46[.]14:20167 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 103[.]78[.]0[.]204:30014 | botnet_cc | 2026-05-06 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - NjRAT
let malicious_ips = dynamic(["103.78.0.204", "45.131.46.14"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["103.78.0.204", "45.131.46.14"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
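The KQL above matches on IP alone, while the ThreatFox indicators are ip:port pairs. The following added example (not part of the original rule) parses the defanged table values and applies both an exact ip:port match and the broader IP-only match to constructed flow records that stand in for DeviceNetworkEvents rows; the record fields and sample values are assumptions, not real telemetry.

```python
import re
from typing import Dict, List, Set, Tuple

# The two defanged ip:port IOCs from the table above.
RAW_IOCS = ["45[.]131[.]46[.]14:20167", "103[.]78[.]0[.]204:30014"]

# Constructed flow records standing in for DeviceNetworkEvents rows (not real telemetry).
SAMPLE_FLOWS: List[Dict] = [
    {"ts": "2026-05-06T10:01:00Z", "device": "WS-01", "rip": "45.131.46.14", "rport": 20167, "proc": "updater.exe"},
    {"ts": "2026-05-06T10:02:00Z", "device": "WS-02", "rip": "45.131.46.14", "rport": 443, "proc": "msedge.exe"},
    {"ts": "2026-05-06T10:03:00Z", "device": "WS-03", "rip": "103.78.0.204", "rport": 30014, "proc": "svchost.exe"},
    {"ts": "2026-05-06T10:04:00Z", "device": "WS-04", "rip": "13.107.4.50", "rport": 443, "proc": "msedge.exe"},
]

# Common defanging conventions for the dot in an address.
DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")

def refang(value: str) -> str:
    """Restore a defanged address such as '45[.]131[.]46[.]14' to dotted form."""
    return DEFANG.sub(".", value)

def parse_ip_port_iocs(raw: List[str]) -> Set[Tuple[str, int]]:
    """Parse ThreatFox 'ip:port' IOC strings into (ip, port) tuples."""
    iocs = set()
    for item in raw:
        ip, sep, port = refang(item).rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"not an ip:port IOC: {item!r}")
        iocs.add((ip, int(port)))
    return iocs

def match_flows(flows: List[Dict], iocs: Set[Tuple[str, int]], require_port: bool = True) -> List[Dict]:
    """Return flows whose remote endpoint is on the IOC list.

    With require_port=True both IP and port must match (the exact C2 endpoint);
    with require_port=False any traffic to the IP is returned, which is the broader
    IP-only match the KQL performs and is useful when C2 ports rotate.
    """
    ioc_ips = {ip for ip, _ in iocs}
    hits = []
    for flow in flows:
        if require_port and (flow["rip"], flow["rport"]) in iocs:
            hits.append(flow)
        elif not require_port and flow["rip"] in ioc_ips:
            hits.append(flow)
    return hits

if __name__ == "__main__":
    iocs = parse_ip_port_iocs(RAW_IOCS)
    for hit in match_flows(SAMPLE_FLOWS, iocs):
        print(f"{hit['ts']} {hit['device']} {hit['proc']} -> {hit['rip']}:{hit['rport']}")
```

Run with require_port=False to reproduce the IP-only hunt, and compare the two result sets to see which hits the port filter removes before deciding on exclusions.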
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios
- Scenario: A system administrator is using PowerShell to run a legitimate scheduled job that downloads a file from a known internal repository (e.g., internal-repo.example.com).
  - Filter/Exclusion: Exclude traffic originating from internal IP ranges or files matching internal repository URLs.
- Scenario: A Windows Task Scheduler job is configured to execute a script that uses Certutil to download and install a trusted certificate from a company-issued CA.
  - Filter/Exclusion: Exclude processes initiated by the Task Scheduler or files signed by internal certificate authorities.
- Scenario: A Sysinternals tool like Process Explorer is being used by a security analyst to investigate a suspicious process, which may involve downloading a file from a public repository (e.g., GitHub).
  - Filter/Exclusion: Exclude processes running from the Sysinternals directory or files downloaded from known safe public sources.
- Scenario: A Windows Update or Microsoft Intune deployment is downloading a file from Microsoft’s public servers as part of a patching process.
  - Filter/Exclusion: Exclude files from Microsoft’s public IP ranges or domains like download.microsoft.com.
- Scenario: A DevOps pipeline (e.g., Jenkins, GitLab CI) is pulling code from a private Git repository, which may involve downloading artifacts or dependencies from external sources.
  - Filter/Exclusion: Exclude traffic from known DevOps tooling IPs or files matching known CI/CD artifact patterns.