The ThreatFox: PureRAT IOCs rule hunts for infrastructure linked to the PureRAT remote access trojan using indicators published on abuse.ch ThreatFox. All nine indicators carry the threat type payload_delivery, so a match means a host resolved or browsed to a PureRAT staging site; it is evidence of a delivery attempt, not by itself proof that the RAT executed, exfiltrated data or ran attacker commands. SOC teams should run these hunts in Microsoft Sentinel (formerly Azure Sentinel) and pivot from any hit to the affected host and user to confirm or rule out compromise.
IOC Summary

Malware Family: PureRAT
Total IOCs: 9
IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | dev-tokyotechie.com | payload_delivery | 2026-05-20 | 100% |
| domain | readadobe-document.click | payload_delivery | 2026-05-20 | 100% |
| domain | documents-abacus.click | payload_delivery | 2026-05-20 | 100% |
| url | hxxps://dev-tokyotechie.com/de-ch/ | payload_delivery | 2026-05-20 | 100% |
| url | hxxps://readadobe-document.click/support/ | payload_delivery | 2026-05-20 | 100% |
| url | hxxps://documents-abacus.click/up/ | payload_delivery | 2026-05-20 | 100% |
| url | hxxps://dev-tokyotechie.com/notification/ | payload_delivery | 2026-05-20 | 100% |
| url | hxxps://dev-tokyotechie.com/de/ | payload_delivery | 2026-05-20 | 100% |
| url | hxxps://dev-tokyotechie.com/ch/ | payload_delivery | 2026-05-20 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - PureRAT
// has_any does term (phrase) matching, so queries for subdomains of the
// listed domains (e.g. a host under dev-tokyotechie.com) are also returned.
let malicious_domains = dynamic(["dev-tokyotechie.com", "readadobe-document.click", "documents-abacus.click"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - PureRAT
// UrlClickEvents is populated by Defender for Office 365 Safe Links, so this
// only covers clicks on links in mail and Teams, not general web browsing.
// The IOCs are refanged here (hxxps -> https); has_any term matching means a
// plain http:// variant of the same URL would NOT match, so consider hunting
// on the domains above as well.
let malicious_urls = dynamic(["https://dev-tokyotechie.com/de-ch/", "https://readadobe-document.click/support/", "https://documents-abacus.click/up/", "https://dev-tokyotechie.com/notification/", "https://dev-tokyotechie.com/de/", "https://dev-tokyotechie.com/ch/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector is enabled and the table is receiving query logs |
| UrlClickEvents | Requires Defender for Office 365 Safe Links; ensure the Microsoft Defender XDR connector is streaming this table |
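For analysts who want to run the same hunt offline against exported logs, or to validate that the IOC list was refanged correctly before pasting it into Sentinel, the following Python reproduces the two queries above. It is an added example, not part of the ThreatFox feed or of the Sentinel rule: it refangs the defanged table values, matches DNS query names on exact domain or subdomain (so a host under dev-tokyotechie.com hits while a look-alike such as notdev-tokyotechie.com does not, which a plain substring search would get wrong), and matches URLs on host plus path prefix regardless of scheme case. The DNS and proxy log lines are constructed samples; the column layout, hostnames and user names are assumptions for illustration only.

```python
"""Offline re-implementation of the two PureRAT IOC hunts above (added example)."""
from __future__ import annotations

import csv
import io
from urllib.parse import urlsplit

# IOCs copied from the table above, still in defanged form.
IOC_TABLE = """type,value
domain,dev-tokyotechie.com
domain,readadobe-document.click
domain,documents-abacus.click
url,hxxps://dev-tokyotechie.com/de-ch/
url,hxxps://readadobe-document.click/support/
url,hxxps://documents-abacus.click/up/
url,hxxps://dev-tokyotechie.com/notification/
url,hxxps://dev-tokyotechie.com/de/
url,hxxps://dev-tokyotechie.com/ch/
"""

# Constructed sample logs (NOT real telemetry): "<timestamp> <computer> <qtype> <name>"
DNS_LOG = [
    "2026-05-20T09:58:11Z ws-017 A cdn.dev-tokyotechie.com",
    "2026-05-20T09:58:12Z ws-017 A login.microsoftonline.com",
    "2026-05-20T10:02:40Z ws-042 A notdev-tokyotechie.com",
    "2026-05-20T10:03:05Z ws-042 A documents-abacus.click",
]
# Constructed sample proxy/click log: "<timestamp> <user> <url>"
PROXY_LOG = [
    "2026-05-20T10:03:07Z alice@example.com https://documents-abacus.click/up/",
    "2026-05-20T10:04:19Z bob@example.com https://dev-tokyotechie.com/de-ch",
    "2026-05-20T10:05:00Z bob@example.com HTTPS://dev-tokyotechie.com/de/index.html",
    "2026-05-20T10:06:00Z carol@example.com https://example.com/support/",
]


def refang(ioc: str) -> str:
    """Undo common defanging so the value can be compared with live logs."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":").strip()


def load_iocs(table: str) -> tuple[set[str], set[tuple[str, str]]]:
    """Parse the IOC table into a domain set and a set of (host, path) URL IOCs."""
    domains: set[str] = set()
    urls: set[tuple[str, str]] = set()
    for row in csv.DictReader(io.StringIO(table)):
        value = refang(row["value"]).lower()
        if row["type"] == "domain":
            domains.add(value.rstrip("."))
        elif row["type"] == "url":
            parts = urlsplit(value)
            if parts.hostname:
                urls.add((parts.hostname, parts.path or "/"))
                domains.add(parts.hostname)  # a URL IOC implies its host is malicious too
    return domains, urls


def domain_matches(name: str, domains: set[str]) -> str | None:
    """Return the IOC domain hit by an exact or subdomain match, else None."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def url_matches(url: str, urls: set[tuple[str, str]]) -> str | None:
    """Return 'host/path' of the IOC whose host matches and whose path prefixes the URL."""
    parts = urlsplit(url.lower())
    host, path = parts.hostname, parts.path or "/"
    if not host:
        return None
    for ioc_host, ioc_path in urls:
        # '/de/' must match '/de' and '/de/index.html' but not '/de-ch/' or '/denied/'
        if host == ioc_host and (path == ioc_path.rstrip("/") or path.startswith(ioc_path)):
            return f"{ioc_host}{ioc_path}"
    return None


def hunt_dns(lines: list[str], domains: set[str]) -> list[dict]:
    """Equivalent of the DnsEvents query: every query name hitting an IOC domain."""
    hits = []
    for line in lines:
        ts, computer, qtype, name = line.split()
        ioc = domain_matches(name, domains)
        if ioc:
            hits.append({"time": ts, "computer": computer, "name": name, "qtype": qtype, "ioc": ioc})
    return hits


def hunt_urls(lines: list[str], urls: set[tuple[str, str]]) -> list[dict]:
    """Equivalent of the UrlClickEvents query: every clicked URL hitting a URL IOC."""
    hits = []
    for line in lines:
        ts, user, url = line.split()
        ioc = url_matches(url, urls)
        if ioc:
            hits.append({"time": ts, "user": user, "url": url, "ioc": ioc})
    return hits


if __name__ == "__main__":
    doms, url_iocs = load_iocs(IOC_TABLE)
    for hit in hunt_dns(DNS_LOG, doms) + hunt_urls(PROXY_LOG, url_iocs):
        print(hit)
```

Running the script prints two DNS hits (the cdn. subdomain and documents-abacus.click, but not the notdev- look-alike) and three URL hits, including the /de-ch click that lacks the trailing slash and the /de/index.html click under the /de/ IOC path.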
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup task using rsync may trigger the rule due to command-line arguments resembling malicious activity.
Filter/Exclusion: Check for the presence of rsync in the command line and ensure the process is initiated by a known backup service or user (e.g., backup_user).
Scenario: Admin using curl to fetch a legitimate API response
Description: An administrator may use curl to interact with a company’s internal API, which could be flagged due to the presence of suspicious URLs or command structures.
Filter/Exclusion: Filter by the source IP of the internal API server and check for known internal domains in the URL.
Scenario: System update using yum or apt with a custom repository
Description: A system update process using a custom repository may trigger the rule if the repository URL or package name matches known malicious patterns.
Filter/Exclusion: Validate the repository URL against a whitelist of approved internal or third-party repositories.
Scenario: Log analysis using grep with complex regular expressions
Description: Security analysts may use grep with complex regex patterns to search through logs, which could be mistaken for malicious command-line activity.
Filter/Exclusion: Filter by the user running the command (e.g., security_analyst) and check for the presence of log file paths in known log directories.
Scenario: Database backup using mysqldump with a remote server
Description: A database backup process using mysqldump to a remote server may trigger the rule due to the use of remote connection parameters.
Filter/Exclusion: Check for the presence of the database backup user and ensure the destination IP is a known backup server.