The ThreatFox: RedTail IOCs rule detects potential adversary activity linked to the RedTail threat group, leveraging known indicators of compromise to identify malicious behavior in the environment. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate advanced persistent threat (APT) activity early, reducing the risk of data exfiltration and lateral movement.
IOC Summary

Malware Family: RedTail
Total IOCs: 8
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]148[.]10[.]144:21370 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 45[.]148[.]10[.]112:21370 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 45[.]148[.]10[.]208:21370 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 45[.]148[.]10[.]145:21370 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 45[.]148[.]10[.]113:21370 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 45[.]148[.]10[.]68:21370 | botnet_cc | 2026-05-17 | 100% |
| domain | proxies.internetshadow.link | botnet_cc | 2026-05-17 | 100% |
| domain | proxies.internetshadow.org | botnet_cc | 2026-05-17 | 100% |
Hunting Queries

```kql
// Hunt for network connections to known malicious IPs (firewall/proxy logs)
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["45.148.10.208", "45.148.10.145", "45.148.10.112", "45.148.10.113", "45.148.10.68", "45.148.10.144"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - RedTail
let malicious_ips = dynamic(["45.148.10.208", "45.148.10.145", "45.148.10.112", "45.148.10.113", "45.148.10.68", "45.148.10.144"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - RedTail
let malicious_domains = dynamic(["proxies.internetshadow.link", "proxies.internetshadow.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
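The table above lists the IOCs in ThreatFox's defanged form (`45[.]148[.]10[.]144:21370`), while the hunting queries need refanged, port-stripped values and the DeviceNetworkEvents query ignores the port entirely. The following Python script is an added example, not part of the original page or of ThreatFox, that refangs the table rows, renders the `dynamic([...])` list used in the queries, and then classifies constructed sample events so an analyst can tell an exact ip:port C2 match from a same-IP-different-port hit or a DNS lookup of a listed domain. The event dictionaries, their column names and the `match_events` labels are assumptions made for this example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed IOC rows copied from the table above in their defanged form.
IOC_ROWS = [
    ("ip:port", "45[.]148[.]10[.]144:21370"),
    ("ip:port", "45[.]148[.]10[.]112:21370"),
    ("ip:port", "45[.]148[.]10[.]208:21370"),
    ("ip:port", "45[.]148[.]10[.]145:21370"),
    ("ip:port", "45[.]148[.]10[.]113:21370"),
    ("ip:port", "45[.]148[.]10[.]68:21370"),
    ("domain", "proxies.internetshadow.link"),
    ("domain", "proxies.internetshadow.org"),
]


def refang(value: str) -> str:
    """Undo the usual defanging: '[.]' -> '.' and 'hxxp' -> 'http'."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(rows) -> Tuple[Set[Tuple[str, int]], Set[str], Set[str]]:
    """Return (ip:port pairs, bare IPs, lower-cased domains) from (type, defanged value) rows."""
    ip_ports: Set[Tuple[str, int]] = set()
    ips: Set[str] = set()
    domains: Set[str] = set()
    for ioc_type, raw in rows:
        value = refang(raw).strip()
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports.add((ip, int(port)))
            ips.add(ip)  # needed for queries that only expose the remote IP
        elif ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
    return ip_ports, ips, domains


def kql_dynamic(values) -> str:
    """Render a KQL dynamic([...]) literal for a 'let' statement like those above."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


# Constructed sample events, loosely modelled on DeviceNetworkEvents and DnsEvents columns.
SAMPLE_EVENTS: List[Dict] = [
    {"source": "DeviceNetworkEvents", "RemoteIP": "45.148.10.68", "RemotePort": 21370, "DeviceName": "ws01"},
    {"source": "DeviceNetworkEvents", "RemoteIP": "45.148.10.68", "RemotePort": 443, "DeviceName": "ws02"},
    {"source": "DeviceNetworkEvents", "RemoteIP": "10.0.0.5", "RemotePort": 21370, "DeviceName": "ws03"},
    {"source": "DnsEvents", "Name": "PROXIES.internetshadow.org", "Computer": "ws04"},
    {"source": "DnsEvents", "Name": "proxies.internetshadow.example", "Computer": "ws05"},
]


def match_events(events, ip_ports, ips, domains) -> List[Optional[str]]:
    """Label each event (hypothetical labels for this example):
    'ip_port'  exact C2 ip:port match (highest confidence)
    'ip_only'  listed IP on a different port (worth a look, weaker signal)
    'domain'   exact or subdomain match of a listed domain
    None       no IOC match
    """
    labels: List[Optional[str]] = []
    for ev in events:
        label = None
        if ev["source"] == "DeviceNetworkEvents":
            if (ev["RemoteIP"], ev["RemotePort"]) in ip_ports:
                label = "ip_port"
            elif ev["RemoteIP"] in ips:
                label = "ip_only"
        elif ev["source"] == "DnsEvents":
            name = ev["Name"].lower().rstrip(".")
            # Exact match or a subdomain of a listed domain; a look-alike TLD does not count.
            if name in domains or any(name.endswith("." + d) for d in domains):
                label = "domain"
        labels.append(label)
    return labels


if __name__ == "__main__":
    ip_ports, ips, domains = parse_iocs(IOC_ROWS)
    print("let malicious_ips =", kql_dynamic(ips) + ";")
    print("let malicious_domains =", kql_dynamic(domains) + ";")
    for ev, label in zip(SAMPLE_EVENTS, match_events(SAMPLE_EVENTS, ip_ports, ips, domains)):
        print(label, ev)
```

The port-aware match matters because the ThreatFox entries are ip:port indicators on 21370; a hit on one of these IPs on another port is still interesting but is not the same strength of evidence, and keeping the two apart avoids over-escalating shared-hosting addresses. The suffix check on domains catches subdomains while rejecting look-alikes that `has_any` style substring matching might accept.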
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude processes initiated by the Veeam service account or with the command line argument --backup or --schedule.

Scenario: Administrative task of updating Microsoft Endpoint Protection (EPP) definitions
Filter/Exclusion: Exclude processes with the parent process being msmpeng.exe or with the command line containing update.exe or mpengine.exe.

Scenario: Legitimate use of PowerShell for log management via LogParser
Filter/Exclusion: Exclude processes with the executable path containing LogParser.exe or with the command line including logman or eventtracing.

Scenario: Routine execution of Windows Task Scheduler jobs for system maintenance
Filter/Exclusion: Exclude processes with the parent process being schtasks.exe or with the command line containing schtasks /run or Task Scheduler in the process name.

Scenario: Use of Sysmon (System Monitor) for security monitoring
Filter/Exclusion: Exclude processes with the executable path containing sysmon64.exe or with the command line including sysmon or Sysmon in the process name.