Threat Hunting Nighthawk RAT
IOC Nighthawk Rat
Query
let NighthawkRat = dynamic(['0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988', '9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8', '38881b87826f184cc91559555a3456ecf00128e01986a9df36a72d60fb179ccf', 'f3bba2bfd4ed48b5426e36eba3b7613973226983a784d24d7a20fcf9df0de74e', 'b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94']);
DeviceFileEvents
| where SHA256 in (NighthawkRat)
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLineAbout this query
Threat Hunting Nighthawk RAT
Query Information
Description
IOC Source: https://raw.githubusercontent.com/fboldewin/YARA-rules/master/nighthawk.yar Publish Date: 22 November 2022
Defender XDR
Sentinel
let NighthawkRat = dynamic(['0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988', '9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8', '38881b87826f184cc91559555a3456ecf00128e01986a9df36a72d60fb179ccf', 'f3bba2bfd4ed48b5426e36eba3b7613973226983a784d24d7a20fcf9df0de74e', 'b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94']);
DeviceFileEvents
| where SHA256 in (NighthawkRat)
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
Explanation
This query is designed for threat hunting, specifically targeting the Nighthawk Remote Access Trojan (RAT). It uses a list of known malicious file hashes (SHA256) associated with Nighthawk RAT to search through device file events. The query is written for two different platforms: Defender XDR and Sentinel.
Here's a simple breakdown of what the query does:
-
Define Known Threats: It starts by defining a list of SHA256 hashes that are known to be associated with the Nighthawk RAT. These hashes are unique identifiers for specific malicious files.
-
Search for Matches: The query searches through device file events to find any files that match these known malicious hashes.
-
Extract Relevant Information: For any matches found, the query extracts and displays key details such as:
- The timestamp of the event.
- The name of the device where the event occurred.
- The name of the file involved.
- The folder path where the file is located.
- The command line of the process that initiated the file event.
The main difference between the two queries is the field name for the timestamp: "Timestamp" in Defender XDR and "TimeGenerated" in Sentinel. This query helps security analysts identify and investigate potential infections by the Nighthawk RAT on their network.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators