The ThreatFox: SectopRAT IOCs rule detects potential adversary activity associated with the SectopRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise sensitive data and network integrity.
IOC Summary
Malware Family: SectopRAT
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 193[.]233[.]198[.]61:9000 | botnet_cc | 2026-05-31 | 75% |
| ip:port | 89[.]105[.]213[.]149:9000 | botnet_cc | 2026-05-31 | 75% |
| ip:port | 2[.]26[.]75[.]140:9000 | botnet_cc | 2026-05-30 | 50% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - SectopRAT
// Note: all three IOCs are ip:port pairs on port 9000; this query matches on IP only.
// Add a DestinationPort == 9000 filter if the broader IP-only match proves too noisy.
let malicious_ips = dynamic(["193.233.198.61", "89.105.213.149", "2.26.75.140"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Same IOC list; RemotePort is projected so analysts can confirm the 9000 C2 port by eye.
let malicious_ips = dynamic(["193.233.198.61", "89.105.213.149", "2.26.75.140"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
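The hunting queries above match on IP address only. The following Python is an added example, not part of the ThreatFox rule page: it refangs the defanged `ip:port` values exactly as the IOC table lists them, validates each one, and runs them over constructed DeviceNetworkEvents-style rows, separating full ip:port hits from lower-fidelity IP-only hits. The event field names and sample rows are assumptions made for the example.

```python
import ipaddress

# Copied from the IOC table above; ThreatFox publishes addresses defanged with "[.]".
DEFANGED_IOCS = [
    "193[.]233[.]198[.]61:9000",
    "89[.]105[.]213[.]149:9000",
    "2[.]26[.]75[.]140:9000",
]

def refang(value: str) -> str:
    """Turn a defanged IOC ('1[.]2[.]3[.]4') back into a plain dotted address."""
    return value.replace("[.]", ".")

def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Parse a defanged 'ip:port' IOC, validating both halves (raises ValueError)."""
    host, _, port = refang(ioc).rpartition(":")
    ip = ipaddress.ip_address(host)      # rejects malformed or out-of-range octets
    p = int(port)
    if not 0 < p < 65536:
        raise ValueError(f"bad port in IOC: {ioc}")
    return str(ip), p

IOC_SET = {parse_ip_port(i) for i in DEFANGED_IOCS}   # (ip, port) pairs
IOC_IPS = {ip for ip, _ in IOC_SET}                   # IP-only view, as the KQL uses

def match_events(events):
    """Return (event, fidelity) pairs for events whose remote endpoint hits an IOC.

    'ip_port': address AND the listed C2 port match (high-fidelity alert).
    'ip_only': address matches on another port (what the KQL above would also return).
    """
    hits = []
    for ev in events:
        if (ev["remote_ip"], ev["remote_port"]) in IOC_SET:
            hits.append((ev, "ip_port"))
        elif ev["remote_ip"] in IOC_IPS:
            hits.append((ev, "ip_only"))
    return hits

# Constructed sample rows shaped like DeviceNetworkEvents; not real telemetry.
SAMPLE_EVENTS = [
    {"device": "ws01", "remote_ip": "193.233.198.61", "remote_port": 9000, "proc": "unknown.exe"},
    {"device": "ws02", "remote_ip": "2.26.75.140", "remote_port": 443, "proc": "chrome.exe"},
    {"device": "ws03", "remote_ip": "8.8.8.8", "remote_port": 53, "proc": "svchost.exe"},
]

if __name__ == "__main__":
    for ev, fidelity in match_events(SAMPLE_EVENTS):
        print(f"{fidelity:8} {ev['device']} -> {ev['remote_ip']}:{ev['remote_port']} ({ev['proc']})")
```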
Scenario: Legitimate scheduled job using schtasks.exe
Description: A scheduled task is configured to run a legitimate script or tool that matches the IOC pattern.
Filter/Exclusion: Check for schtasks.exe in the process name and ensure the command line includes known legitimate tools like PowerShell.exe or cmd.exe with benign arguments.
Scenario: Admin using certutil.exe to download a trusted certificate
Description: An administrator is using certutil.exe to download or install a trusted certificate from a known and secure source.
Filter/Exclusion: Filter out processes where certutil.exe is used with URLs pointing to trusted certificate authorities or internal enterprise servers.
Scenario: System update using msiexec.exe with a legitimate installer
Description: A system update or patch is being applied using msiexec.exe with a legitimate installer file.
Filter/Exclusion: Exclude processes where msiexec.exe is used with file paths pointing to known enterprise update servers or internal repositories.
Scenario: Log file parsing using findstr.exe with a legitimate script
Description: A script is using findstr.exe to parse log files for specific patterns, which may resemble malicious IOCs.
Filter/Exclusion: Filter out processes where findstr.exe is used with file paths pointing to log directories and command lines that include known log parsing scripts.
Scenario: Network monitoring tool using tcpview.exe or netstat.exe
Description: A network monitoring tool is using tcpview.exe or netstat.exe to inspect active connections, which may trigger the rule due to similar command-line patterns.
Filter/Exclusion: Exclude processes where the executable is known network monitoring tools like `tcpview.exe