The ThreatFox: SectopRAT IOCs rule detects potential adversary activity associated with the SectopRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: SectopRAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 89[.]124[.]108[.]104:9000 | botnet_cc | 2026-06-01 | 75% |
| ip:port | 151[.]59[.]83[.]132:8080 | botnet_cc | 2026-06-01 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - SectopRAT
// Note: this matches on IP only; the IOC ports (9000, 8080) are not enforced,
// so review DestinationPort in the results when triaging hits
let malicious_ips = dynamic(["89.124.108.104", "151.59.83.132"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Note: as above, RemoteIP alone is matched; RemotePort is projected for triage
let malicious_ips = dynamic(["89.124.108.104", "151.59.83.132"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
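The two hunts above match on IP alone and drop the port half of each ip:port IOC. The following added example (not part of the ThreatFox feed or the original rule) refangs the page's defanged IOC values, matches them against constructed DeviceNetworkEvents-style records, and flags whether the IOC port also matched, so IP-only hits can be triaged as lower confidence. The event records and process names are constructed sample data.

```python
import ipaddress

# ThreatFox ip:port IOCs exactly as listed on this page (defanged form).
SECTOPRAT_IOCS = [
    "89[.]124[.]108[.]104:9000",
    "151[.]59[.]83[.]132:8080",
]


def refang(value: str) -> str:
    """Turn a defanged indicator such as 89[.]124[.]108[.]104 back into a literal."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_ip_port_iocs(iocs):
    """Return {ip: set(ports)} from ThreatFox 'ip:port' values, validating each IP."""
    table = {}
    for raw in iocs:
        ip, _, port = refang(raw).rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
        table.setdefault(ip, set()).add(int(port))
    return table


# Constructed DeviceNetworkEvents-style records for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-01T10:01:00Z", "DeviceName": "ws01",
     "RemoteIP": "89.124.108.104", "RemotePort": 9000, "InitiatingProcessFileName": "updater.exe"},
    {"Timestamp": "2026-06-01T10:02:00Z", "DeviceName": "ws02",
     "RemoteIP": "151.59.83.132", "RemotePort": 443, "InitiatingProcessFileName": "browser.exe"},
    {"Timestamp": "2026-06-01T10:03:00Z", "DeviceName": "ws03",
     "RemoteIP": "10.0.0.5", "RemotePort": 8080, "InitiatingProcessFileName": "svchost.exe"},
]


def hunt(events, iocs=SECTOPRAT_IOCS):
    """Mirror the KQL 'RemoteIP in (malicious_ips)' hunt, but also record whether the
    IOC port matched so analysts can separate full ip:port hits from IP-only hits."""
    table = parse_ip_port_iocs(iocs)
    hits = []
    for ev in events:
        ports = table.get(ev["RemoteIP"])
        if ports is None:
            continue  # RemoteIP not in the IOC set
        hits.append({**ev, "PortMatch": ev["RemotePort"] in ports})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"], "port match:", hit["PortMatch"])
```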
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using schtasks.exe
Description: A legitimate scheduled task is created using schtasks.exe to run a maintenance script.
Filter/Exclusion: Check for ProcessName containing schtasks.exe and CommandLine containing /create with a known benign script path.
Scenario: System update using msiexec.exe
Description: A system update is being installed via an MSI package using msiexec.exe, which may trigger the rule due to similar command-line arguments.
Filter/Exclusion: Filter by ProcessName containing msiexec.exe and CommandLine containing /i with a known update package path.
Scenario: Admin task using taskmgr.exe
Description: An administrator is using Task Manager (taskmgr.exe) to manage running processes, which may be flagged due to process creation.
Filter/Exclusion: Filter by ProcessName containing taskmgr.exe and check for user context (e.g., User field is Administrator or Domain Admin).
Scenario: Log file parsing using logparser.exe
Description: A log analysis tool like logparser.exe is being used to parse IIS or Windows event logs, which may have similar command-line structures.
Filter/Exclusion: Filter by ProcessName containing logparser.exe and check for known log parsing command-line arguments.
Scenario: Antivirus scan using msseces.exe
Description: Microsoft Security Essentials (msseces.exe) is performing a scheduled scan, which may trigger the rule due to process creation.
Filter/Exclusion: Filter by ProcessName containing msseces.exe and check for the presence of `Microsoft Security