The ThreatFox: SectopRAT IOCs rule detects potential adversary activity associated with the SectopRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise sensitive data and network integrity.
IOC Summary

Malware Family: SectopRAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 2[.]27[.]5[.]12:9000 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 5[.]188[.]86[.]6:9000 | botnet_cc | 2026-05-22 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - SectopRAT
// Note: the IOCs are ip:port pairs (both on port 9000); this query matches on IP
// only, so DestinationPort is projected to let the analyst confirm the port.
let malicious_ips = dynamic(["5.188.86.6", "2.27.5.12"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - SectopRAT
// Same IP-only match as above; RemotePort is projected for the port 9000 check.
let malicious_ips = dynamic(["5.188.86.6", "2.27.5.12"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
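The queries above match on IP only, while the ThreatFox entries are ip:port pairs published in defanged form. The following is an added example (not code from ThreatFox, Sentinel, or the rule page) showing how to refang the two IOCs from the table, emit the `let malicious_ips = dynamic([...])` line the hunting queries use, and match the full ip:port pair against CommonSecurityLog-style events. The events, the `hunt` and `parse_ip_port` helpers, and the `require_port` switch are all constructed for this example; it handles IPv4 only.

```python
"""Added example: refang ThreatFox ip:port IOCs, generate the KQL IP list, and
match events on both IP and port. Not part of the original rule page."""
import ipaddress
import re
from dataclasses import dataclass

# IOC values exactly as listed in the table above (defanged with [.]).
RAW_IOCS = ["2[.]27[.]5[.]12:9000", "5[.]188[.]86[.]6:9000"]


@dataclass(frozen=True)
class IpPortIoc:
    ip: str
    port: int


# Common defang spellings seen in threat-intel feeds.
_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(value: str) -> str:
    """Turn '2[.]27[.]5[.]12' back into '2.27.5.12' (also handles (.) and {.})."""
    return _DEFANG.sub(".", value)


def parse_ip_port(raw: str) -> IpPortIoc:
    """Parse one ip:port IOC, validating the address and port range (IPv4 only)."""
    ip_part, sep, port_part = refang(raw).rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port IOC: {raw!r}")
    ip = str(ipaddress.ip_address(ip_part))  # raises ValueError on garbage
    port = int(port_part)
    if not 0 < port <= 65535:
        raise ValueError(f"bad port in IOC: {raw!r}")
    return IpPortIoc(ip, port)


def kql_ip_list(iocs) -> str:
    """Render the `let malicious_ips = dynamic([...])` line used by the queries."""
    quoted = ", ".join(f'"{ip}"' for ip in sorted({i.ip for i in iocs}))
    return f"let malicious_ips = dynamic([{quoted}]);"


# Constructed sample events using CommonSecurityLog column names (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-23T08:00:01Z", "SourceIP": "10.0.0.15",
     "DestinationIP": "5.188.86.6", "DestinationPort": 9000, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-23T08:00:05Z", "SourceIP": "10.0.0.22",
     "DestinationIP": "5.188.86.6", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-23T08:01:10Z", "SourceIP": "2.27.5.12",
     "DestinationIP": "10.0.0.7", "DestinationPort": 3389, "DeviceAction": "deny"},
    {"TimeGenerated": "2026-05-23T08:02:00Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53, "DeviceAction": "allow"},
]


def hunt(events, iocs, require_port=True):
    """Return (direction, event) pairs for events touching an IOC IP.

    With require_port=True an outbound hit must also use the IOC's port (the
    stricter C2 match, equivalent to adding DestinationPort to the KQL where
    clause). Inbound traffic from an IOC IP is kept regardless of port, as the
    page's queries do, because the IOC port is the server side of the C2."""
    ports_by_ip = {}
    for ioc in iocs:
        ports_by_ip.setdefault(ioc.ip, set()).add(ioc.port)
    hits = []
    for ev in events:
        dst, src = ev["DestinationIP"], ev["SourceIP"]
        if dst in ports_by_ip and (not require_port or ev["DestinationPort"] in ports_by_ip[dst]):
            hits.append(("outbound", ev))
        elif src in ports_by_ip:
            hits.append(("inbound", ev))
    return hits


if __name__ == "__main__":
    iocs = [parse_ip_port(r) for r in RAW_IOCS]
    print(kql_ip_list(iocs))
    for direction, ev in hunt(SAMPLE_EVENTS, iocs):
        print(direction, ev["TimeGenerated"], ev["SourceIP"], "->",
              ev["DestinationIP"], ev["DestinationPort"])
```

With `require_port=True` the 443 connection to 5.188.86.6 is dropped, which is the trade-off to weigh: the IP-only query on the page catches a C2 that has moved ports, while the ip:port match produces fewer false positives on shared hosting addresses.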
- Scenario: A system administrator is using PowerShell to automate the deployment of a legitimate software update.
  Filter/Exclusion: Exclude processes where the command line includes powershell.exe and the script path contains update or patch.
- Scenario: A scheduled job runs Task Scheduler to execute a legitimate backup script that uses PsExec to run a remote command.
  Filter/Exclusion: Exclude processes initiated by schtasks.exe and where the command line includes psexec with a known backup script path.
- Scenario: A security tool like OSSEC or Tripwire performs a system integrity check and generates a false positive due to a known benign file.
  Filter/Exclusion: Exclude files with known hashes from the security tool's whitelist or files located in the system's integrity monitoring directory.
- Scenario: A developer uses Wireshark to analyze network traffic and captures a packet that matches a SectopRAT IOC due to a similar protocol signature.
  Filter/Exclusion: Exclude network flows where the source or destination IP is associated with a known internal development or monitoring tool.
- Scenario: A legitimate Windows Service (e.g., Windows Defender or Windows Update) is using a file that matches a SectopRAT IOC due to a shared library or dependency.
  Filter/Exclusion: Exclude files located in system directories like C:\Windows\System32 or signed by Microsoft or known trusted vendors.