The hunt hypothesis detects potential SectopRAT malware activity through associated IOCs, indicating possible remote access and data exfiltration by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: SectopRAT Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 89[.]124[.]108[.]104:9000 | botnet_cc | 2026-06-01 | 75% |
| ip:port | 151[.]59[.]83[.]132:8080 | botnet_cc | 2026-06-01 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - SectopRAT
let malicious_ips = dynamic(["151.59.83.132", "89.124.108.104"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["151.59.83.132", "89.124.108.104"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Software Update via Chocolatey
Description: A system administrator uses Chocolatey to install a legitimate software package that coincidentally matches the hash or domain of a SectopRAT IOC.
Filter/Exclusion: Exclude processes initiated by choco or packages signed by known trusted Chocolatey packages (e.g., chocolatey or chocolatey-core).
Scenario: Scheduled Job for Log Collection
Description: A scheduled task runs a script that connects to a remote server to collect logs, which may use a domain or IP that matches a SectopRAT IOC.
Filter/Exclusion: Exclude connections to known log aggregation tools (e.g., Splunk, ELK Stack, or Graylog) or IP ranges associated with internal monitoring systems.
Scenario: Admin Task Using PowerShell for System Maintenance
Description: An admin uses PowerShell to perform routine system maintenance, which may involve downloading or executing a script that matches a SectopRAT IOC.
Filter/Exclusion: Exclude PowerShell scripts executed by users with administrative privileges or scripts that match known administrative tools (e.g., PowerShell, WMIC, or Task Scheduler jobs).
Scenario: Internal Monitoring Tool Using External API
Description: A monitoring tool like Datadog or New Relic connects to an external API endpoint that coincidentally matches a SectopRAT IOC.
Filter/Exclusion: Exclude traffic from known monitoring services (e.g., datadoghq.com, newrelic.com, or grafana.com) or endpoints associated with internal observability tools.
Scenario: Legitimate File Download from Trusted Repository
Description: A user downloads a file from a trusted repository (e.g., GitHub, GitLab, or Bitbucket) that has a hash