The ThreatFox: SectopRAT IOCs rule detects potential adversary activity associated with the SectopRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: SectopRAT Total IOCs: 3 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 151[.]59[.]141[.]196:8080 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 217[.]60[.]98[.]113:9000 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 146[.]103[.]115[.]182:9000 | botnet_cc | 2026-05-25 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - SectopRAT
let malicious_ips = dynamic(["146.103.115.182", "217.60.98.113", "151.59.141.196"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["146.103.115.182", "217.60.98.113", "151.59.141.196"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled task runs a PowerShell script to perform system updates or log cleanup, which may inadvertently match the SectopRAT IOC pattern.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known legitimate command line, e.g., powershell.exe -Command "Get-EventLog -LogName System".
Scenario: Admin using Process Explorer to inspect memory dumps
Description: A system administrator uses Process Explorer to analyze memory dumps for troubleshooting, which may include strings matching SectopRAT IOCs.
Filter/Exclusion: Exclude processes with procexp.exe or Process Explorer.exe as the parent process, or filter by user account (e.g., Administrators group).
Scenario: Legitimate use of Wireshark for network traffic analysis
Description: A network analyst uses Wireshark to capture and analyze network traffic, which may include payloads or strings that resemble SectopRAT IOCs.
Filter/Exclusion: Exclude processes with wireshark.exe or tshark.exe as the process name, or filter by user context (e.g., Network Analyst user).
Scenario: Automated backup script using robocopy
Description: A backup script uses robocopy to copy files to a network share, and the command line or log files may include strings that match SectopRAT IOCs.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or backup.exe, or filter by command line arguments containing robocopy or backup.
Scenario: Use of Microsoft Sysinternals tools for forensic analysis
Description: A security analyst uses tools like Process Hacker or `