The ThreatFox: SectopRAT IOCs rule detects potential SectopRAT malware activity by identifying known malicious indicators associated with this advanced persistent threat. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary

Malware Family: SectopRAT
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 87[.]251[.]85[.]247:9000 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 188[.]137[.]178[.]24:9000 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 2[.]26[.]75[.]142:9000 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 5[.]181[.]2[.]113:9000 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 89[.]124[.]111[.]28:9000 | botnet_cc | 2026-05-21 | 75% |
Hunting Queries

```kusto
// Hunt for network connections to known malicious IPs (firewall / proxy logs via CommonSecurityLog)
// Source: ThreatFox - SectopRAT; all five indicators are ip:port pairs on port 9000
let malicious_ips = dynamic(["2.26.75.142", "188.137.178.24", "5.181.2.113", "89.124.111.28", "87.251.85.247"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events (keeps the initiating process for triage)
// Source: ThreatFox - SectopRAT
let malicious_ips = dynamic(["2.26.75.142", "188.137.178.24", "5.181.2.113", "89.124.111.28", "87.251.85.247"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
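The KQL above keys on the address alone, while every indicator in the table is an ip:port pair on port 9000. The following port-aware matcher is an added example (not part of the ThreatFox data or this rule): it refangs the listed indicators and grades constructed sample records, named with CommonSecurityLog columns, so a confirmed address-and-port hit is triaged separately from traffic to the same address on another port.

```python
# The five ip:port indicators from the table above, still defanged with "[.]"
RAW_IOCS = [
    "87[.]251[.]85[.]247:9000",
    "188[.]137[.]178[.]24:9000",
    "2[.]26[.]75[.]142:9000",
    "5[.]181[.]2[.]113:9000",
    "89[.]124[.]111[.]28:9000",
]

def refang(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into an (ip, port) pair."""
    ip, _, port = ioc.replace("[.]", ".").rpartition(":")
    return ip, int(port)

IOC_PAIRS = {refang(i) for i in RAW_IOCS}  # full ip:port indicators
IOC_IPS = {ip for ip, _ in IOC_PAIRS}      # address-only set, as the KQL keys on

def classify(record: dict) -> str:
    """Grade one CommonSecurityLog-shaped record against the indicator list.

    c2_match: destination ip AND port match an indicator (high confidence)
    ip_only:  destination ip is listed but on another port (review manually)
    clean:    no overlap with the indicator list
    """
    dst = (record["DestinationIP"], int(record["DestinationPort"]))
    if dst in IOC_PAIRS:
        return "c2_match"
    if dst[0] in IOC_IPS:
        return "ip_only"
    return "clean"

def hunt(records: list[dict]) -> dict[str, list[dict]]:
    """Bucket records by classification, newest first, for triage."""
    buckets: dict[str, list[dict]] = {"c2_match": [], "ip_only": [], "clean": []}
    for rec in sorted(records, key=lambda r: r["TimeGenerated"], reverse=True):
        buckets[classify(rec)].append(rec)
    return buckets

# Constructed sample records (not real telemetry) using CommonSecurityLog column names
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-05-22T08:01:00Z", "SourceIP": "10.0.0.15",
     "DestinationIP": "87.251.85.247", "DestinationPort": 9000, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-22T08:02:00Z", "SourceIP": "10.0.0.15",
     "DestinationIP": "5.181.2.113", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-22T08:03:00Z", "SourceIP": "10.0.0.22",
     "DestinationIP": "203.0.113.9", "DestinationPort": 443, "DeviceAction": "allow"},
]
```

Running hunt(SAMPLE_RECORDS) puts the first record under c2_match, the second under ip_only (listed address, wrong port) and the third under clean.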
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Legitimate Software Update via Chocolatey
Description: A system administrator uses Chocolatey to install a legitimate software package that happens to have a filename matching a SectopRAT IOC.
Filter/Exclusion: process.name != "choco.exe" or process.parent.name != "choco.exe"

Scenario: Scheduled Job for Log File Rotation
Description: A scheduled task runs a script that moves or rotates log files, and the script's IOCs (e.g., file names or paths) match those of SectopRAT.
Filter/Exclusion: process.name != "schtasks.exe" or process.command_line contains "logrotate"

Scenario: Admin Task for Database Backup
Description: A database backup script executed by an admin account uses a temporary file or directory that matches a SectopRAT IOC.
Filter/Exclusion: process.name != "sqlbackup.exe" or process.user contains "admin"

Scenario: Legitimate File Access by Security Tools
Description: A security tool (e.g., CrowdStrike Falcon) accesses a file that is falsely flagged as a SectopRAT IOC due to a hash collision or false positive.
Filter/Exclusion: process.name contains "crowdstrike" or process.name contains "falcon"

Scenario: User-Initiated File Download for Research
Description: A user downloads a file (e.g., a malware sample or research artifact) that matches a SectopRAT IOC, but it is not malicious.
Filter/Exclusion: process.user contains "research" or (process.command_line contains "download" and process.user != "admin")