The hunt hypothesis detects potential SectopRAT malware activity through identified IOCs, which are commonly used for command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: SectopRAT Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 212[.]86[.]114[.]77:9000 | botnet_cc | 2026-05-17 | 75% |
| ip:port | 45[.]76[.]86[.]194:9000 | botnet_cc | 2026-05-17 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - SectopRAT
let malicious_ips = dynamic(["45.76.86.194", "212.86.114.77"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.76.86.194", "212.86.114.77"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate software update from a known secure source.
Filter/Exclusion: Exclude PowerShell scripts that download from https://update.examplecorp.com or use the Invoke-WebRequest cmdlet with a known enterprise update URL.
Scenario: A security analyst is performing a Windows Event Log analysis using LogParser to query for suspicious activity, which includes parsing files with known IOCs.
Filter/Exclusion: Exclude processes initiated by LogParser.exe or any process with the command line containing logparser or eventlog.
Scenario: A Windows Task Scheduler job is configured to run a legitimate script that interacts with a remote server for asset inventory, which includes connecting to a known internal IP address.
Filter/Exclusion: Exclude connections to internal IPs within the corporate network range (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or processes initiated by Task Scheduler.
Scenario: A Windows Service is configured to periodically check for configuration updates from a central management server, which involves downloading files from a known internal repository.
Filter/Exclusion: Exclude processes associated with the service name (e.g., ConfigUpdateService) or connections to internal update servers (e.g., https://config.update.corp.example.com).
Scenario: A Windows Admin Center session is being used to remotely manage a server, and the session includes the use of PowerShell Remoting to execute commands, which may include IOCs from legitimate administrative tasks.
Filter/Exclusion: Exclude PowerShell remoting sessions initiated from the Windows Admin Center or processes with the `Microsoft.Power