This hunt hypothesis targets potential SectopRAT activity, where an adversary may be exfiltrating data, executing arbitrary commands, or maintaining persistent access to a compromised system. SOC teams should proactively hunt for this behavior in Azure Sentinel so that the intrusion is identified and contained before significant data loss or further system compromise occurs.
IOC Summary
Malware Family: SectopRAT
Total IOCs: 4
IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 194[.]246[.]83[.]43:9000 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 151[.]59[.]139[.]193:8080 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 193[.]143[.]1[.]186:80 | payload_delivery | 2026-05-06 | 100% |
| url | hxxps://sendmay.icu/ | payload_delivery | 2026-05-06 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - SectopRAT
let malicious_ips = dynamic(["194.246.83.43", "193.143.1.186", "151.59.139.193"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - SectopRAT
let malicious_ips = dynamic(["194.246.83.43", "193.143.1.186", "151.59.139.193"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - SectopRAT
// Match on the hostname rather than the full URL so that clicks on the same
// domain with a different scheme, path or query string are still caught
let malicious_domains = dynamic(["sendmay.icu"]);
UrlClickEvents
| where Url has_any (malicious_domains)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
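As an added example (not part of the original hunt package), the query below folds the three ip:port IOCs from the table above into a `datatable` and joins them against both DeviceNetworkEvents and CommonSecurityLog, so every hit keeps its ThreatFox threat type and records whether the destination port matched as well as the IP; an IP-only hit can be a different tenant on shared hosting, so exact ip:port matches are sorted first. Table and column names are the standard Sentinel/Defender schemas; the 30-day lookback is an assumption.

```kusto
// Added example: port-aware IOC match with ThreatFox context preserved
// IOC values are the four from the summary table; lookback is an assumption
let sectoprat_iocs = datatable(IocIp:string, IocPort:int, ThreatType:string, FirstSeen:datetime) [
    "194.246.83.43",  9000, "botnet_cc",        datetime(2026-05-06),
    "151.59.139.193", 8080, "botnet_cc",        datetime(2026-05-06),
    "193.143.1.186",  80,   "payload_delivery", datetime(2026-05-06)
];
let lookback = 30d;
// Defender for Endpoint: remote IP and port, plus the process that opened the socket
let mde_hits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | join kind=inner sectoprat_iocs on $left.RemoteIP == $right.IocIp
    | extend PortMatch = (RemotePort == IocPort)
    | project Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
              RemoteIP, RemotePort, PortMatch, ThreatType, FirstSeen,
              Process = InitiatingProcessFileName,
              CommandLine = InitiatingProcessCommandLine;
// Firewall/proxy CEF logs: destination IP and port (no process context here)
let csl_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | join kind=inner sectoprat_iocs on $left.DestinationIP == $right.IocIp
    | extend PortMatch = (DestinationPort == IocPort)
    | project Timestamp = TimeGenerated, Source = "CommonSecurityLog", Host = Computer,
              RemoteIP = DestinationIP, RemotePort = DestinationPort, PortMatch,
              ThreatType, FirstSeen, Process = "", CommandLine = "";
union mde_hits, csl_hits
// Exact ip:port hits first; an IP-only hit needs more triage before escalation
| order by PortMatch desc, Timestamp desc
```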
Scenario: Legitimate scheduled job using schtasks.exe
Description: A system administrator uses schtasks.exe to schedule a legitimate maintenance task, such as a database backup or log cleanup.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known legitimate command-line arguments or associated with trusted user accounts (e.g., SYSTEM, Administrator).

Scenario: PowerShell script for system monitoring
Description: A security analyst runs a PowerShell script using powershell.exe to monitor system performance or collect logs, which may include commands similar to those used by SectopRAT.
Filter/Exclusion: Exclude processes where the command line includes -Command or -File with paths pointing to known internal scripts or tools (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).

Scenario: Admin task using taskmgr.exe
Description: An administrator uses Task Manager (taskmgr.exe) to manually terminate or configure processes, which may involve command-line interactions similar to those of SectopRAT.
Filter/Exclusion: Exclude processes initiated by taskmgr.exe, or executed under a user account with administrative privileges and a known legitimate activity pattern.

Scenario: Legitimate remote management tool (e.g., Microsoft Remote Desktop, TeamViewer)
Description: A remote administrator uses a legitimate remote access tool to manage a server, which may involve network activity or process execution similar to that of SectopRAT.
Filter/Exclusion: Exclude connections or processes associated with known remote access tools (e.g., mstsc.exe, teamviewer.exe) or IP addresses from trusted internal networks.

Scenario: Software update or patching process
Description: A patching tool or update manager (e.g., Windows Update,