The detection identifies potential DCRat malware activity through three associated IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: DCRat Total IOCs: 3 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 178[.]16[.]52[.]203:1889 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 154[.]18[.]238[.]18:8848 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 104[.]194[.]157[.]45:7001 | botnet_cc | 2026-05-06 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["178.16.52.203", "154.18.238.18", "104.194.157.45"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["178.16.52.203", "154.18.238.18", "104.194.157.45"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern (e.g., C:\Windows\System32\svchost.exe or similar).
Filter/Exclusion: process.parent_process == "Task Scheduler" or process.command_line contains "schtasks.exe"
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script used for system monitoring or log analysis may include commands that resemble malicious activity (e.g., Get-EventLog, Invoke-Command).
Filter/Exclusion: process.image contains "powershell.exe" and process.command_line contains "Get-EventLog" or "Invoke-Command"
Scenario: Admin Tool for Remote Management
Description: An admin tool like PsExec or WinRM is used to remotely manage servers and may trigger IOC patterns due to its command-line interface.
Filter/Exclusion: process.image contains "psexec.exe" or process.image contains "winrm.exe"
Scenario: Software Update or Patching Job
Description: A legitimate patching or update job (e.g., using Windows Update or SCCM) may execute scripts or binaries that match the IOC signature.
Filter/Exclusion: process.command_line contains "wuauclt.exe" or "ccmexec.exe"
Scenario: Log Collection and Analysis Tool
Description: A log collection tool like Splunk or ELK Stack may execute processes that match the IOC pattern during data ingestion or indexing.
Filter/Exclusion: process.image contains "splunk.exe" or "logstash.exe" and process.command_line contains "input" or "output"