The ThreatFox: DCRat IOCs rule detects potential adversary activity associated with the DCRat malware by matching known indicators of compromise against network traffic or file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may use DCRat for command and control or data exfiltration.
IOC Summary
Malware Family: DCRat
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 23[.]249[.]29[.]138:8848 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 209[.]99[.]190[.]172:8848 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 209[.]99[.]190[.]53:666 | botnet_cc | 2026-05-08 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
// Note: the IOC table lists ip:port pairs; this query matches on IP only,
// so check DestinationPort against the listed ports (8848, 666) when triaging hits
let malicious_ips = dynamic(["23.249.29.138", "209.99.190.172", "209.99.190.53"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Note: matches on RemoteIP only; compare RemotePort with the IOC table when triaging
let malicious_ips = dynamic(["23.249.29.138", "209.99.190.172", "209.99.190.53"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
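The two queries above match on IP address only, while the IOC table lists ip:port pairs. The following Python script is an added example (not part of the original page, ThreatFox, or Microsoft Sentinel) showing how to refang the defanged values from the table, validate them, and match both IP and port against network records so that an exact C2 socket hit is triaged ahead of a bare IP match. The log records are constructed sample data shaped like DeviceNetworkEvents rows; the record field names and the `hunt` helper are assumptions of this example.

```python
"""
Match ThreatFox-style ip:port IOCs against network log records.

Added example, not code from the original page, ThreatFox or Sentinel.
It refangs the defanged IOC values from the table above and matches on
destination port as well as IP, so an exact C2 socket match can be
triaged ahead of an IP-only match. Log records are constructed samples.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# IOC values exactly as listed in the table above (defanged with [.])
DCRAT_IOCS = [
    "23[.]249[.]29[.]138:8848",
    "209[.]99[.]190[.]172:8848",
    "209[.]99[.]190[.]53:666",
]


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int


def refang(value: str) -> str:
    """Turn a defanged value ('23[.]249[.]29[.]138') back into a literal IP."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_ioc(value: str) -> Ioc:
    """Parse an 'ip:port' IOC, validating both halves."""
    ip, _, port = refang(value).rpartition(":")
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {value}")
    return Ioc(ip, port_num)


def classify(records: list[dict], iocs: list[Ioc]) -> dict[str, list[dict]]:
    """
    Split records into:
      exact   - RemoteIP:RemotePort matches an IOC (treat as a C2 hit)
      ip_only - RemoteIP matches but the port differs (lower confidence)
    Records use DeviceNetworkEvents-style keys (assumed field names).
    """
    by_ip: dict[str, set[int]] = {}
    for ioc in iocs:
        by_ip.setdefault(ioc.ip, set()).add(ioc.port)
    result: dict[str, list[dict]] = {"exact": [], "ip_only": []}
    for rec in records:
        ports = by_ip.get(rec["RemoteIP"])
        if ports is None:
            continue
        bucket = "exact" if rec["RemotePort"] in ports else "ip_only"
        result[bucket].append(rec)
    return result


# Constructed sample records (not real telemetry)
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-08T10:01:00Z", "DeviceName": "ws-01",
     "RemoteIP": "23.249.29.138", "RemotePort": 8848,
     "InitiatingProcessFileName": "sample-a.exe"},
    {"Timestamp": "2026-05-08T10:02:00Z", "DeviceName": "ws-02",
     "RemoteIP": "209.99.190.53", "RemotePort": 443,
     "InitiatingProcessFileName": "sample-b.exe"},
    {"Timestamp": "2026-05-08T10:03:00Z", "DeviceName": "ws-03",
     "RemoteIP": "192.0.2.10", "RemotePort": 53,
     "InitiatingProcessFileName": "sample-c.exe"},
]


def hunt(events: list[dict] = SAMPLE_EVENTS) -> dict[str, list[dict]]:
    """Run the ip:port match over a list of records (hypothetical helper)."""
    return classify(events, [parse_ioc(v) for v in DCRAT_IOCS])


if __name__ == "__main__":
    for label, recs in hunt().items():
        for r in recs:
            print(f"{label:8} {r['Timestamp']} {r['DeviceName']} "
                  f"{r['RemoteIP']}:{r['RemotePort']} {r['InitiatingProcessFileName']}")
```

Running the script on the sample data reports one `exact` hit (ws-01 reaching 23.249.29.138:8848) and one `ip_only` hit (ws-02 reaching 209.99.190.53 on 443 rather than the listed port 666); the third record matches nothing. The same IP-plus-port split can be reproduced in KQL by joining on both `RemoteIP` and `RemotePort`.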
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from Microsoft Update. | Exclude PowerShell scripts that reference known Microsoft update URLs or use the Get-WindowsUpdate cmdlet. |
| A Windows Task Scheduler job is configured to run a PowerShell script that performs routine system diagnostics, which includes querying WMI (Windows Management Instrumentation). | Exclude tasks that are scheduled under the Task Scheduler and use WMI queries or PowerShell scripts with known diagnostic tools. |
| A SIEM log collection agent is configured to send logs to a central server using Syslog over TCP/UDP 514, which is a common enterprise logging protocol. | Exclude traffic on TCP/UDP 514 that originates from known SIEM agents or log collection tools like Splunk Universal Forwarder or Graylog. |
| A Windows Event Log is being forwarded to a central logging server using EventLog forwarding, which includes Event ID 41 (Security Event Log). | Exclude events related to Event ID 41 or any event IDs associated with Windows Security Logs that are known to be part of standard logging operations. |
| A Docker container is running a legitimate application that uses systemd for service management, which may include init scripts or systemctl commands. | Exclude processes running in Docker containers or those that use systemd commands associated with known containerized applications. |