The DarkComet IOCs detected indicate potential command and control communication by an adversary leveraging compromised endpoints to exfiltrate data and maintain persistent access. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage DarkComet infections before significant data loss or network compromise occurs.
IOC Summary
Malware Family: DarkComet
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]131[.]3[.]57:1604 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 189[.]150[.]132[.]33:1604 | botnet_cc | 2026-05-22 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DarkComet
// Note: this query matches on IP only; the IOC port (1604) is not checked.
let malicious_ips = dynamic(["189.150.132.33", "45.131.3.57"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Note: as above, the IOC port (1604) is not checked; RemotePort is projected for triage.
let malicious_ips = dynamic(["189.150.132.33", "45.131.3.57"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
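The two queries above match on IP alone, while the IOCs are ip:port pairs. The following query is an added example, not part of the original report or the ThreatFox feed: it keeps IP and port together in a `datatable` so a hit requires both, normalises `CommonSecurityLog` and `DeviceNetworkEvents` into one shape, and summarises per host with first/last seen, hit count and the initiating processes, which is the view an analyst needs to triage a hunt result. The `darkcomet_c2` table name, the column aliases and the `ActionType` filter are this example's own choices; the IP and port values are the two IOCs from the summary table.

```kql
// Added example: hunt for the ip:port pairs from the IOC table across
// both Sentinel tables and summarise per host for triage.
let darkcomet_c2 = datatable(C2Ip:string, C2Port:int) [
    "45.131.3.57",    1604,
    "189.150.132.33", 1604
];
// Defender for Endpoint network events, normalised to a common shape.
let mde_hits = DeviceNetworkEvents
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
    | project TimeGenerated = Timestamp,
              Host = DeviceName,
              C2Ip = RemoteIP,
              C2Port = RemotePort,
              Process = InitiatingProcessFileName,
              Source = "DeviceNetworkEvents";
// Firewall / proxy CEF events; no process context is available here.
let csl_hits = CommonSecurityLog
    | project TimeGenerated,
              Host = DeviceName,
              C2Ip = DestinationIP,
              C2Port = DestinationPort,
              Process = "",
              Source = "CommonSecurityLog";
union mde_hits, csl_hits
// Inner join on both columns: an IP on a different port does not match.
| join kind=inner darkcomet_c2 on C2Ip, C2Port
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Hits      = count(),
            Processes = make_set(Process, 10),
            Sources   = make_set(Source)
    by Host, C2Ip, C2Port
| order by Hits desc
```

A host that appears with `Hits` spread across both sources and a non-system `Processes` entry is the strongest lead; a single `ConnectionFailed` from a security tool is usually a scanner or sandbox and can be checked against the false-positive scenarios that follow.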
Scenario: Legitimate Scheduled Job Using DarkComet-Related Tools
Description: A system administrator schedules a job using a tool like schtasks.exe to run a legitimate script or maintenance task that happens to use a filename or registry key matching DarkComet IOCs.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or check for the presence of a known legitimate script path in the command line.
Scenario: Admin Task Involving File Integrity Monitoring (FIM) Tools
Description: A security admin uses a tool like Tripwire or Microsoft Advanced Threat Protection (ATP) to scan for changes in files, which may include files with names similar to those associated with DarkComet.
Filter/Exclusion: Exclude processes originating from known FIM tools or check for the presence of a FIM tool’s executable in the process tree.
Scenario: Legitimate Log Analysis Using PowerShell Scripts
Description: A security analyst runs a PowerShell script using powershell.exe to analyze logs, which may include commands or file paths that match DarkComet IOCs.
Filter/Exclusion: Exclude processes where the command line includes known log analysis scripts or check for the presence of a security analyst’s user account in the process owner.
Scenario: System Update or Patching Using Windows Update
Description: A system update process, initiated by wuauclt.exe, may temporarily create files or registry entries that match DarkComet IOCs due to shared naming conventions.
Filter/Exclusion: Exclude processes initiated by wuauclt.exe or check for the presence of a Windows update-related path in the command line.
Scenario: Legitimate File Transfer Using Robocopy or PsExec
Description: An admin uses robocopy.exe or `psex