The ThreatFox: DarkComet IOCs rule detects potential remote access and data exfiltration activities associated with the DarkComet RAT, which is commonly used by adversaries to maintain persistent access and execute arbitrary commands. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage DarkComet for long-term network compromise.
IOC Summary
Malware Family: DarkComet
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]131[.]3[.]57:1604 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 189[.]150[.]132[.]33:1604 | botnet_cc | 2026-05-22 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DarkComet
// Note: this matches on IP only; the IOC table above lists each IP with port 1604
let malicious_ips = dynamic(["45.131.3.57", "189.150.132.33"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.131.3.57", "189.150.132.33"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
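The two queries above match on IP alone, while the IOC table lists each indicator as an ip:port pair. The following query is an added example, not part of the original rule: it joins on both IP and port, runs across both tables, and summarizes per host so analysts can triage the noisiest sources first. It assumes the default Sentinel schemas for CommonSecurityLog and DeviceNetworkEvents; the 30-day lookback is an assumed value.

```kql
// Added example: match the full ip:port IOC pair across both tables
// and summarize per host for triage. Assumes default Sentinel schemas.
let darkcomet_c2 = datatable(ioc_ip:string, ioc_port:int) [
    "45.131.3.57", 1604,
    "189.150.132.33", 1604
];
let lookback = 30d;  // assumed lookback window, adjust to retention
// Firewall / proxy / IDS events arriving via CEF
let csl = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | extend ioc_ip = DestinationIP, ioc_port = toint(DestinationPort)
    | join kind=inner darkcomet_c2 on ioc_ip, ioc_port
    | project TimeGenerated,
              Host = tostring(SourceIP),
              RemoteIP = DestinationIP,
              RemotePort = toint(DestinationPort),
              Process = "",                     // no process context in CEF
              Source = "CommonSecurityLog",
              Action = DeviceAction;
// Endpoint network events from Defender for Endpoint
let mde = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | extend ioc_ip = RemoteIP, ioc_port = toint(RemotePort)
    | join kind=inner darkcomet_c2 on ioc_ip, ioc_port
    | project TimeGenerated = Timestamp,
              Host = DeviceName,
              RemoteIP,
              RemotePort = toint(RemotePort),
              Process = InitiatingProcessFileName,
              Source = "DeviceNetworkEvents",
              Action = ActionType;
// One row per host and C2 endpoint; the process set shows what initiated
// the connection when endpoint telemetry is available
union csl, mde
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Connections = count(),
            Processes = make_set(Process, 10),
            Sources = make_set(Source)
    by Host, RemoteIP, RemotePort
| order by Connections desc
```

A host that appears in both sources, or whose Processes set contains an unexpected binary, is a stronger lead than a single firewall hit.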
Scenario: System Maintenance Task Using PowerShell
Description: A system administrator uses PowerShell to perform routine maintenance, such as updating software or configuring services, which may include commands similar to those used by DarkComet.
Filter/Exclusion: `process.name != "powershell.exe" OR process.args NOT LIKE '%-Command%'`

Scenario: Scheduled Job for Log Rotation
Description: A legitimate scheduled task runs a script to rotate and archive system logs, which may involve command-line tools or scripts that resemble DarkComet behavior.
Filter/Exclusion: `process.name != "schtasks.exe" OR event_id != 100`

Scenario: Admin Using Cobalt Strike for Red Team Exercise
Description: A red team member uses Cobalt Strike to simulate a breach, which may include command and control (C2) activities that match DarkComet IOCs.
Filter/Exclusion: `process.name != "cobaltstrike.exe" OR user.name != "redteam_user"`

Scenario: Database Backup Using SQLCMD
Description: A database administrator uses SQLCMD to perform a scheduled backup, which may involve executing scripts or commands that resemble malicious activity.
Filter/Exclusion: `process.name != "sqlcmd.exe" OR event_id != 100`

Scenario: User Running a Script for Network Monitoring
Description: A network administrator runs a custom script using Python or another scripting language to monitor network traffic, which may include commands that look like DarkComet IOCs.
Filter/Exclusion: `process.name != "python.exe" OR process.args NOT LIKE '%network_monitor.py%'`