Unusual outbound IP:port connections from internal hosts may indicate the presence of DCRat, a remote access Trojan used for data exfiltration and command execution. Proactively hunting for this behavior in Azure Sentinel helps SOC teams identify and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: DCRat Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 82[.]23[.]246[.]160:12159 | botnet_cc | 2026-06-03 | 75% |
| ip:port | 156[.]247[.]40[.]190:12159 | botnet_cc | 2026-06-03 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["156.247.40.190", "82.23.246.160"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["156.247.40.190", "82.23.246.160"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled system backup using a known IP
Description: A backup tool (e.g., Veeam, Acronis) connects to a known IP address as part of a scheduled backup job.
Filter/Exclusion: process.name IN ("veeam.exe", "acronis.exe") OR destination.ip IN ("192.168.1.100")
Scenario: Admin using PowerShell for remote management
Description: An administrator uses PowerShell (e.g., Invoke-Command) to manage remote servers, which may trigger outbound connections.
Filter/Exclusion: process.name == "powershell.exe" AND user.name IN ("admin", "domainadmin")
Scenario: Software update via a known IP
Description: A legitimate software update (e.g., Microsoft Update, Adobe AIR) connects to a known IP for patch distribution.
Filter/Exclusion: destination.ip IN ("13.107.21.100", "203.0.113.45") OR process.name IN ("wuauclt.exe", "AdobeUpdater.exe")
Scenario: Database replication over a secure port
Description: A database (e.g., MySQL, PostgreSQL) replicates data to a secondary server using a secure port (e.g., 3306, 5432).
Filter/Exclusion: process.name IN ("mysqld.exe", "postgres.exe") AND destination.port IN (3306, 5432)
Scenario: Cloud sync tool syncing with a corporate endpoint
Description: A cloud sync tool (e.g., Dropbox, OneDrive) connects to a corporate endpoint for file synchronization.
Filter/Exclusion: `process.name