The detection identifies potential DCRat malware activity through associated IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats before they cause significant damage.
IOC Summary
Malware Family: DCRat Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]215[.]85[.]121:8849 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 188[.]126[.]90[.]12:2003 | botnet_cc | 2026-06-06 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["188.126.90.12", "91.215.85.121"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["188.126.90.12", "91.215.85.121"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using crontab to run system maintenance scripts
Filter/Exclusion: Exclude processes where the command line includes /usr/sbin/cron or /etc/cron.d/ in the command line arguments.
Scenario: Admin using tcpdump to capture network traffic for analysis
Filter/Exclusion: Exclude processes where the command line includes tcpdump with -i specifying a network interface and -w writing to a file.
Scenario: System update using yum or apt that includes known malicious package names
Filter/Exclusion: Exclude processes where the command line includes yum update or apt upgrade and the package name is in a known safe package list.
Scenario: Log analysis using logrotate to manage log files
Filter/Exclusion: Exclude processes where the command line includes /usr/sbin/logrotate and the configuration file is in /etc/logrotate.d/.
Scenario: Database backup using mysqldump with a custom script
Filter/Exclusion: Exclude processes where the command line includes mysqldump and the output file is in a known backup directory like /backup/ or /var/backups/.