This detection looks for network traffic to infrastructure attributed to DCRat (DarkCrystal RAT), a commodity .NET remote access trojan. Both IOCs are tagged botnet_cc, so a match indicates a host beaconing to a command-and-control server, the stage at which the operator can already run commands, establish persistence, and stage data for exfiltration. SOC teams should hunt for this traffic in Azure Sentinel (now Microsoft Sentinel) and treat any hit as an active compromise to contain before data loss occurs.
IOC Summary
Malware Family: DCRat
Total IOCs: 2
IOC Types: ip:port (values in the table are defanged with [.]; the queries below use the refanged form)
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 94[.]26[.]90[.]55:8888 | botnet_cc | 2026-05-23 | 100% |
| ip:port | 93[.]177[.]103[.]55:9999 | botnet_cc | 2026-05-23 | 100% |
```kql
// Hunt for network connections to the known DCRat C2 IPs in CEF/Syslog data.
// Source: ThreatFox - DCRat
// Matching is on the IP alone so that traffic to other ports on the same host
// is also surfaced; the IOC ports (8888 and 9999) are shown for triage.
let malicious_ips = dynamic(["94.26.90.55", "93.177.103.55"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events; the initiating process and
// command line identify the implant on the host.
let malicious_ips = dynamic(["94.26.90.55", "93.177.103.55"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
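The two queries above both key on the refanged IP, while the feed publishes defanged ip:port pairs. The following is an added example, not code from the original page or from ThreatFox: it refangs the IOCs from the table, emits the KQL `let` binding the hunts use, and runs the same match logic over a few constructed sample events so the behaviour on an exact ip:port beacon versus a connection to an IOC host on another port is visible. The event field names (src_ip, dst_ip, dst_port, process) and the sample events are assumptions for illustration.

```python
"""Refang DCRat ip:port IOCs, render the KQL `let` binding, and apply the hunt
logic to sample events. Added example; not part of the original page."""
import ipaddress
import json
import re
from dataclasses import dataclass

# Defanged IOC values exactly as they appear in the table above.
DEFANGED_IOCS = [
    "94[.]26[.]90[.]55:8888",
    "93[.]177[.]103[.]55:9999",
]

# Common defanging forms: [.], (.), {.}
_DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


@dataclass(frozen=True)
class IpPortIoc:
    ip: str
    port: int


def refang(value: str) -> str:
    """Turn '94[.]26[.]90[.]55' back into '94.26.90.55'."""
    return _DEFANG_RE.sub(".", value)


def parse_ip_port(value: str) -> IpPortIoc:
    """Parse a (possibly defanged) IPv4 ip:port IOC, validating both halves."""
    ip_text, sep, port_text = refang(value).rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port IOC: {value!r}")
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on garbage
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {value!r}")
    return IpPortIoc(str(ip), port)


def kql_let(name: str, values) -> str:
    """Render a KQL `let` binding; json.dumps produces valid KQL string literals."""
    return f"let {name} = dynamic({json.dumps(list(values))});"


def match_events(events, iocs):
    """Apply the hunt condition to event dicts (assumed keys: src_ip, dst_ip, dst_port).

    As in the KQL above, the hit condition is the IP alone; whether the exact
    ip:port pair from the feed was seen is reported separately for triage.
    """
    ports_by_ip = {}
    for ioc in iocs:
        ports_by_ip.setdefault(ioc.ip, set()).add(ioc.port)
    hits = []
    for ev in events:
        for side in ("dst_ip", "src_ip"):
            ip = ev.get(side)
            if ip in ports_by_ip:
                exact = side == "dst_ip" and ev.get("dst_port") in ports_by_ip[ip]
                hits.append({**ev, "matched_on": side, "exact_ioc_match": exact})
                break
    return hits


# Constructed sample events (not real telemetry): one exact ip:port beacon, one
# connection to an IOC host on a different port, one benign connection to a
# documentation-range address.
SAMPLE_EVENTS = [
    {"ts": "2026-05-24T01:02:03Z", "host": "WS-0042", "src_ip": "10.1.2.3",
     "dst_ip": "94.26.90.55", "dst_port": 8888, "process": "updater.exe"},
    {"ts": "2026-05-24T01:05:00Z", "host": "WS-0042", "src_ip": "10.1.2.3",
     "dst_ip": "93.177.103.55", "dst_port": 443, "process": "updater.exe"},
    {"ts": "2026-05-24T01:06:00Z", "host": "SRV-01", "src_ip": "10.1.2.9",
     "dst_ip": "203.0.113.10", "dst_port": 443, "process": "svchost.exe"},
]

IOCS = [parse_ip_port(v) for v in DEFANGED_IOCS]


def hunt(events=SAMPLE_EVENTS, iocs=IOCS):
    """Run the hunt over the sample events; returns the matching records."""
    return match_events(events, iocs)


if __name__ == "__main__":
    print(kql_let("malicious_ips", sorted({i.ip for i in IOCS})))
    for hit in hunt():
        print(json.dumps(hit))
```

The exact_ioc_match flag is what separates a confirmed beacon to the published C2 port from a connection that merely shares the host, which matters when the IP belongs to shared hosting; both still warrant triage.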
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | CEF/Syslog firewall and proxy logs; ensure the data connector is enabled and that the hosts in scope egress through a logged device |
| DeviceNetworkEvents | Defender for Endpoint network telemetry, ingested through the Microsoft Defender XDR connector; ensure the connector is enabled and the Device* tables are flowing |
Benign activity that commonly shows up in the surrounding host and network telemetry while triaging a hit, and how to keep it out of the view:
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude events whose initiating process is a Veeam binary such as VeeamBackup.exe, or whose image path is under C:\Program Files\Veeam\Backup, when the remote endpoint is a known backup repository.
Scenario: Regular Windows Update or Group Policy refresh task
Filter/Exclusion: Exclude processes like wuauclt.exe, usoclient.exe and gpupdate.exe, and filter out traffic to Microsoft update endpoints (for example *.windowsupdate.com). Note that gupdate.exe is Google Update, not Windows Update; exclude it separately if Google software is in scope.
Scenario: PowerShell script running a legitimate administrative task, such as user account management
Filter/Exclusion: Exclude runs whose script path is a known, change-controlled administrative location, or whose parent process is an approved management tool. Do not exclude on the interpreter path C:\Windows\System32\WindowsPowerShell\v1.0\ itself: that is where powershell.exe lives, so the filter would drop every PowerShell invocation, malicious ones included.
Scenario: Log management tool like Splunk or ELK Stack performing data ingestion
Filter/Exclusion: Exclude processes related to Splunk or Elasticsearch, such as splunkd.exe or elasticsearch.exe, and filter traffic to the known log-collector IPs and ports.
Scenario: Database maintenance job using SQL Server Agent or Oracle DBMS_JOB
Filter/Exclusion: Exclude processes like sqlservr.exe or oracle.exe, and filter out database connection attempts to internal database servers.
These exclusions narrow the surrounding telemetry; they must never suppress a match on the C2 addresses themselves. A connection to 94[.]26[.]90[.]55:8888 or 93[.]177[.]103[.]55:9999 from any of the processes above is still a hit, since none of them has a legitimate reason to reach a DCRat control server. Before tuning, also confirm the IOCs are still current on ThreatFox: IP-based indicators age out as hosting is re-allocated, and a stale shared-hosting address will produce true false positives.