This detection flags potential DCRat activity through network IOCs (command-and-control ip:port pairs sourced from ThreatFox). A match means a host may be communicating with a DCRat C2 server. SOC teams should hunt for these connections in Microsoft Sentinel and triage any hit before the operator can stage data exfiltration or move further into the environment.
IOC Summary

Malware Family: DCRat
Source: ThreatFox
Total IOCs: 2
IOC Types: ip:port (values below are defanged; refang before use in queries)
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 82[.]47[.]101[.]191:8848 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 46[.]246[.]82[.]18:8848 | botnet_cc | 2026-06-14 | 75% |
```kql
// Hunt for firewall/proxy connections to the known DCRat C2 addresses
// Source: ThreatFox - DCRat
// The IOCs are ip:port pairs; PortMatch marks hits on the published C2 port (8848)
let malicious_ips = dynamic(["82.47.101.191", "46.246.82.18"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend PortMatch = DestinationPort == 8848
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events for the same IOCs
// InitiatingProcess* columns identify the process that opened the connection,
// which is the starting point for triage and for any scoped exclusion
let malicious_ips = dynamic(["82.47.101.191", "46.246.82.18"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend PortMatch = RemotePort == 8848
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector (firewall, proxy); ensure it is enabled |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; ensure it is enabled |
False Positive Scenarios

The IOCs on this page are network indicators, so the process-based exclusions below apply only to the initiating process of a DeviceNetworkEvents hit (the generic process.* fields map to InitiatingProcessFileName, InitiatingProcessFolderPath and InitiatingProcessParentFileName). An exclusion keyed on a common binary name alone (svchost.exe, powershell.exe, python.exe) is too broad: malware routinely runs under, or injects into, exactly these processes, and such a filter would suppress the true positive. Scope every exclusion to a verified combination of device, process and remote ip:port, and do not exclude on process name while the destination is still a listed IOC.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern (e.g., C:\Windows\System32\svchost.exe or a known benign file path).
Filter/Exclusion: process.parent_process_name == "schtasks.exe" and process.file_path contains "System32" (both conditions must hold; the original "!= ... or ..." form would have excluded nearly every event)

Scenario: Windows Update or Patching Job
Description: A Windows Update or patching job triggers a process that matches the IOC (e.g., C:\Windows\Temp\update.exe or similar).
Filter/Exclusion: process.file_path contains "WindowsUpdate" or process.parent_process_name contains "wuauclt.exe"

Scenario: Administrative Tool Execution
Description: An admin runs a legitimate tool like PowerShell.exe or taskkill.exe whose file path or command line matches the IOC.
Filter/Exclusion: process.file_name contains "PowerShell.exe" or process.file_name contains "taskkill.exe", restricted to the specific device and remote ip:port that was verified as benign

Scenario: Log Management or SIEM Tool
Description: A log management tool like Splunk or ELK runs a process whose file path or command line matches the IOC.
Filter/Exclusion: process.file_name contains "splunk.exe" or process.file_name contains "logstash.exe", restricted to the known collector hosts

Scenario: Scripting or Automation Job
Description: A script or automation job (e.g., using PowerShell, Python, or Batch) runs a process that matches the IOC because of a shared file name or path.
Filter/Exclusion: process.file_name contains "powershell.exe" or process.file_name contains "python.exe", restricted to the specific device, script path and remote ip:port that was verified as benign
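The following is an added example, not code from ThreatFox, Microsoft or the original page. It runs the same hunt logic as the KQL queries above over constructed DeviceNetworkEvents-style records: it refangs the published ip:port indicators, matches events on IP alone (as the queries do) or on the full ip:port pair, and then contrasts a broad process-name exclusion with one scoped to a verified (device, process, ip, port) tuple. Device names, timestamps and process names are constructed; the hypothetical helpers `hunt` and `apply_exclusion` stand in for the Sentinel queries and their tuning.

```python
"""Hunt constructed network events for the DCRat ip:port IOCs listed above.

Added example; records below are constructed, not real telemetry.
"""
import ipaddress
from dataclasses import dataclass

# IOCs exactly as published in the table (defanged).
DEFANGED_IOCS = ["82[.]47[.]101[.]191:8848", "46[.]246[.]82[.]18:8848"]


def refang(ioc: str) -> str:
    """Undo common defanging: '82[.]47' -> '82.47', 'hxxp' -> 'http'."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split an 'ip:port' indicator and validate both halves; raise on garbage."""
    host, _, port = refang(ioc).rpartition(":")
    ip = ipaddress.ip_address(host)          # ValueError on a malformed address
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {port}")
    return str(ip), port_num


IOC_PAIRS = {parse_ip_port(i) for i in DEFANGED_IOCS}   # (ip, port) pairs
IOC_IPS = {ip for ip, _ in IOC_PAIRS}                    # IP-only set, like the KQL above


@dataclass(frozen=True)
class NetEvent:
    """Subset of DeviceNetworkEvents columns used by the hunt."""
    timestamp: str
    device: str
    remote_ip: str
    remote_port: int
    process: str      # InitiatingProcessFileName


# Constructed sample records (hypothetical devices and processes).
SAMPLE_EVENTS = [
    NetEvent("2026-06-14T09:12:01Z", "WS-FIN-07", "82.47.101.191", 8848, "svchost.exe"),
    NetEvent("2026-06-14T09:13:44Z", "WS-FIN-07", "82.47.101.191", 443, "msedge.exe"),
    NetEvent("2026-06-14T10:02:10Z", "SRV-LOG-01", "46.246.82.18", 8848, "powershell.exe"),
    NetEvent("2026-06-14T10:05:55Z", "WS-HR-02", "8.8.8.8", 53, "svchost.exe"),
]


def hunt(events, require_port=True):
    """Return events touching an IOC.

    require_port=True demands the full ip:port pair (the published indicator);
    False matches on IP alone, which is what the two KQL queries above do and
    also catches traffic to the same host on other ports.
    """
    hits = []
    for e in events:
        if require_port and (e.remote_ip, e.remote_port) in IOC_PAIRS:
            hits.append(e)
        elif not require_port and e.remote_ip in IOC_IPS:
            hits.append(e)
    return hits


def apply_exclusion(hits, *, broad_process_names=(), scoped_tuples=()):
    """Two tuning styles applied to hunt results.

    broad_process_names drops any hit whose initiating process matches a name,
    regardless of destination; this is the over-broad pattern that suppresses
    true positives. scoped_tuples drops only a verified
    (device, process, remote_ip, remote_port) combination.
    """
    names = {p.lower() for p in broad_process_names}
    kept = []
    for h in hits:
        if h.process.lower() in names:
            continue
        if (h.device, h.process, h.remote_ip, h.remote_port) in set(scoped_tuples):
            continue
        kept.append(h)
    return kept


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS, require_port=False):
        print(e.timestamp, e.device, e.process, f"{e.remote_ip}:{e.remote_port}")
```

Running the hunt on IP alone returns three events (including the port 443 connection to the first C2 address, which a port-strict match would miss); the broad exclusion of svchost.exe and powershell.exe then removes both port-8848 hits, which is exactly the failure the tuning caveat above warns about, while the scoped tuple removes only the single verified record.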