The ThreatFox: DCRat IOCs rule detects potential command and control activity associated with the DCRat malware, leveraging known indicators to identify compromised endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be exfiltrating data or maintaining long-term access within the network.
IOC Summary
Malware Family: DCRat
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 178[.]16[.]55[.]108:207 | botnet_cc | 2026-05-24 | 75% |
| ip:port | 176[.]123[.]1[.]139:1024 | botnet_cc | 2026-05-24 | 100% |
| ip:port | 85[.]239[.]149[.]95:8888 | botnet_cc | 2026-05-24 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
// The ThreatFox indicators are ip:port pairs; this query matches on the IP alone,
// so compare DestinationPort in the results against the ports in the table above.
let malicious_ips = dynamic(["85.239.149.95", "178.16.55.108", "176.123.1.139"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// As above, the match is on RemoteIP only; RemotePort is projected so it can be
// checked against the ip:port indicators from ThreatFox.
let malicious_ips = dynamic(["85.239.149.95", "178.16.55.108", "176.123.1.139"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
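The two hunting queries above match on IP address only, while the ThreatFox indicators are ip:port pairs with a confidence score. The following Python script is an added example (not part of the original page or of ThreatFox) that refangs the defanged indicators from the table, validates them, and runs a port-aware match over a constructed set of connection records shaped like CommonSecurityLog rows. It distinguishes an exact ip:port hit (carrying the ThreatFox confidence) from an IP-only hit that needs analyst review. The field names in the sample records (`src_ip`, `dst_port`, and so on) are assumptions for the example.

```python
import ipaddress
from typing import Iterable

# Defanged ip:port indicators copied from the ThreatFox table above, with confidence.
THREATFOX_DCRAT_IOCS = [
    ("178[.]16[.]55[.]108:207", 75),
    ("176[.]123[.]1[.]139:1024", 100),
    ("85[.]239[.]149[.]95:8888", 100),
]

# Constructed sample connection records (hypothetical field names, not real log data).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "85.239.149.95", "dst_port": 8888},
    {"src_ip": "10.0.0.7", "src_port": 51235, "dst_ip": "178.16.55.108", "dst_port": 443},
    {"src_ip": "10.0.0.9", "src_port": 51236, "dst_ip": "8.8.8.8", "dst_port": 53},
    {"src_ip": "176.123.1.139", "src_port": 1024, "dst_ip": "10.0.0.11", "dst_port": 49152},
]


def refang(value: str) -> str:
    """Turn the defanged 'a[.]b[.]c[.]d:port' form back into 'a.b.c.d:port'."""
    return value.replace("[.]", ".")


def parse_ip_port(value: str) -> tuple[str, int]:
    """Parse one ip:port indicator, raising ValueError on a malformed IP or port."""
    ip, _, port = refang(value).rpartition(":")
    ipaddress.ip_address(ip)  # raises ValueError if the address is not valid
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {port}")
    return ip, port_num


def build_ioc_index(iocs: Iterable[tuple[str, int]]):
    """Return {(ip, port): confidence} for exact matches and the set of bare IPs."""
    exact = {parse_ip_port(raw): confidence for raw, confidence in iocs}
    return exact, {ip for ip, _ in exact}


def match_events(events, iocs=THREATFOX_DCRAT_IOCS):
    """Flag records whose source or destination hits an indicator.

    An exact (ip, port) hit carries the ThreatFox confidence; an IP-only hit is
    returned with confidence None so the analyst can review the port by hand.
    """
    exact, ips = build_ioc_index(iocs)
    hits = []
    for ev in events:
        endpoints = ((ev["dst_ip"], ev["dst_port"]), (ev["src_ip"], ev["src_port"]))
        for ip, port in endpoints:
            if (ip, port) in exact:
                hits.append({**ev, "match": "ip:port", "confidence": exact[(ip, port)]})
                break
            if ip in ips:
                hits.append({**ev, "match": "ip-only", "confidence": None})
                break
    return hits


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit)
```

Of the four constructed records, two are exact ip:port hits at 100% confidence, one is an IP-only hit on 178.16.55.108 over a port not in the table, and the DNS lookup to 8.8.8.8 is not flagged. The same split is what the KQL results need by eye when DestinationPort or RemotePort is compared with the indicator table.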
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the IOC pattern (e.g., C:\Windows\System32\svchost.exe or similar).
Filter/Exclusion: process.parent_process == "task scheduler" or process.command_line contains "schtasks.exe"

Scenario: Windows Update or Patching Job
Description: A Windows Update or patching job executes a script or executable that matches the IOC pattern.
Filter/Exclusion: process.command_line contains "wuauclt.exe" or process.parent_process == "Windows Update"

Scenario: Administrative Tool Execution
Description: An admin uses a legitimate tool like PsExec or WMIC to execute a script or command that matches the IOC pattern.
Filter/Exclusion: process.command_line contains "psexec.exe" or process.command_line contains "wmic.exe"

Scenario: Log Management Tool Processing
Description: A log management tool like Splunk or ELK Stack runs a script or process that matches the IOC pattern during log ingestion.
Filter/Exclusion: process.parent_process contains "splunkd.exe" or process.parent_process contains "java.exe" (for ELK)

Scenario: Script Execution via PowerShell or CMD
Description: A legitimate PowerShell or CMD script is run by an admin that includes a file or command matching the IOC pattern.
Filter/Exclusion: process.command_line contains "powershell.exe" or process.command_line contains "cmd.exe", combined with a known admin script path.