The detection identifies potential DCRat malware activity through associated IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: DCRat
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 128[.]90[.]115[.]181:7011 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 178[.]73[.]192[.]17:8848 | botnet_cc | 2026-06-23 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat (botnet_cc; observed C2 ports 7011 and 8848)
let malicious_ips = dynamic(["178.73.192.17", "128.90.115.181"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Same IOC set as above; RemotePort lets you check whether the hit is on the C2 port
let malicious_ips = dynamic(["178.73.192.17", "128.90.115.181"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
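As an added example (not part of the original detection content), the same ip:port hunt in Python: it refangs the defanged values from the IOC table, validates them, and runs the match over a few constructed CommonSecurityLog-style events, separating a hit on the exact C2 port from an IP-only hit that still needs triage. The field names mirror the query above; the sample events and the Ioc/hunt helpers are assumptions made for this example.

```python
import ipaddress
from typing import NamedTuple

# Defanged ip:port IOCs copied from the table above (DCRat botnet_cc, ThreatFox)
DEFANGED_IOCS = ["128[.]90[.]115[.]181:7011", "178[.]73[.]192[.]17:8848"]

# Constructed CommonSecurityLog-style events for the demo (not real telemetry)
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-24T10:01:02Z", "SourceIP": "10.0.0.15",
     "DestinationIP": "128.90.115.181", "DestinationPort": 7011, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-24T10:05:44Z", "SourceIP": "10.0.0.22",
     "DestinationIP": "178.73.192.17", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-24T10:06:10Z", "SourceIP": "10.0.0.22",
     "DestinationIP": "203.0.113.10", "DestinationPort": 443, "DeviceAction": "allow"},
]

class Ioc(NamedTuple):
    ip: str
    port: int

def refang_ip_port(value: str) -> Ioc:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into a validated (ip, port) pair."""
    ip_str, _, port_str = value.replace("[.]", ".").rpartition(":")
    ip = ipaddress.ip_address(ip_str)  # raises ValueError on a malformed address
    port = int(port_str)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in IOC: {value}")
    return Ioc(str(ip), port)

def hunt(events, iocs):
    """Return (event, verdict) for every event that touches an IOC IP.
    'c2_match': IP and port both match the indicator.
    'ip_only' : IP matches on another port; may be scanning, a shared host or a
                stale indicator, but still worth a look."""
    ports_by_ip = {}
    for ioc in iocs:
        ports_by_ip.setdefault(ioc.ip, set()).add(ioc.port)
    hits = []
    for ev in events:
        for ip_field, port_field in (("DestinationIP", "DestinationPort"),
                                     ("SourceIP", "SourcePort")):
            ip = ev.get(ip_field)
            if ip in ports_by_ip:
                verdict = "c2_match" if ev.get(port_field) in ports_by_ip[ip] else "ip_only"
                hits.append((ev, verdict))
                break
    return hits

if __name__ == "__main__":
    for ev, verdict in hunt(SAMPLE_EVENTS, [refang_ip_port(v) for v in DEFANGED_IOCS]):
        print(verdict, ev["TimeGenerated"], ev["DestinationIP"], ev["DestinationPort"])
```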
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that downloads a file matching a DCRat IOC as part of a system update or patching process.
Filter/Exclusion: Check for process.parent_process containing “Task Scheduler” or “schtasks.exe” and ensure the file path is within a known update directory (e.g., C:\Windows\Temp\ or C:\Program Files\).
Scenario: Admin Tool Execution
Description: An administrator uses a legitimate tool like PowerShell or WMIC to execute a script that temporarily matches a DCRat IOC due to similar file names or command-line arguments.
Filter/Exclusion: Filter by process.name containing “powershell.exe” or “wmic.exe” and check for known admin tools in the process.parent_process field.
Scenario: Log File Parsing Job
Description: A scheduled job runs a log parsing script that writes to a file with a name similar to a DCRat IOC (e.g., log_parser.exe), triggering the rule.
Filter/Exclusion: Use a filter on process.name to exclude known log parsing tools or check for the presence of a log file in a specific directory (e.g., C:\Logs\).
Scenario: Antivirus Quarantine Process
Description: A legitimate antivirus tool quarantines a file that matches a DCRat IOC, causing the rule to trigger during file access or modification.
Filter/Exclusion: Check for process.name containing “avg.exe”, “mcafee.exe”, or similar antivirus process names, and verify the file path is within a quarantine directory.
Scenario: DevOps Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins