The ThreatFox: DCRat IOCs rule detects potential adversary activity associated with the DCRat malware, leveraging known indicators of compromise to identify suspicious network traffic or system behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that may be exfiltrating data or establishing command and control channels.
IOC Summary
Malware Family: DCRat Total IOCs: 3 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 23[.]235[.]185[.]43:12159 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 181[.]235[.]14[.]94:3588 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 146[.]70[.]51[.]74:7898 | botnet_cc | 2026-06-10 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["23.235.185.43", "181.235.14.94", "146.70.51.74"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["23.235.185.43", "181.235.14.94", "146.70.51.74"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled task runs a PowerShell script that uses certutil to import a certificate, which may be flagged as an IOC.
Filter/Exclusion: Exclude ProcessName = "powershell.exe" where CommandLine contains certutil -addstore and TaskName includes “System Maintenance”.
Scenario: Admin using Process Monitor to debug a service
Description: An administrator uses Process Monitor (ProcMon) to investigate a service, which may trigger IOCs related to file system access.
Filter/Exclusion: Exclude ProcessName = "procmon.exe" or ProcessName = "procmon64.exe" and filter by ProcessUser = "Administrator".
Scenario: Regular use of certutil for certificate management
Description: IT staff regularly use certutil to manage certificates, which may be flagged as part of DCRat IOCs.
Filter/Exclusion: Exclude ProcessName = "certutil.exe" where CommandLine contains -addstore or -export and User is a known admin account.
Scenario: Deployment of a legitimate endpoint protection tool
Description: A security tool like CrowdStrike Falcon or Microsoft Defender is deployed, and its installation or update process may trigger DCRat-related IOCs.
Filter/Exclusion: Exclude ProcessName matching the security tool’s executable name (e.g., falcon.exe, mpcmdrun.exe) and check for User being a known security team member.
Scenario: Use of icacls for file permissions management
Description: An admin uses icacls to modify file permissions, which may be mistaken for malicious activity due to similar command structures.
**Filter/Exclusion