The detection identifies potential DCRat malware activity through associated IOCs, indicating possible compromise of endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: DCRat
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]92[.]243[.]223:8080 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 91[.]92[.]243[.]63:7777 | botnet_cc | 2026-05-18 | 100% |
```kql
// Hunt for network connections to known malicious IPs in firewall/proxy logs (CEF)
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["91.92.243.223", "91.92.243.63"]);
CommonSecurityLog
// match either direction, since C2 traffic may be logged inbound or outbound
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["91.92.243.223", "91.92.243.63"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// keep the initiating process so the hit can be triaged without pivoting
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
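Both queries above match on the IP address alone, while the feed publishes ip:port pairs. The following Python script is an added example (not part of the original detection content) that refangs the defanged indicators from the IOC table into validated (ip, port) pairs and evaluates constructed DeviceNetworkEvents-style records two ways: the IP-only match the KQL performs, and a stricter ip:port match. Splitting hits into "exact" and "ip_only" buckets shows which events match the published C2 endpoint precisely and which share only the host and deserve a second look rather than an automatic alert. The sample events and device names are constructed for the demonstration.

```python
import ipaddress
import re

# Indicators copied in the defanged form used in the IOC table above.
DEFANGED_IOCS = [
    "91[.]92[.]243[.]223:8080",
    "91[.]92[.]243[.]63:7777",
]


def refang(indicator: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into a validated (ip, port) pair."""
    cleaned = indicator.replace("[.]", ".").replace("(.)", ".").strip()
    m = re.fullmatch(r"(?P<ip>[0-9.]+):(?P<port>\d{1,5})", cleaned)
    if not m:
        raise ValueError(f"not an ip:port indicator: {indicator!r}")
    ip = str(ipaddress.IPv4Address(m.group("ip")))  # rejects malformed octets
    port = int(m.group("port"))
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {indicator!r}")
    return ip, port


IOC_PAIRS = {refang(i) for i in DEFANGED_IOCS}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}

# Constructed sample events shaped like DeviceNetworkEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-18T10:01:00Z", "DeviceName": "ws01",
     "RemoteIP": "91.92.243.223", "RemotePort": 8080, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-05-18T10:02:00Z", "DeviceName": "ws02",
     "RemoteIP": "91.92.243.63", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-05-18T10:03:00Z", "DeviceName": "ws03",
     "RemoteIP": "10.10.10.10", "RemotePort": 514, "InitiatingProcessFileName": "rsyslogd"},
    {"Timestamp": "2026-05-18T10:04:00Z", "DeviceName": "ws04",
     "RemoteIP": "91.92.243.63", "RemotePort": 7777, "InitiatingProcessFileName": "update.exe"},
]


def ip_only_hits(events):
    """Mirror of the page's `RemoteIP in (malicious_ips)` filter: the port is ignored."""
    return [e for e in events if e["RemoteIP"] in IOC_IPS]


def ip_port_hits(events):
    """Stricter match on the full ip:port pair the feed actually published."""
    return [e for e in events if (e["RemoteIP"], int(e["RemotePort"])) in IOC_PAIRS]


def triage(events):
    """Bucket device names by match strength so analysts can prioritise exact C2 hits."""
    exact = {e["DeviceName"] for e in ip_port_hits(events)}
    ip_only = {e["DeviceName"] for e in ip_only_hits(events)} - exact
    return {"exact": sorted(exact), "ip_only": sorted(ip_only)}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The IP-only bucket is not noise to discard: C2 operators rotate ports on the same host, so an IP-only hit from an unexpected process is still worth a look, but the exact bucket is where an automated incident should be raised first.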
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job using crontab to run system maintenance scripts | Exclude processes initiated by crontab, or with the USER field set to root and COMMAND containing known maintenance scripts (e.g., /usr/bin/logrotate, /usr/sbin/ntpdate). |
| Admin task using wget to download a trusted internal artifact | Exclude processes where the command line includes a known internal server IP or domain (e.g., 10.0.0.1, internal-artifact.repo.example.com) and the file being downloaded is a known trusted asset. |
| System update via yum or apt that includes a known malicious package | Exclude package installations where the package name matches a known internal or enterprise repository (e.g., *.repo, *.deb, *.rpm) and the source is a trusted package manager. |
| Log collection tool like rsyslog or fluentd sending logs to a centralized SIEM | Exclude processes with COMMAND containing rsyslog, fluentd, or logstash and a destination IP matching the internal SIEM server (e.g., 10.10.10.10). |
| Use of tar or gzip for archiving sensitive data | Exclude processes where the command line includes tar or gzip and the destination path is within a known data archive directory (e.g., /backup/, /archive/). |