DCRat is being used to establish persistent remote access and exfiltrate data through compromised Azure environments. SOC teams should proactively hunt for this behavior to identify and mitigate advanced persistent threats leveraging DCRat in their infrastructure.
IOC Summary

Malware Family: DCRat
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]92[.]243[.]63:35631 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 91[.]92[.]243[.]63:35635 | botnet_cc | 2026-05-11 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
// Note: the IOC table lists ports 35631 and 35635; this query matches on the IP alone,
// so it will also surface traffic to other ports on that host.
let malicious_ips = dynamic(["91.92.243.63"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["91.92.243.63"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
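The queries above match on the IP alone. The following added example (not part of the original hunt) keeps the port from the IOC table so only the two listed C2 endpoints hit, then rolls the matches up per device for triage. It assumes the DeviceNetworkEvents schema already used above; the 30-day lookback is an assumed default.

```kql
// Added example: match the full ip:port pairs from the IOC table, not the bare IP.
// The datatable below is constructed from the two IOCs listed on this page.
let dcrat_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "91.92.243.63", 35631,
    "91.92.243.63", 35635
];
DeviceNetworkEvents
| where Timestamp > ago(30d)                  // assumed lookback window
| where RemoteIP == "91.92.243.63"            // cheap pre-filter before the join
| join kind=inner dcrat_c2 on RemoteIP, RemotePort
| summarize FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            Connections = count(),
            Ports       = make_set(RemotePort),
            Processes   = make_set(InitiatingProcessFileName),
            Actions     = make_set(ActionType)
    by DeviceName, RemoteIP
| order by LastSeen desc
```

A device with repeated connections over several days, or an initiating process that is not a browser or known agent, is the first candidate for host-level investigation.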
- Scenario: Legitimate scheduled backup job using DCRat as part of a backup tool
  Filter/Exclusion: Exclude processes where the command line includes --backup or --schedule and the parent process is a known backup tool (e.g., Veeam, Commvault).
- Scenario: Admin using DCRat for internal monitoring or logging purposes
  Filter/Exclusion: Exclude processes where the command line includes --log or --monitor and the user is a known admin with elevated privileges (e.g., root, Administrator).
- Scenario: System update or patching tool using DCRat as part of its deployment process
  Filter/Exclusion: Exclude processes where the command line includes --patch or --update and the parent process is a known patching tool (e.g., WSUS, SCCM).
- Scenario: Internal development tool using DCRat for internal data collection
  Filter/Exclusion: Exclude processes where the command line includes --dev or --internal and the user is part of a known development team (e.g., dev-team, engineering).
- Scenario: Log aggregation tool using DCRat to collect and forward logs
  Filter/Exclusion: Exclude processes where the command line includes --log-collect or --forward and the parent process is a known log aggregation tool (e.g., ELK Stack, Splunk).