The detection identifies potential DCRat malware activity through associated IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: DCRat Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 158[.]94[.]209[.]7:5022 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 85[.]239[.]149[.]95:7777 | botnet_cc | 2026-05-21 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["158.94.209.7", "85.239.149.95"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["158.94.209.7", "85.239.149.95"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using schtasks.exe to run a maintenance script
Filter/Exclusion: Exclude processes where schtasks.exe is used with a known legitimate task name (e.g., Windows Defender Maintenance or Disk Defragmenter).
Scenario: System update or patching process using msiexec.exe
Filter/Exclusion: Exclude processes where msiexec.exe is used with a known Microsoft update package (e.g., Windows10.22H2.msu or KB1234567.msu).
Scenario: Admin using PowerShell.exe to run a script for log analysis
Filter/Exclusion: Exclude processes where PowerShell.exe is launched with a known internal script path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and script name like analyze-logs.ps1).
Scenario: Database backup using sqlcmd.exe or mysqldump
Filter/Exclusion: Exclude processes where sqlcmd.exe or mysqldump is used with known backup paths or credentials (e.g., C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqldump.exe).
Scenario: Security tool or SIEM integration using splunkd.exe or elastic-agent
Filter/Exclusion: Exclude processes where splunkd.exe or elastic-agent is running as part of a known security tooling stack (e.g., C:\Program Files\Splunk\bin\splunkd.exe).