MITRE ATT&CK® Tool

S9017: DCRAT

DCRAT is a variant of the open-source AsyncRAT developed in C# with additional capabilities such as patching Microsoft’s Antimalware Scan Interface (AMSI).[1]

Domain: Enterprise | ID: S9017 | Type: Tool | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DCRAT is a Windows remote access tool that ATT&CK describes as a C# variant of AsyncRAT with the added ability to patch Microsoft AMSI. For leaders, the material point is not the name: the related techniques describe software that combines remote access, keystroke capture, encrypted command-and-control, an encrypted configuration file, and impairment of security tooling, and that combination reduces defender visibility precisely when an incident is under way.

Executive priority

Treat this as a readiness and control-validation item for Windows endpoint security, SOC visibility, and incident response. Executives should ask whether the organization can prove it collects the endpoint, security-tool health, credential-access, and network telemetry needed to investigate RAT behavior, especially where business operations depend on Windows workstations or administrator activity. ATT&CK links DCRAT to APT-C-36, a group described as targeting government and several sectors in Colombia and Latin America; regional exposure and sector relevance may raise the tool's priority in threat-intelligence triage, but local risk should rest on evidence from the environment rather than on attribution assumptions.

Technical view

ATT&CK lists DCRAT as Windows software and describes it as a C# AsyncRAT variant that can patch AMSI. Its technique relationships (see the relationship table on this page) cover an AES-256-encrypted configuration file (T1027.013), keylogging (T1056.001), certificate-based authentication to C2 servers (T1573.002), and AMSI patching (T1685). SOC and IR teams should confirm that Windows endpoint logging can surface suspicious .NET/C# process behavior, in-memory tampering with amsi.dll or other security controls, encrypted or encoded file artifacts, keystroke-capture indicators such as low-level keyboard hooks, and unusual TLS sessions to non-standard destinations. ATT&CK supplies no detection analytic for this object, so coverage must come from local telemetry and tested detections rather than be assumed from the entry.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Security product, AV, EDR, and AMSI health or tamper events
  • File creation and modification telemetry for encoded, encrypted, or otherwise obfuscated artifacts
  • Credential-access and user-input monitoring signals relevant to keylogging behavior
  • Network connection, DNS, proxy, firewall, and TLS/session metadata for outbound command-and-control investigation

Detection direction

  • Build detections around behavior clusters rather than the DCRAT name: security-tool impairment, AMSI tampering, obfuscated files, credential collection, and encrypted outbound communications.
  • Validate that security-control tamper alerts are centrally collected and cannot be silently disabled without SOC visibility.
  • Correlate potential keylogging indicators with process lineage, user context, persistence or remote-access behavior, and outbound network activity to reduce false positives from legitimate accessibility, monitoring, or administration software.
  • Review egress visibility for encrypted command-and-control patterns. Where the client authenticates the C2 server by certificate, TLS interception may break the session rather than expose its contents, so investigation leans on session metadata, destination reputation, process-to-network correlation, and host artifacts.
  • Use the APT-C-36 relationship as threat-intelligence context for prioritization, not as proof of actor involvement in any local alert.
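The behavior-cluster approach described in the Technical view, Likely telemetry and Detection direction sections above, worked through over constructed endpoint events as an added example (this is not code from the ATT&CK entry, Glexia, or the Zscaler report). Event field names, the memory_write tamper event, the keyboard_hook event, and every path, user, address and port are assumptions chosen for illustration; map them onto your own Sysmon or EDR schema before use.

```python
"""Correlate Windows endpoint telemetry into behaviour clusters per process.

Added example; not code from the ATT&CK entry, Glexia or the Zscaler report.
Records are simplified, Sysmon/EDR-like dictionaries constructed for this
example. Field names and the 'memory_write' / 'keyboard_hook' event types
are assumptions about what an EDR would emit, not a real product schema.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample telemetry. Paths, users, addresses and ports are invented
# for the example; none of them are DCRAT indicators.
EVENTS: List[dict] = [
    # pid 4100: binary in a user-writable path, started from explorer.exe
    {"ts": 1, "type": "process_create", "pid": 4100, "ppid": 2200,
     "image": r"C:\Users\alice\AppData\Roaming\Updater\svc.exe",
     "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\alice"},
    {"ts": 2, "type": "image_load", "pid": 4100, "image": r"C:\Windows\System32\amsi.dll"},
    # assumed EDR tamper event: the process overwrites amsi.dll code in its own memory
    {"ts": 3, "type": "memory_write", "pid": 4100, "target_pid": 4100,
     "target_module": "amsi.dll", "target_export": "AmsiScanBuffer"},
    {"ts": 4, "type": "keyboard_hook", "pid": 4100, "api": "SetWindowsHookExW", "hook": "WH_KEYBOARD_LL"},
    {"ts": 5, "type": "network_connect", "pid": 4100, "dst": "198.51.100.23", "dst_port": 8848, "tls": True},
    # pid 5200: accessibility tool installs a keyboard hook and does nothing else
    {"ts": 6, "type": "process_create", "pid": 5200, "ppid": 2200,
     "image": r"C:\Program Files\Vendor\ScreenReader.exe",
     "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\alice"},
    {"ts": 7, "type": "keyboard_hook", "pid": 5200, "api": "SetWindowsHookExW", "hook": "WH_KEYBOARD_LL"},
    # pid 6300: PowerShell legitimately loads amsi.dll and talks TLS on 443
    {"ts": 8, "type": "process_create", "pid": 6300, "ppid": 2200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\alice"},
    {"ts": 9, "type": "image_load", "pid": 6300, "image": r"C:\Windows\System32\amsi.dll"},
    {"ts": 10, "type": "network_connect", "pid": 6300, "dst": "203.0.113.10", "dst_port": 443, "tls": True},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
STRONG = {"amsi_tamper", "keylogging", "encrypted_c2_candidate"}


def classify(ev: dict) -> List[str]:
    """Map one event to zero or more behaviour clusters (the page's grouping)."""
    clusters: List[str] = []
    t = ev["type"]
    if t == "memory_write" and ev.get("target_module", "").lower() == "amsi.dll":
        clusters.append("amsi_tamper")               # security-tool impairment (T1685)
    if t == "keyboard_hook" and ev.get("hook") == "WH_KEYBOARD_LL":
        clusters.append("keylogging")                # keystroke capture (T1056.001)
    if t == "network_connect" and ev.get("tls") and ev.get("dst_port") not in (443, 8443):
        clusters.append("encrypted_c2_candidate")    # TLS on an unusual port; context for T1573
    if t == "process_create" and any(m in ev["image"].lower() for m in USER_WRITABLE):
        clusters.append("user_writable_image")       # weak signal, kept as context only
    return clusters


def correlate(events: List[dict]) -> Dict[int, dict]:
    """Roll events up per process so clusters are judged together, not one at a time."""
    procs: Dict[int, dict] = defaultdict(lambda: {
        "image": None, "parent": None, "user": None,
        "clusters": set(), "first_ts": None, "last_ts": None})
    for ev in sorted(events, key=lambda e: e["ts"]):
        p = procs[ev["pid"]]
        if ev["type"] == "process_create":
            p["image"], p["parent"], p["user"] = ev["image"], ev["parent_image"], ev["user"]
        p["clusters"].update(classify(ev))
        p["first_ts"] = ev["ts"] if p["first_ts"] is None else p["first_ts"]
        p["last_ts"] = ev["ts"]
    return procs


def alerts(events: List[dict], min_strong: int = 2) -> List[dict]:
    """Alert only when at least `min_strong` strong clusters meet on one process.

    A lone keyboard hook (screen readers, macro tools) or a lone amsi.dll load
    (every PowerShell session) stays silent; the combination fires, and the
    process lineage and user context travel with the alert for triage.
    """
    out: List[dict] = []
    for pid, p in correlate(events).items():
        strong = sorted(p["clusters"] & STRONG)
        if len(strong) >= min_strong:
            out.append({"pid": pid, "image": p["image"], "parent": p["parent"], "user": p["user"],
                        "clusters": strong, "context": sorted(p["clusters"] - STRONG),
                        "window": (p["first_ts"], p["last_ts"])})
    return out


if __name__ == "__main__":
    for alert in alerts(EVENTS):
        print(alert)
```

Run as a script it prints the single alert for pid 4100. The property worth carrying into a real pipeline is the threshold: with the default of two strong clusters the screen reader's keyboard hook and PowerShell's amsi.dll load are both silent, and lowering the threshold to one immediately surfaces the accessibility tool as a false positive, which is the trade-off the correlation step exists to manage.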

Mitigation priorities

  • Prioritize Windows endpoint hardening and monitoring for AMSI, AV, EDR, and logging-agent tampering.
  • Ensure SOC playbooks cover RAT investigations that include credential collection, encrypted C2, and defense impairment.
  • Restrict unnecessary outbound communications and require network logging sufficient for incident reconstruction.
  • Strengthen credential protections and privileged access practices because keylogging can expose credentials even when password stores are protected.
  • Maintain IR readiness for host isolation, forensic acquisition, credential rotation, and validation that security tooling remains functional after containment.

Analyst notes and limits

This take is based on ATT&CK S9017 for DCRAT, its official description, the Zscaler external reference, and supplied relationships to APT-C-36 and techniques T1027.013, T1056.001, T1573.002, and T1685. The most decision-useful point is visibility validation: DCRAT-related behaviors can directly challenge endpoint detection and credential security, but the ATT&CK object does not supply a ready-made detection.

ATT&CK lists no tactics, aliases, labels, or official detection for DCRAT. The object has a single supplied external research reference and should not be used alone to claim active exploitation, local exposure, or actor attribution. The object platform is Windows; some related technique platform metadata is broader or not Windows-specific, so defenders should validate applicability in their own environment.

Official MITRE ATT&CK definition

DCRAT

DCRAT is a variant of the open-source AsyncRAT developed in C# with additional capabilities such as patching Microsoft’s Antimalware Scan Interface (AMSI).[1]

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

4 rows

Domain      ID         Name                      Type           Relationship / procedure
Enterprise  T1573.002  Asymmetric Cryptography   Sub-technique  DCRAT can use certificate-based authentication for C2 servers. [1]
Enterprise  T1056.001  Keylogging                Sub-technique  DCRAT can log keystrokes on targeted systems. [1]
Enterprise  T1027.013  Encrypted/Encoded File    Sub-technique  The DCRAT configuration file is encrypted using AES-256. [1]
Enterprise  T1685      Disable or Modify Tools   Technique      DCRAT can patch Microsoft's Antimalware Scan Interface (AMSI) to evade detection. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0099: APT-C-36

APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 25ad746d7f253978...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  25ad746d7f25…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Zscaler BlindEagle DEC 2025: Pellegrino, G. (2025, December 16). BlindEagle Targets Colombian Government Agency with Caminho and DCRAT. Retrieved April 16, 2026.
  2. [2] mitre-attack S9017: MITRE ATT&CK software entry S9017, DCRAT.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.