The ThreatFox: AsyncRAT IOCs rule detects potential command-and-control (C2) communication with infrastructure attributed to AsyncRAT, an open-source remote access trojan used for persistence, keylogging and data exfiltration. SOC teams should proactively hunt for connections to these IOCs in Azure Sentinel (now Microsoft Sentinel) to identify compromised hosts before the operator establishes stealthy, long-term access.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 8
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 204[.]194[.]54[.]9:7707 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 204[.]194[.]54[.]9:8808 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 204[.]194[.]54[.]9:6606 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 194[.]11[.]246[.]191:4404 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 194[.]11[.]246[.]191:6606 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 107[.]182[.]130[.]52:8808 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 140[.]82[.]0[.]91:8808 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 107[.]175[.]149[.]62:9909 | botnet_cc | 2026-06-09 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// The IOCs are ip:port pairs. Match on the IP alone for breadth (C2 operators
// rotate ports), then flag exact ip:port hits so they can be triaged first.
let malicious_ips = dynamic(["140.82.0.91", "107.182.130.52", "194.11.246.191", "107.175.149.62", "204.194.54.9"]);
let malicious_ip_ports = dynamic(["204.194.54.9:7707", "204.194.54.9:8808", "204.194.54.9:6606", "194.11.246.191:4404", "194.11.246.191:6606", "107.182.130.52:8808", "140.82.0.91:8808", "107.175.149.62:9909"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend ExactIocMatch = strcat(DestinationIP, ":", tostring(DestinationPort)) in (malicious_ip_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ExactIocMatch, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP-first match; ExactIocMatch marks hits on the listed C2 ports and the
// initiating process and command line are kept for triage of false positives.
let malicious_ips = dynamic(["140.82.0.91", "107.182.130.52", "194.11.246.191", "107.175.149.62", "204.194.54.9"]);
let malicious_ip_ports = dynamic(["204.194.54.9:7707", "204.194.54.9:8808", "204.194.54.9:6606", "194.11.246.191:4404", "194.11.246.191:6606", "107.182.130.52:8808", "140.82.0.91:8808", "107.175.149.62:9909"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend ExactIocMatch = strcat(RemoteIP, ":", tostring(RemotePort)) in (malicious_ip_ports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ExactIocMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
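The matching logic of the two hunt queries, worked through offline as an added example (this is not ThreatFox or Sentinel code): it refangs the defanged table values, builds an IP set and an ip:port set, scores constructed DeviceNetworkEvents-style records as exact ip:port hits or IP-only hits, and emits the KQL `let` lines so the IOC list never has to be retyped by hand. The event field names follow DeviceNetworkEvents; the sample events are constructed for this example and are not real telemetry.

```python
"""Port-aware matching of the ThreatFox AsyncRAT ip:port IOCs.

Added example, not part of the ThreatFox feed or the Sentinel rule.
Assumptions: event dicts use DeviceNetworkEvents field names
(RemoteIP, RemotePort, InitiatingProcessFileName); sample events below
are constructed, not captured.
"""
import json
from typing import Dict, List, Set, Tuple

# IOC values exactly as listed in the table (defanged with [.]).
IOCS_DEFANGED = [
    "204[.]194[.]54[.]9:7707",
    "204[.]194[.]54[.]9:8808",
    "204[.]194[.]54[.]9:6606",
    "194[.]11[.]246[.]191:4404",
    "194[.]11[.]246[.]191:6606",
    "107[.]182[.]130[.]52:8808",
    "140[.]82[.]0[.]91:8808",
    "107[.]175[.]149[.]62:9909",
]


def refang(value: str) -> str:
    """Turn '204[.]194[.]54[.]9:7707' into '204.194.54.9:7707'."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def split_ip_port(ioc: str) -> Tuple[str, int]:
    """Split 'ip:port' into (ip, port); rpartition keeps IPv6 literals intact."""
    ip, _, port = ioc.rpartition(":")
    return ip, int(port)


def build_sets(defanged: List[str]) -> Tuple[Set[str], Set[Tuple[str, int]]]:
    """Return (set of IPs, set of (ip, port) pairs) from the defanged list."""
    ip_ports = {split_ip_port(refang(v)) for v in defanged}
    ips = {ip for ip, _ in ip_ports}
    return ips, ip_ports


def classify(event: Dict, ips: Set[str], ip_ports: Set[Tuple[str, int]]) -> str:
    """'exact' for an ip:port hit, 'ip_only' for a listed IP on another port, else 'none'."""
    key = (event["RemoteIP"], int(event["RemotePort"]))
    if key in ip_ports:
        return "exact"
    if key[0] in ips:
        return "ip_only"
    return "none"


def hunt(events: List[Dict], defanged: List[str] = IOCS_DEFANGED) -> List[Dict]:
    """Mirror the KQL: keep events whose RemoteIP is listed, annotate the verdict."""
    ips, ip_ports = build_sets(defanged)
    hits = []
    for event in events:
        verdict = classify(event, ips, ip_ports)
        if verdict != "none":
            hits.append({**event, "Verdict": verdict})
    return hits


def kql_lets(defanged: List[str] = IOCS_DEFANGED) -> str:
    """Emit the two 'let' lines used by the hunt queries, generated from the table."""
    ips, ip_ports = build_sets(defanged)
    ip_list = json.dumps(sorted(ips))
    pair_list = json.dumps(sorted(f"{ip}:{port}" for ip, port in ip_ports))
    return (f"let malicious_ips = dynamic({ip_list});\n"
            f"let malicious_ip_ports = dynamic({pair_list});")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-10T08:01:12Z", "DeviceName": "ws01", "RemoteIP": "140.82.0.91",
     "RemotePort": 8808, "InitiatingProcessFileName": "svchost.exe"},      # exact C2 port
    {"Timestamp": "2026-06-10T08:02:40Z", "DeviceName": "ws02", "RemoteIP": "107.182.130.52",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},        # listed IP, HTTPS
    {"Timestamp": "2026-06-10T08:03:05Z", "DeviceName": "ws02", "RemoteIP": "8.8.8.8",
     "RemotePort": 53, "InitiatingProcessFileName": "svchost.exe"},        # benign
    {"Timestamp": "2026-06-10T08:04:59Z", "DeviceName": "srv01", "RemoteIP": "204.194.54.9",
     "RemotePort": 6606, "InitiatingProcessFileName": "Client.exe"},       # exact C2 port
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f'{hit["Verdict"]:8} {hit["DeviceName"]} {hit["InitiatingProcessFileName"]} '
              f'-> {hit["RemoteIP"]}:{hit["RemotePort"]}')
    print(kql_lets())
```

Exact hits land on the ports the table lists; IP-only hits on 80/443 are where the false-positive scenarios below usually come from, so the verdict column is what an analyst should sort on first.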
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled; it is populated by the Common Event Format (CEF) / Syslog connectors from firewalls and proxies |
| DeviceNetworkEvents | Ensure this data connector is enabled; it is populated by the Microsoft Defender XDR connector and requires Defender for Endpoint on the hosts |
Scenario: Legitimate scheduled job (crontab or Task Scheduler) that reaches a listed address
Description: A maintenance script launched from crontab or a scheduled task connects to a host whose IP appears in the list, for example a backup or patch server that shares an address with, or has since inherited the address of, the reported C2 host. The IOCs are ip:port pairs, so the match is on the destination address, not on a script name or command.
Filter/Exclusion: In DeviceNetworkEvents, inspect InitiatingProcessParentFileName (cron or crond on Linux, svchost.exe for the Task Scheduler service on Windows) and InitiatingProcessCommandLine; exclude only destinations confirmed as business infrastructure, and never exclude an exact ip:port match on the C2 ports in the table.
Scenario: Use of wget or curl for legitimate software updates
Description: An update routine uses wget or curl to download files from a server that happens to sit on one of the listed IPs (shared hosting and reused cloud addresses are the usual cause).
Filter/Exclusion: Filter on InitiatingProcessFileName in ("wget", "curl") and check the download URL in InitiatingProcessCommandLine against known update hosts. Legitimate updates use 80 or 443; a connection to 6606, 7707 or 8808 (AsyncRAT's default listener ports) should not be excluded.
Scenario: Admin tasks using local tools such as ps, top, tar or gzip
Description: Process monitoring (ps, top) and log archiving (tar, gzip) run locally and do not open network connections, so they cannot match an ip:port IOC on their own. When a match is attributed to such a job, a wrapper script has usually pushed the output to a remote host (for example with scp or rsync).
Filter/Exclusion: Pivot on the process that actually opened the socket (InitiatingProcessFileName, InitiatingProcessCommandLine and InitiatingProcessParentFileName) and validate the destination as a known backup or monitoring server before excluding it.
Scenario: Legitimate remote management tool (e.g., ssh, scp) activity
Description: A remote administration task using ssh or