The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is commonly used for persistent remote access and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may have already established a foothold in the network.
IOC Summary

- Malware Family: AsyncRAT
- Total IOCs: 2
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]231[.]58[.]197:8808 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 67[.]21[.]33[.]47:443 | botnet_cc | 2026-06-01 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: this matches on IP only; the ThreatFox indicators also carry a port (8808 and 443)
let malicious_ips = dynamic(["67.21.33.47", "5.231.58.197"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP-only match as above; RemotePort is projected so the analyst can compare it with the IOC port
let malicious_ips = dynamic(["67.21.33.47", "5.231.58.197"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
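Because the ThreatFox indicators are ip:port pairs, a hunt that keys on the port as well as the address separates a real C2 hit from unrelated traffic to a shared host. The following is an added Python helper, not part of the ThreatFox feed or of the queries above: it refangs and validates each indicator, emits an equivalent port-qualified KQL where clause (defaulting to the DeviceNetworkEvents columns used above), and classifies constructed sample events as exact ip:port hits or IP-only hits. The sample hosts and events are hypothetical.

```python
from ipaddress import ip_address

# Constructed from the two defanged ip:port indicators in the ThreatFox table above.
THREATFOX_IOCS = ["5[.]231[.]58[.]197:8808", "67[.]21[.]33[.]47:443"]

# Constructed sample events in the shape of DeviceNetworkEvents rows (hypothetical hosts).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "5.231.58.197", "RemotePort": 8808},
    {"DeviceName": "ws02", "RemoteIP": "67.21.33.47", "RemotePort": 80},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 443},
]


def refang_ip_port(ioc):
    """Turn a defanged 'a[.]b[.]c[.]d:port' indicator into (ip, port), validating both."""
    ip_str, sep, port_str = ioc.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"indicator has no port: {ioc!r}")
    ip = ip_address(ip_str)  # raises ValueError on a malformed address
    port = int(port_str)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in indicator: {ioc!r}")
    return str(ip), port


def build_kql(iocs, table="DeviceNetworkEvents", ip_col="RemoteIP", port_col="RemotePort"):
    """Emit a KQL query whose where clause keys on the exact ip:port pair, not the IP alone."""
    clauses = [f'({ip_col} == "{ip}" and {port_col} == {port})'
               for ip, port in (refang_ip_port(i) for i in iocs)]
    return f"{table}\n| where " + "\n    or ".join(clauses)


def match_events(events, iocs):
    """Classify events: 'ip_port' for an exact indicator hit, 'ip_only' for the IP without its port."""
    exact = {refang_ip_port(i) for i in iocs}
    ips = {ip for ip, _ in exact}
    hits = []
    for ev in events:
        if (ev["RemoteIP"], ev["RemotePort"]) in exact:
            hits.append((ev["DeviceName"], "ip_port"))
        elif ev["RemoteIP"] in ips:
            hits.append((ev["DeviceName"], "ip_only"))
    return hits


if __name__ == "__main__":
    print(build_kql(THREATFOX_IOCS))
    print(match_events(SAMPLE_EVENTS, THREATFOX_IOCS))
```

Pass `"CommonSecurityLog", "DestinationIP", "DestinationPort"` to `build_kql` to produce the port-qualified form of the first query; IP-only hits are still worth triage, since the operator may rotate ports on the same host.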
- Scenario: Legitimate scheduled job using async command-line tool
  - Description: A system administrator schedules a job using the async command-line utility for asynchronous task processing.
  - Filter/Exclusion: Exclude processes where the command line contains async and the parent process is a known system service (e.g., cron, systemd, or task scheduler).
- Scenario: Use of async in a legitimate DevOps pipeline
  - Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) uses the async command to manage background tasks during deployment.
  - Filter/Exclusion: Exclude processes where the command line includes async and the process is initiated by a known DevOps tool (e.g., jenkins, gitlab-runner, or docker).
- Scenario: Admin task using async for log analysis
  - Description: A security analyst runs a script using the async command to process and analyze log files in real time.
  - Filter/Exclusion: Exclude processes where the command line includes async and the user is a known security analyst or admin (e.g., root, security, or admin).
- Scenario: Legitimate use of async in a custom script
  - Description: A developer uses a custom script named async.sh to handle asynchronous operations, such as data processing or API calls.
  - Filter/Exclusion: Exclude processes where the command line includes async.sh and the script is located in a known development directory (e.g., /home/dev/scripts/).
- Scenario: Use of async in a legitimate cloud orchestration tool
  - Description: A cloud orchestration tool (e.g., Terraform, Ansible) uses the async module to manage asynchronous tasks during infrastructure provisioning.