The ThreatFox: AsyncRAT IOCs rule detects potential command and control activity associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or network compromise.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 10
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 102[.]46[.]221[.]148:8808 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 69[.]172[.]210[.]50:8808 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 172[.]94[.]18[.]103:72 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 158[.]220[.]96[.]15:3319 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 69[.]172[.]210[.]50:7001 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 83[.]142[.]209[.]7:8545 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 193[.]26[.]115[.]190:50050 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 69[.]172[.]210[.]50:5333 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 31[.]57[.]184[.]154:7008 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 104[.]234[.]240[.]68:7707 | botnet_cc | 2026-06-12 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// The list holds the 8 unique hosts from the IOC table above; ports are not matched here.
let malicious_ips = dynamic(["104.234.240.68", "83.142.209.7", "102.46.221.148", "193.26.115.190", "158.220.96.15", "31.57.184.154", "69.172.210.50", "172.94.18.103"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same host list as above; this query runs on its own, so the list is redeclared.
let malicious_ips = dynamic(["104.234.240.68", "83.142.209.7", "102.46.221.148", "193.26.115.190", "158.220.96.15", "31.57.184.154", "69.172.210.50", "172.94.18.103"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
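The hunting queries above match on IP address only and throw away the port half of each ip:port IOC. The following Python helper is an added example, not part of ThreatFox or the Sentinel content: it refangs the IOC values from the table, builds a port-aware KQL hunt for CommonSecurityLog, and classifies a handful of constructed log rows as an exact-socket hit, an IP-only hit, or no hit. The sample events, the `dest_socket`/`match` column names and the two-tier ranking are assumptions made for illustration.

```python
"""Refang the ThreatFox AsyncRAT ip:port IOCs and hunt on IP and port.

Added example, not ThreatFox or Microsoft Sentinel code. IOC values are copied
from the table above; sample events are constructed and not real traffic.
"""
import ipaddress

# IOC values as published in the table above (defanged "a[.]b[.]c[.]d:port" form).
DEFANGED_IOCS = [
    "102[.]46[.]221[.]148:8808",
    "69[.]172[.]210[.]50:8808",
    "172[.]94[.]18[.]103:72",
    "158[.]220[.]96[.]15:3319",
    "69[.]172[.]210[.]50:7001",
    "83[.]142[.]209[.]7:8545",
    "193[.]26[.]115[.]190:50050",
    "69[.]172[.]210[.]50:5333",
    "31[.]57[.]184[.]154:7008",
    "104[.]234[.]240[.]68:7707",
]


def refang(ioc: str) -> str:
    """Undo the common '[.]' defanging so the value can be compared with log fields."""
    return ioc.replace("[.]", ".")


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split a (possibly defanged) 'ip:port' IOC; raise ValueError on malformed input."""
    ip, _, port = refang(ioc).rpartition(":")
    if not port:
        raise ValueError(f"no port in IOC {ioc!r}")
    ipaddress.IPv4Address(ip)  # raises AddressValueError (a ValueError) if not a valid IPv4
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range in IOC {ioc!r}")
    return ip, port_num


def ioc_sockets(iocs) -> set[tuple[str, int]]:
    """All distinct (ip, port) pairs in the feed."""
    return {parse_ip_port(i) for i in iocs}


def ioc_ips(iocs) -> set[str]:
    """Distinct hosts, regardless of port (this is what the page's queries match on)."""
    return {ip for ip, _ in ioc_sockets(iocs)}


def build_kql(iocs, ip_col: str = "DestinationIP", port_col: str = "DestinationPort") -> str:
    """Render a CommonSecurityLog hunt that labels exact socket hits separately from IP-only hits.

    Column names dest_socket and match are assumed labels, not Sentinel schema fields.
    """
    socket_list = ", ".join(f'"{ip}:{port}"' for ip, port in sorted(ioc_sockets(iocs)))
    ip_list = ", ".join(f'"{ip}"' for ip in sorted(ioc_ips(iocs)))
    return "\n".join([
        f"let ioc_sockets = dynamic([{socket_list}]);",
        f"let ioc_ips = dynamic([{ip_list}]);",
        "CommonSecurityLog",
        f"| where {ip_col} in (ioc_ips)",
        f'| extend dest_socket = strcat({ip_col}, ":", tostring({port_col}))',
        '| extend match = iff(dest_socket in (ioc_sockets), "exact_socket", "ip_only")',
        f"| project-reorder match, {ip_col}, {port_col}",
        "| order by TimeGenerated desc",
    ])


def classify_events(events, iocs):
    """Return (event, match_kind) for every event whose destination is an IOC host."""
    sockets = ioc_sockets(iocs)
    ips = {ip for ip, _ in sockets}
    hits = []
    for ev in events:
        ip, port = ev["DestinationIP"], int(ev["DestinationPort"])
        if (ip, port) in sockets:
            hits.append((ev, "exact_socket"))   # same host and port as the feed: strongest signal
        elif ip in ips:
            hits.append((ev, "ip_only"))        # known C2 host on another port: still worth a look
    return hits


# Constructed sample rows shaped like CommonSecurityLog (not real traffic).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-12T09:01:00Z", "SourceIP": "10.0.0.21",
     "DestinationIP": "69.172.210.50", "DestinationPort": 7001},
    {"TimeGenerated": "2026-06-12T09:02:00Z", "SourceIP": "10.0.0.22",
     "DestinationIP": "69.172.210.50", "DestinationPort": 443},
    {"TimeGenerated": "2026-06-12T09:03:00Z", "SourceIP": "10.0.0.23",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53},
    {"TimeGenerated": "2026-06-12T09:04:00Z", "SourceIP": "10.0.0.24",
     "DestinationIP": "172.94.18.103", "DestinationPort": 72},
]

if __name__ == "__main__":
    print(build_kql(DEFANGED_IOCS))
    for ev, kind in classify_events(SAMPLE_EVENTS, DEFANGED_IOCS):
        print(kind, ev["SourceIP"], "->", ev["DestinationIP"], ev["DestinationPort"])
```

Running the script prints the generated query and then three hits from the constructed rows: two exact socket matches and one IP-only match against 69.172.210.50 on port 443. Keeping the IP-only tier preserves the coverage of the page's original queries while letting the exact-socket hits sort to the top of a triage queue.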
Scenario: Legitimate async file transfer tool usage
Description: A system administrator is using a legitimate async file transfer tool like rsync or scp to transfer large files between servers.
Filter/Exclusion: Exclude processes where the command line includes known legitimate async transfer tools (e.g., rsync, scp, robocopy).
Scenario: Scheduled backup job using async I/O
Description: A scheduled backup job (e.g., using Veeam, Commvault, or Bacula) is performing asynchronous I/O operations to a remote storage device.
Filter/Exclusion: Exclude processes with command lines or parent processes associated with backup tools (e.g., veeam, bacula, commvault).
Scenario: PowerShell script using asynchronous operations
Description: A PowerShell script is using async methods (e.g., async/await) to perform non-blocking I/O operations, such as downloading updates or logging data.
Filter/Exclusion: Exclude processes where the parent process is powershell.exe and the script path is known to be legitimate (e.g., internal scripts stored in a trusted directory).
Scenario: System event log aggregation using async logging
Description: A system is using an async logging tool (e.g., ELK Stack, Splunk, or Graylog) to aggregate and forward event logs to a central server.
Filter/Exclusion: Exclude processes related to log aggregation tools (e.g., logstash, splunk, graylog) or those running from known log management directories.
Scenario: Virtualization or container management tasks
Description: A task related to virtual machine or container management (e.g., Vagrant, Docker, Kubernetes) is performing asynchronous I/O