The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be operating undetected within their environment.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 138[.]124[.]61[.]65:8088 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 157[.]20[.]182[.]17:1973 | botnet_cc | 2026-05-27 | 75% |
| ip:port | 104[.]243[.]248[.]63:1807 | botnet_cc | 2026-05-27 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["104.243.248.63", "157.20.182.17", "138.124.61.65"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["104.243.248.63", "157.20.182.17", "138.124.61.65"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
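The queries above match on IP address alone, although the feed lists ip:port pairs. As an added example (not part of the ThreatFox page or the rule itself), this Python snippet parses the defanged ip:port values from the IOC table, emits a KQL datatable literal so a hunt can join on both IP and port, and runs the pair match over constructed sample events; the `asyncrat_c2` name, the sample events and the matcher are assumptions that mirror DeviceNetworkEvents column names.

```python
import re

# Defanged ip:port IOCs copied from the table above (ThreatFox, AsyncRAT).
THREATFOX_IOCS = [
    "138[.]124[.]61[.]65:8088",
    "157[.]20[.]182[.]17:1973",
    "104[.]243[.]248[.]63:1807",
]

# Accepts only the defanged form: four octets joined by "[.]" plus a ":port" suffix.
_IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")

def refang(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into a real (ip, port) pair."""
    m = _IOC_RE.match(ioc.strip())
    if not m:
        raise ValueError(f"not a defanged ip:port IOC: {ioc!r}")
    ip, port = m.group(1).replace("[.]", "."), int(m.group(2))
    if not 0 < port < 65536 or any(int(o) > 255 for o in ip.split(".")):
        raise ValueError(f"out-of-range ip or port: {ioc!r}")
    return ip, port

def ioc_set(iocs) -> set[tuple[str, int]]:
    return {refang(i) for i in iocs}

def to_kql_datatable(pairs: set[tuple[str, int]]) -> str:
    """Emit a KQL datatable literal so a hunt can join on ip AND port, not ip alone."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in sorted(pairs))
    return f"let asyncrat_c2 = datatable(ip:string, port:int)[{rows}];"

def match_events(events: list[dict], pairs: set[tuple[str, int]]) -> list[dict]:
    """Return DeviceNetworkEvents-style rows whose RemoteIP:RemotePort is a listed C2 pair."""
    return [e for e in events if (e["RemoteIP"], int(e["RemotePort"])) in pairs]

# Constructed sample events (hypothetical telemetry, not from any real tenant).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "138.124.61.65", "RemotePort": 8088, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws02", "RemoteIP": "138.124.61.65", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 1973, "InitiatingProcessFileName": "rsync"},
]

if __name__ == "__main__":
    pairs = ioc_set(THREATFOX_IOCS)
    print(to_kql_datatable(pairs))
    for hit in match_events(SAMPLE_EVENTS, pairs):
        print("HIT", hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"], hit["InitiatingProcessFileName"])
```

Pair matching flags only ws01; the IP-only queries on this page would also surface ws02, which is broader but noisier, so pick the precision that fits your triage capacity.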
**Scenario:** Legitimate scheduled backup job using rsync
**Description:** A scheduled backup job uses rsync to transfer files across the network, which may match the network IOCs associated with AsyncRAT.
**Filter/Exclusion:** Exclude traffic originating from or destined to known backup servers, or filter by process.name = rsync and process.args contains "backup".

**Scenario:** Admin task using wget to download a trusted internal script
**Description:** An administrator uses wget to download a trusted internal script from an internal server, which may be flagged due to the use of wget or the URL pattern.
**Filter/Exclusion:** Exclude traffic to internal IP ranges, or filter by process.name = wget and destination.ip in internal_network.

**Scenario:** Software update using curl to a known internal repository
**Description:** A system performs a software update using curl to a known internal repository, which may match the command-line IOCs of AsyncRAT.
**Filter/Exclusion:** Exclude traffic to internal update servers, or filter by process.name = curl and destination.host contains "update".

**Scenario:** Log collection using logrotate with remote logging
**Description:** A log collection process uses logrotate with remote logging configured to a central log server, which may trigger the rule due to network or process IOCs.
**Filter/Exclusion:** Exclude traffic to log aggregation servers, or filter by process.name = logrotate and destination.host contains "logserver".

**Scenario:** Docker image pull using docker pull to a private registry
**Description:** A Docker container pulls an image from a private registry, which may be flagged due to the use of docker or the registry URL.
**Filter/