The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or network compromise.
IOC Summary

- Malware Family: AsyncRAT
- Total IOCs: 7
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]81[.]243[.]44:8808 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 205[.]209[.]106[.]158:6606 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 205[.]209[.]106[.]158:8808 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 205[.]209[.]106[.]158:4444 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 13[.]140[.]160[.]249:8808 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 102[.]220[.]160[.]250:7829 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 216[.]250[.]250[.]247:4521 | botnet_cc | 2026-06-22 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["102.220.160.250", "45.81.243.44", "205.209.106.158", "13.140.160.249", "216.250.250.247"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["102.220.160.250", "45.81.243.44", "205.209.106.158", "13.140.160.249", "216.250.250.247"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
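The two queries above match on IP alone, so any connection to a listed host on an unlisted port (for example 205.209.106.158 on 443) also fires. As an added example that is not part of the ThreatFox rule, the Python helper below refangs the ip:port IOCs from the table, generates a KQL query that joins on the exact ip:port pair, and sorts constructed sample flow records into exact hits and ip-only hits for review. The `datatable`/`join` layout, the column names and the sample records are this example's own assumptions.

```python
import re

# Constructed sample input: the defanged ip:port IOCs listed in the table above.
DEFANGED_IOCS = [
    "45[.]81[.]243[.]44:8808", "205[.]209[.]106[.]158:6606",
    "205[.]209[.]106[.]158:8808", "205[.]209[.]106[.]158:4444",
    "13[.]140[.]160[.]249:8808", "102[.]220[.]160[.]250:7829",
    "216[.]250[.]250[.]247:4521",
]
# Accepts defanged 'a[.]b[.]c[.]d:port' and plain 'a.b.c.d:port' forms.
IOC_RE = re.compile(r"^(\d{1,3}(?:(?:\[\.\]|\.)\d{1,3}){3}):(\d{1,5})$")

def refang(ioc):
    """Parse one ip:port IOC into an (ip, port) tuple, validating octet and port ranges."""
    m = IOC_RE.match(ioc.strip())
    if not m:
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ip, port = m.group(1).replace("[.]", "."), int(m.group(2))
    if not 0 < port < 65536 or any(int(o) > 255 for o in ip.split(".")):
        raise ValueError(f"out-of-range octet or port in {ioc!r}")
    return ip, port

def to_kql(iocs, table="CommonSecurityLog", ip_col="DestinationIP", port_col="DestinationPort"):
    """Emit a KQL query that joins on the exact ip:port pair instead of the bare IP (assumed layout)."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(set(map(refang, iocs))))
    return (
        f"let c2 = datatable({ip_col}:string, {port_col}:int) [\n{rows}\n];\n"
        f"{table}\n| join kind=inner c2 on {ip_col}, {port_col}\n"
        f"| project TimeGenerated, {ip_col}, {port_col}\n| order by TimeGenerated desc"
    )

def match_events(events, iocs):
    """Split events into exact ip:port hits and ip-only hits that need analyst review."""
    pairs = set(map(refang, iocs))
    ips = {ip for ip, _ in pairs}
    exact = [e for e in events if (e["dst_ip"], e["dst_port"]) in pairs]
    ip_only = [e for e in events if e["dst_ip"] in ips and (e["dst_ip"], e["dst_port"]) not in pairs]
    return exact, ip_only

# Constructed sample flow records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "dst_ip": "205.209.106.158", "dst_port": 4444},  # exact IOC pair
    {"host": "ws02", "dst_ip": "205.209.106.158", "dst_port": 443},   # IOC host, other port
    {"host": "ws03", "dst_ip": "10.0.0.5", "dst_port": 8808},         # IOC port only, not a hit
]

if __name__ == "__main__":
    print(to_kql(DEFANGED_IOCS))
    print(match_events(SAMPLE_EVENTS, DEFANGED_IOCS))
```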
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
**Scenario:** Legitimate scheduled job using crontab for system maintenance

**Description:** A system administrator schedules a legitimate maintenance task using crontab that coincidentally matches one of the AsyncRAT IOCs (e.g., a script name or path).

**Filter/Exclusion:** Check for crontab entries, or use the process.parent field to identify whether the process is initiated by a known legitimate scheduler (e.g., cron, systemd, or Task Scheduler).

**Scenario:** Use of wget or curl for legitimate software updates

**Description:** A system administrator uses wget or curl to download a legitimate software update from a trusted source, which may match an AsyncRAT IOC (e.g., a URL or command-line argument).

**Filter/Exclusion:** Filter by process.name to exclude wget or curl, or check the destination field to ensure it matches a known trusted update server.

**Scenario:** Execution of a legitimate PowerShell script with Invoke-Command

**Description:** A PowerShell script is executed using Invoke-Command to perform a routine administrative task, and the script name or command-line arguments match an AsyncRAT IOC.

**Filter/Exclusion:** Use process.name to exclude powershell.exe, or check the script field to verify whether it is a known legitimate script.

**Scenario:** Use of rsync for data synchronization between servers

**Description:** A legitimate rsync job is running between servers, and the command-line arguments or file paths match an AsyncRAT IOC.

**Filter/Exclusion:** Filter by process.name to exclude rsync, or use the destination/source fields to verify whether the transfer is between known internal servers.
**Scenario