The ThreatFox: AsyncRAT IOCs rule detects potential command and control communications associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that could compromise critical systems.
IOC Summary
Malware Family: AsyncRAT Total IOCs: 5 IOC Types: url, ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | mauriciolizcano.com.co | botnet_cc | 2026-06-04 | 75% |
| domain | m-f168.com | botnet_cc | 2026-06-04 | 75% |
| domain | demuntleusden.nl | botnet_cc | 2026-06-04 | 75% |
| ip:port | 13[.]60[.]184[.]242:9000 | botnet_cc | 2026-06-04 | 100% |
| url | hxxps://wittylama.com/Stub.exe | payload_delivery | 2026-06-04 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["13.60.184.242"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["13.60.184.242"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
let malicious_domains = dynamic(["mauriciolizcano.com.co", "m-f168.com", "demuntleusden.nl"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - AsyncRAT
let malicious_urls = dynamic(["https://wittylama.com/Stub.exe"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup job using rsync may trigger the rule due to the use of rsync in the command line, which is sometimes associated with malicious activity.
Filter/Exclusion: Exclude processes where the command line includes rsync and the user is a system or backup admin. Example filter: process.user == "backupadmin" && process.command_line contains "rsync"
Scenario: Admin using wget to download a trusted internal artifact
Description: An administrator may use wget to download a trusted internal artifact (e.g., a configuration file or script) from an internal server, which could be flagged due to the presence of wget in the command line.
Filter/Exclusion: Exclude processes where the source URL is internal and the user is a trusted admin. Example filter: process.source_ip == "10.0.0.0/8" && process.user == "sysadmin"
Scenario: PowerShell script using Invoke-WebRequest for legitimate API calls
Description: A PowerShell script using Invoke-WebRequest to interact with a legitimate API (e.g., for monitoring or automation) may be flagged due to the use of web request commands.
Filter/Exclusion: Exclude processes where the script path is known and the command includes a trusted API endpoint. Example filter: process.script_path == "C:\\scripts\\monitoring.ps1" && process.command_line contains "https://api.example.com"
Scenario: System update using yum or apt with custom repositories
Description: A system update process using yum or apt with a custom repository might trigger the rule if the repository URL or package name matches known malicious patterns.
Filter/Exclusion: Exclude processes