AsyncRAT is an open-source remote access trojan; the ip:port pairs listed below are command-and-control endpoints reported to ThreatFox for it. An outbound connection from an internal host to one of these pairs is a strong indicator of an infected host with remote-access and data-exfiltration capability. SOC teams should hunt for these IOCs in Azure Sentinel (now Microsoft Sentinel) and contain any matching host before significant data loss occurs.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 192[.]159[.]99[.]21:5080 | botnet_cc | 2026-06-02 | 75% |
| ip:port | 13[.]60[.]184[.]242:9999 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 13[.]60[.]184[.]242:8888 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 23[.]171[.]176[.]167:8808 | botnet_cc | 2026-06-02 | 50% |
```kusto
// Hunt for network connections to known malicious IPs (firewall/proxy logs ingested via CEF)
// Source: ThreatFox - AsyncRAT
// Note: the IOCs above are ip:port pairs; this query matches on the IP alone and
// projects the port so each hit can be compared against the IOC table during triage.
let malicious_ips = dynamic(["13.60.184.242", "192.159.99.21", "23.171.176.167"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, Computer, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events (same IP list; run as a separate query)
// InitiatingProcessFileName identifies the process that opened the connection,
// which is the first thing to pivot on when a hit is found.
let malicious_ips = dynamic(["13.60.184.242", "192.159.99.21", "23.171.176.167"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Firewall/proxy events in CEF format; ensure the CEF/Syslog data connector is enabled |
| DeviceNetworkEvents | Defender for Endpoint network telemetry; ensure the Microsoft Defender XDR data connector is enabled |
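The two queries above match on IP alone, which is the right first pass but cannot tell a true beacon to 13.60.184.242:9999 apart from an unrelated connection to the same host on another port. The following Python is an added example, not code from the original page or from ThreatFox: it refangs the IOC table above, renders an ip:port-aware KQL hunt that joins both Sentinel tables against a `datatable` of pairs, and runs the same IP-only versus ip:port comparison over a handful of constructed sample records. The Sentinel column names in the generated KQL are the real `CommonSecurityLog` and `DeviceNetworkEvents` columns; the sample events, host names and process names are made up for illustration.

```python
"""Added example, not part of the original page: turn the defanged ip:port
IOCs from the table above into an ip:port-aware Sentinel hunt, and show on
constructed sample records why matching the port matters when one host
serves several C2 ports. Column names in the generated KQL are the real
CommonSecurityLog / DeviceNetworkEvents columns; everything else is assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# IOC rows copied from the table above, defanged as ThreatFox publishes them.
RAW_IOCS: List[Tuple[str, int]] = [
    ("192[.]159[.]99[.]21:5080", 75),
    ("13[.]60[.]184[.]242:9999", 100),
    ("13[.]60[.]184[.]242:8888", 100),
    ("23[.]171[.]176[.]167:8808", 50),
]


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    confidence: int


def refang(value: str) -> str:
    """Undo common defanging so the value matches what logs actually contain."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def parse_iocs(rows: Iterable[Tuple[str, int]], min_confidence: int = 0) -> List[Ioc]:
    """Parse 'ip:port' strings, dropping rows below the confidence floor."""
    iocs: List[Ioc] = []
    for raw, confidence in rows:
        if confidence < min_confidence:
            continue
        ip, port = refang(raw).rsplit(":", 1)
        iocs.append(Ioc(ip=ip, port=int(port), confidence=confidence))
    return iocs


def build_kql(iocs: Iterable[Ioc]) -> str:
    """Render a KQL hunt that joins on the (ip, port) pair across both tables."""
    rows = ",\n".join(f'    "{i.ip}", {i.port}' for i in iocs)
    return (
        "let iocs = datatable(ioc_ip:string, ioc_port:int)[\n"
        f"{rows}\n"
        "];\n"
        "union\n"
        "    (CommonSecurityLog\n"
        "     | project TimeGenerated, Host=Computer, RemoteIP=DestinationIP,\n"
        "               RemotePort=DestinationPort, Process=''),\n"
        "    (DeviceNetworkEvents\n"
        "     | project TimeGenerated=Timestamp, Host=DeviceName, RemoteIP,\n"
        "               RemotePort, Process=InitiatingProcessFileName)\n"
        "| join kind=inner (iocs) on $left.RemoteIP == $right.ioc_ip,\n"
        "                           $left.RemotePort == $right.ioc_port\n"
        "| project TimeGenerated, Host, RemoteIP, RemotePort, Process\n"
        "| order by TimeGenerated desc"
    )


@dataclass(frozen=True)
class NetEvent:
    """Minimal stand-in for one DeviceNetworkEvents row (constructed, not real)."""
    host: str
    remote_ip: str
    remote_port: int
    process: str


# Constructed sample telemetry: two true C2 hits, one benign-looking HTTPS
# connection to the shared C2 host on a non-IOC port, one unrelated DNS query.
SAMPLE_EVENTS = [
    NetEvent("WS01", "13.60.184.242", 9999, "svchost.exe"),
    NetEvent("WS02", "13.60.184.242", 443, "msedge.exe"),
    NetEvent("WS03", "23.171.176.167", 8808, "updater.exe"),
    NetEvent("WS04", "8.8.8.8", 53, "dns.exe"),
]


def match_ip_only(events: Iterable[NetEvent], iocs: Iterable[Ioc]) -> List[NetEvent]:
    """Rows the page's `RemoteIP in (malicious_ips)` query would return."""
    ips = {i.ip for i in iocs}
    return [e for e in events if e.remote_ip in ips]


def match_ip_port(events: Iterable[NetEvent], iocs: Iterable[Ioc]) -> List[NetEvent]:
    """Rows the (ip, port) join returns: exact IOC hits only."""
    pairs = {(i.ip, i.port) for i in iocs}
    return [e for e in events if (e.remote_ip, e.remote_port) in pairs]


if __name__ == "__main__":
    iocs = parse_iocs(RAW_IOCS, min_confidence=50)
    print(build_kql(iocs))
    exact = set(match_ip_port(SAMPLE_EVENTS, iocs))
    for e in match_ip_only(SAMPLE_EVENTS, iocs):
        tag = "exact" if e in exact else "ip-only"
        print(f"{e.host} -> {e.remote_ip}:{e.remote_port} ({e.process}) [{tag}]")
```

The ip-only hit on WS02 (port 443 to the shared IP) is exactly the row the page's queries surface and the pair join drops. Keep both views: exact pair hits are near-certain and go straight to containment, while ip-only hits need a second look, because a C2 host can also serve benign content, be reassigned, or move to a new port after the IOC was published.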
The scenarios below describe legitimate traffic that can resemble C2 beaconing when the hunt is widened beyond the exact IOCs (for example, to any outbound connection on an unusual port). They are not reasons to suppress a hit on one of the listed IP:port pairs: an exact IOC match should be investigated regardless of port or process, and the only valid reason to dismiss it is evidence that the IP has since been reassigned.

Scenario: Legitimate scheduled system updates using PowerShell
Description: A scheduled task runs a PowerShell script that downloads and installs system updates from a known Microsoft server.
Filter/Exclusion: Exclude traffic to update.microsoft.com on port 443 when the source is a known patch management tool such as Microsoft Endpoint Manager (MEM) or WSUS.
Scenario: Admin task using SSH to a remote server
Description: A system administrator connects to a remote server over SSH for maintenance or configuration changes.
Filter/Exclusion: Exclude outbound SSH traffic (port 22) to an approved list of internal or external admin hosts managed by the IT department, such as a JumpServer bastion, SSH Tectia, or OpenSSH servers.
Scenario: Data export to a cloud storage bucket
Description: A legitimate data export job runs nightly and transfers files to a cloud storage bucket (e.g., AWS S3, Azure Blob Storage).
Filter/Exclusion: Exclude traffic to known cloud storage endpoints (e.g., s3.amazonaws.com, blob.core.windows.net) when the source is a known data migration tool such as AWS DataSync or Azure Data Factory.
Scenario: Remote desktop connection to a virtual machine
Description: A user connects to a virtual machine over RDP to perform administrative tasks.
Filter/Exclusion: Exclude RDP traffic (port 3389) to internal virtual machines that appear in the inventory of VMware vSphere, Microsoft Hyper-V, or AWS EC2 hosts.
Scenario: Database backup to a remote server
Description: A database backup process runs daily and transfers data to a remote backup server.
Filter/Exclusion: Exclude traffic to known backup servers (e.g., backup.example.com) on port 443.