The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is commonly used for persistent remote access and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage these IOCs to maintain stealthy, long-term access to compromised systems.
IOC Summary
Malware Family: AsyncRAT Total IOCs: 4 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 13[.]60[.]184[.]242:8808 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 180[.]93[.]109[.]34:80 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 128[.]90[.]171[.]185:4444 | botnet_cc | 2026-06-06 | 50% |
| ip:port | 45[.]81[.]17[.]44:8808 | botnet_cc | 2026-06-06 | 50% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["128.90.171.185", "13.60.184.242", "45.81.17.44", "180.93.109.34"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["128.90.171.185", "13.60.184.242", "45.81.17.44", "180.93.109.34"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using async in command line
Description: A system administrator schedules a job using a tool like async (e.g., async in Python or a custom script) for asynchronous task processing.
Filter/Exclusion: Check for command_line containing "async" and exclude processes initiated by known admin tools or scheduled tasks with valid job names.
Scenario: Use of AsyncRAT-like names in legitimate software
Description: A developer or team uses a naming convention similar to AsyncRAT (e.g., AsyncUploader.exe) for a legitimate file transfer tool.
Filter/Exclusion: Exclude files with file extensions like .exe or .dll that are known to be part of legitimate software, or filter by file hashes from trusted sources.
Scenario: PowerShell script using async keyword
Description: A PowerShell script uses the async keyword for asynchronous operations, such as downloading updates or processing data.
Filter/Exclusion: Filter out PowerShell scripts that are not associated with known malicious patterns, or exclude scripts that are signed by trusted publishers.
Scenario: System update or patching tool with similar IOCs
Description: A system update tool (e.g., Windows Update, Chocolatey, or Ansible) may have IOCs that match the AsyncRAT detection rule.
Filter/Exclusion: Exclude processes initiated by known update tools or check for process parent processes that are associated with system update services.
Scenario: Legitimate remote management tool using AsyncRAT-like IOCs
Description: A remote management tool (e.g., PsExec, Powershell Remoting, or SSH) may use IOCs that resemble AsyncRAT due to similar command structures.
Filter/Exclusion: Exclude