The ThreatFox: AsyncRAT IOCs rule detects potential command-and-control (C2) communication with infrastructure that ThreatFox attributes to the AsyncRAT malware, a remote access trojan commonly used for persistent remote access and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and contain intrusions that could compromise network integrity and data confidentiality.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 7
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]81[.]17[.]44:6606 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 207[.]180[.]250[.]181:1111 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 207[.]180[.]250[.]181:6606 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 198[.]23[.]185[.]231:20100 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 158[.]94[.]208[.]192:1030 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 107[.]172[.]133[.]178:56003 | botnet_cc | 2026-06-10 | 75% |
| domain | ck444app.net | botnet_cc | 2026-06-10 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: matches on IP only; the feed's ports (6606, 1111, 20100, 1030, 56003) are not enforced here
let malicious_ips = dynamic(["207.180.250.181", "45.81.17.44", "198.23.185.231", "158.94.208.192", "107.172.133.178"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["207.180.250.181", "45.81.17.44", "198.23.185.231", "158.94.208.192", "107.172.133.178"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
// has_any also catches subdomains of the listed domain
let malicious_domains = dynamic(["ck444app.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
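The queries above hard-code the refanged IP list by hand and match on IP alone, so any connection to those hosts fires regardless of port. The following Python helper is an added example, not part of the ThreatFox page or its Sentinel queries: it takes the defanged rows from the IOC table above, refangs and validates them, de-duplicates the hosts, and renders both the `let malicious_ips = dynamic([...]);` line the page's queries use and a stricter port-aware variant for `DeviceNetworkEvents` that only matches the exact ip:port pairs in the feed. The function and variable names are this example's own.

```python
"""Turn defanged ThreatFox IOC rows into ready-to-paste KQL hunting filters.

Added example (not the ThreatFox page's or Sentinel's own code). The rows
below are copied from the IOC table on this page; helper names are assumed.
"""
import ipaddress
import json

# IOC rows exactly as they appear in the table above, still defanged with "[.]".
IOC_ROWS = [
    ("ip:port", "45[.]81[.]17[.]44:6606"),
    ("ip:port", "207[.]180[.]250[.]181:1111"),
    ("ip:port", "207[.]180[.]250[.]181:6606"),
    ("ip:port", "198[.]23[.]185[.]231:20100"),
    ("ip:port", "158[.]94[.]208[.]192:1030"),
    ("ip:port", "107[.]172[.]133[.]178:56003"),
    ("domain", "ck444app.net"),
]


def refang(value: str) -> str:
    """Undo common defanging conventions so the value matches what logs record."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_iocs(rows):
    """Split rows into (ip, port) tuples and lower-cased domains, validating each."""
    ip_ports = []
    domains = []
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            host, _, port = value.rpartition(":")
            ipaddress.ip_address(host)  # raises ValueError on a malformed address
            port = int(port)
            if not 0 < port < 65536:
                raise ValueError(f"port out of range: {value}")
            ip_ports.append((host, port))
        elif ioc_type == "domain":
            domains.append(value.lower())
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return ip_ports, domains


def unique_ips(ip_ports):
    """Collapse repeated hosts (207.180.250.181 is listed twice) while keeping order."""
    return list(dict.fromkeys(ip for ip, _ in ip_ports))


def kql_ip_list(ip_ports):
    """Render the `let malicious_ips = dynamic([...]);` line the page's queries use."""
    return f"let malicious_ips = dynamic({json.dumps(unique_ips(ip_ports))});"


def kql_domain_list(domains):
    """Render the `let malicious_domains = dynamic([...]);` line for the DNS hunt."""
    return f"let malicious_domains = dynamic({json.dumps(domains)});"


def kql_ip_port_query(ip_ports, table="DeviceNetworkEvents"):
    """Render a port-aware hunt that fires only on the exact ip:port pairs in the feed.

    This is narrower than the IP-only queries above; RemoteIP/RemotePort are the
    DeviceNetworkEvents column names.
    """
    pairs = json.dumps([f"{ip}:{port}" for ip, port in ip_ports])
    return (
        f"let malicious_endpoints = dynamic({pairs});\n"
        f"{table}\n"
        "| where strcat(RemoteIP, ':', tostring(RemotePort)) in (malicious_endpoints)\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )


if __name__ == "__main__":
    ips, doms = parse_iocs(IOC_ROWS)
    print(kql_ip_list(ips))
    print(kql_domain_list(doms))
    print(kql_ip_port_query(ips))
```

Run it and paste the emitted `let` lines over the hand-typed ones above when the feed is refreshed; use the port-aware query when the IP-only version is too noisy for hosts that also serve legitimate traffic.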
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled PowerShell script is running a maintenance task that uses Invoke-WebRequest to download a file from a trusted internal repository.
Filter/Exclusion: Exclude any activity involving Invoke-WebRequest where the URL is from a known internal domain (e.g., internal-repo.corp.example.com).
Scenario: Admin using Cobalt Strike for red team exercise
Description: A security team is conducting a red team exercise using Cobalt Strike, which may generate network traffic similar to AsyncRAT IOCs.
Filter/Exclusion: Exclude traffic originating from a known red team IP or subnet (e.g., 10.10.10.0/24) or associated with a specific red team tool (e.g., CobaltStrike).
Scenario: Legitimate use of AWS S3 for file transfer
Description: A DevOps team is using AWS S3 to transfer files between environments, which may involve similar command-line tools or network traffic patterns.
Filter/Exclusion: Exclude any activity involving AWS S3 buckets or commands like aws s3 cp or aws s3 sync.
Scenario: System update using Chocolatey package manager
Description: A system update is being performed via Chocolatey, which may involve downloading packages from a trusted source whose traffic resembles the AsyncRAT IOCs.
Filter/Exclusion: Exclude any activity involving the Chocolatey package manager (choco install) or URLs from the official Chocolatey repository (chocolatey.org).
Scenario: Database backup using SQL Server Agent job
Description: A SQL Server Agent job is performing a backup to a remote storage location, which may involve similar network activity to AsyncRAT.
Filter/Exclusion: Exclude