The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be operating undetected within their environment.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 9
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 209[.]99[.]185[.]96:3001 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 209[.]99[.]185[.]96:7000 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 209[.]99[.]185[.]96:2222 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 103[.]241[.]64[.]92:4782 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 209[.]99[.]185[.]96:9999 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 216[.]250[.]249[.]36:80 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 209[.]99[.]185[.]96:3000 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 128[.]90[.]63[.]86:4444 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 209[.]99[.]185[.]96:2025 | botnet_cc | 2026-06-13 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["216.250.249.36", "128.90.63.86", "103.241.64.92", "209.99.185.96"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["216.250.249.36", "128.90.63.86", "103.241.64.92", "209.99.185.96"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
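The queries above match on address only, while the ThreatFox indicators are ip:port pairs. The following Python helper is an added example, not part of the rule page or of ThreatFox: it refangs the listed IOCs, renders the `dynamic([...])` list the queries use, and separates exact ip:port hits from address-only hits so that traffic to a shared host (the port-80 entry) can be triaged at lower confidence. The event records are constructed, not real telemetry.

```python
import ipaddress
from typing import NamedTuple

# Constructed copy of the nine ip:port IOCs from the table above, kept defanged ("[.]").
DEFANGED_IOCS = [
    "209[.]99[.]185[.]96:3001", "209[.]99[.]185[.]96:7000", "209[.]99[.]185[.]96:2222",
    "103[.]241[.]64[.]92:4782", "209[.]99[.]185[.]96:9999", "216[.]250[.]249[.]36:80",
    "209[.]99[.]185[.]96:3000", "128[.]90[.]63[.]86:4444", "209[.]99[.]185[.]96:2025",
]

class Ioc(NamedTuple):
    ip: str
    port: int

def parse_iocs(values) -> set:
    """Refang 'a[.]b[.]c[.]d:port' strings and validate the address before use."""
    iocs = set()
    for value in values:
        ip, port = value.replace("[.]", ".").rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
        iocs.add(Ioc(ip, int(port)))
    return iocs

def kql_dynamic_list(iocs) -> str:
    """Render the unique IPs as the dynamic([...]) literal used by the queries above."""
    ips = sorted({i.ip for i in iocs})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"

def classify(event, iocs):
    """'exact' when ip:port is a listed C2 endpoint; 'ip_only' when only the address
    matches (lower confidence: a shared host such as the port-80 entry may also serve
    benign traffic); None otherwise."""
    hit = Ioc(event["RemoteIP"], int(event["RemotePort"]))
    if hit in iocs:
        return "exact"
    return "ip_only" if any(i.ip == hit.ip for i in iocs) else None

# Constructed DeviceNetworkEvents-style records, not real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "RemoteIP": "128.90.63.86", "RemotePort": 4444},
    {"DeviceName": "ws-02", "RemoteIP": "209.99.185.96", "RemotePort": 443},
    {"DeviceName": "ws-03", "RemoteIP": "10.0.0.5", "RemotePort": 443},
]

def hunt(events, iocs):
    """Return (device, ip, port, verdict) for every event that touches an IOC address."""
    return [(e["DeviceName"], e["RemoteIP"], e["RemotePort"], v)
            for e in events if (v := classify(e, iocs))]
```

Feeding `kql_dynamic_list()` output into the `let malicious_ips = ...` line keeps the Sentinel queries in step with the IOC table, and the `ip_only` verdict marks hits worth a second look before escalation.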
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup job using rsync may trigger the rule due to the use of command-line tools that resemble malicious activity.
Filter/Exclusion: Exclude processes initiated by the cron scheduler and containing the string rsync in their command line.
Scenario: Admin using wget to download a trusted internal artifact
Description: An administrator may use wget to download a trusted internal file from a known internal server, which could match an IOC from AsyncRAT.
Filter/Exclusion: Exclude traffic originating from known admin workstations and targeting internal IP ranges (e.g., 10.0.0.0/8).
Scenario: Use of curl for API calls to a legitimate internal service
Description: A legitimate application may use curl to interact with an internal API, which could be flagged due to similar command-line usage as AsyncRAT.
Filter/Exclusion: Exclude traffic to internal services (e.g., 10.10.0.0/16) and filter by known internal API endpoints.
Scenario: PowerShell script for system monitoring using Get-EventLog
Description: A PowerShell script used for system monitoring may include commands that resemble malicious activity, such as Get-EventLog, which could match AsyncRAT IOCs.
Filter/Exclusion: Exclude PowerShell scripts executed by the System or LocalService accounts, and filter by known monitoring scripts.
Scenario: Use of tar for decompressing a legitimate software package
Description: A legitimate software deployment may involve using tar to extract files, which could be flagged due to the presence of suspicious command-line arguments.
Filter/Exclusion: Exclude processes initiated by