The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be leveraging these IOCs to maintain stealthy, long-term access to compromised systems.
IOC Summary
Malware Family: AsyncRAT Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 206[.]123[.]152[.]144:5900 | botnet_cc | 2026-03-19 | 100% |
| ip:port | 46[.]109[.]51[.]69:8808 | botnet_cc | 2026-03-18 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["46.109.51.69", "206.123.152.144"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["46.109.51.69", "206.123.152.144"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup task using rsync may trigger the rule if it involves network IOCs associated with AsyncRAT.
Filter/Exclusion: process.name = rsync or process.parent.name = systemd and process.command_line contains "backup"
Scenario: Admin using wget to download a trusted internal artifact
Description: An administrator may use wget to fetch a legitimate internal file, which could match an IOC from AsyncRAT if the file path is similar.
Filter/Exclusion: process.name = wget and destination.path contains "/internal/artifacts/"
Scenario: PowerShell script for system monitoring using Get-EventLog
Description: A PowerShell script that uses Get-EventLog or Get-WinEvent for monitoring purposes may trigger the rule if it includes IOCs from AsyncRAT.
Filter/Exclusion: process.name = powershell and script.name contains "monitoring.ps1"
Scenario: Docker container running a legitimate application with network IOCs
Description: A Docker container might have network connections that match AsyncRAT IOCs if the application uses similar endpoints.
Filter/Exclusion: process.parent.name = docker and process.command_line contains "run -d"
Scenario: Log collection tool using logrotate and rsyslog
Description: A log collection setup using logrotate and rsyslog may involve network IOCs that match AsyncRAT patterns.
Filter/Exclusion: process.name = rsyslog or process.name = logrotate and destination.path contains "/var/log/"