The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is commonly used for persistent remote access and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be operating undetected within their environment.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]156[.]87[.]171:8808 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 198[.]23[.]185[.]82:8888 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 50[.]114[.]179[.]143:1209 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 34[.]106[.]231[.]199:6932 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 202[.]189[.]6[.]77:6606 | botnet_cc | 2026-05-26 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["34.106.231.199", "198.23.185.82", "202.189.6.77", "50.114.179.143", "45.156.87.171"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["34.106.231.199", "198.23.185.82", "202.189.6.77", "50.114.179.143", "45.156.87.171"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
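The IOCs above are of type ip:port, but the queries match on IP alone. The following added example (not part of the rule page or ThreatFox) refangs the defanged table entries, regenerates the `dynamic([...])` list the queries use, and shows the stricter ip:port match over a constructed set of CommonSecurityLog-shaped rows, with an optional confidence floor; the sample events and the function names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Copy of the page's IOC table: (defanged ip:port, ThreatFox confidence).
THREATFOX_ASYNCRAT_IOCS: List[Tuple[str, int]] = [
    ("45[.]156[.]87[.]171:8808", 100),
    ("198[.]23[.]185[.]82:8888", 100),
    ("50[.]114[.]179[.]143:1209", 75),
    ("34[.]106[.]231[.]199:6932", 75),
    ("202[.]189[.]6[.]77:6606", 75),
]


def refang(ioc: str) -> Tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into an (ip, port) pair."""
    ip, port = ioc.replace("[.]", ".").rsplit(":", 1)
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ip, int(port)


def build_kql_list(iocs: List[Tuple[str, int]], min_confidence: int = 0) -> str:
    """Emit the 'let malicious_ips = dynamic([...]);' line used by the page's KQL."""
    ips = sorted({refang(i)[0] for i, c in iocs if c >= min_confidence})
    return "let malicious_ips = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"


def match_events(events: List[Dict], iocs: List[Tuple[str, int]], min_confidence: int = 0) -> List[Dict]:
    """Return events whose (DestinationIP, DestinationPort) equals an ip:port IOC.

    Matching on the pair, not the IP alone, avoids flagging unrelated traffic
    (e.g. HTTPS on 443) to a host that also serves the C2 port.
    """
    watch = {refang(i): c for i, c in iocs if c >= min_confidence}
    hits = []
    for ev in events:
        key = (ev["DestinationIP"], ev["DestinationPort"])
        if key in watch:
            hits.append({**ev, "Confidence": watch[key]})
    return hits


# Constructed sample rows in the shape of CommonSecurityLog (assumed, not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"TimeGenerated": "2026-05-26T10:01:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "45.156.87.171", "DestinationPort": 8808},   # C2 port: hit
    {"TimeGenerated": "2026-05-26T10:02:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "45.156.87.171", "DestinationPort": 443},    # same host, other port
    {"TimeGenerated": "2026-05-26T10:03:00Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "202.189.6.77", "DestinationPort": 6606},    # 75% IOC: hit
]
```

Running `match_events(SAMPLE_EVENTS, THREATFOX_ASYNCRAT_IOCS)` returns two hits; the page's IP-only KQL would also return the port-443 row, which is the trade-off between coverage and false positives to decide on per environment.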
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup task using rsync may trigger the rule due to the use of rsync in the command line, which is sometimes flagged as suspicious.
Filter/Exclusion: Exclude processes where the command line includes rsync and the user is a system or backup admin.
Scenario: Admin using wget to download a trusted internal artifact
Description: An administrator may use wget to download a trusted internal tool or configuration file, which could match an IOC associated with AsyncRAT.
Filter/Exclusion: Exclude processes where the command line includes a known internal URL or artifact name, and the user has elevated privileges.
Scenario: PowerShell script for system monitoring using Get-EventLog
Description: A legitimate PowerShell script that uses Get-EventLog to monitor system events may be flagged due to the presence of Get-EventLog in the command line.
Filter/Exclusion: Exclude processes where the script path is known and the user is a system admin with access to monitoring tools.
Scenario: Docker container deployment using docker-compose
Description: A Docker deployment using docker-compose may trigger the rule if the command line includes a suspicious-looking argument or path.
Filter/Exclusion: Exclude processes where the command line includes docker-compose and the user is part of the DevOps team with Docker access.
Scenario: System update using yum or apt with custom repositories
Description: A system update using yum or apt from a custom repository may trigger the rule if the repository URL or package name matches an IOC.
Filter/Exclusion: Exclude processes where the command line includes a known internal repository URL or package name,