The ThreatFox: AsyncRAT IOCs rule detects potential command and control (C2) communication associated with AsyncRAT, an open-source remote access trojan commonly used for persistent remote access and data exfiltration. SOC teams should proactively hunt for DNS resolution of these indicators in Microsoft Sentinel (formerly Azure Sentinel) to identify hosts that may be beaconing to AsyncRAT infrastructure and to cut off attackers who rely on these domains for stealthy, long-term access to compromised systems.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | naked18.net | botnet_cc | 2026-04-18 | 100% |
| domain | malware.naked18.net | botnet_cc | 2026-04-18 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
// Note: has_any matches whole terms, so a query for "malware.naked18.net"
// also matches the "naked18.net" entry, while look-alikes such as
// "naked18.network" do not.
let malicious_domains = dynamic(["naked18.net", "malware.naked18.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
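As an added example that is not part of the ThreatFox rule above, the query below reuses the same indicator list but widens the hunt from DNS logs to endpoint network telemetry and collapses the results to one row per host, so an analyst sees first seen, last seen, hit count and the initiating process instead of a raw event stream. It assumes the DeviceNetworkEvents table (Microsoft Defender for Endpoint connector) is ingested alongside DnsEvents; if it is not, drop the endpoint_hits branch and the union still works on DNS data alone.

```kql
// Added example (not the original rule): hunt the AsyncRAT domains across
// DNS and endpoint network telemetry, then summarize per host for triage.
let malicious_domains = dynamic(["naked18.net", "malware.naked18.net"]);
// DNS server / client resolution logs
let dns_hits = DnsEvents
    | where Name has_any (malicious_domains)
    | project TimeGenerated,
              Host = Computer,
              Indicator = Name,
              Source = "DnsEvents",
              Detail = strcat("resolved to ", tostring(IPAddresses));
// Endpoint connections (assumes the Defender for Endpoint connector is enabled)
let endpoint_hits = DeviceNetworkEvents
    | where RemoteUrl has_any (malicious_domains)
    | project TimeGenerated,
              Host = DeviceName,
              Indicator = RemoteUrl,
              Source = "DeviceNetworkEvents",
              Detail = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort));
union dns_hits, endpoint_hits
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hits = count(),
            Sources = make_set(Source),
            Indicators = make_set(Indicator),
            Details = make_set(Detail, 5)
            by Host
| order by FirstSeen asc
```

A host that appears with both DnsEvents and DeviceNetworkEvents sources, and a non-browser InitiatingProcessFileName in Details, is a strong candidate for isolation; a DNS-only hit from a resolver host can be the recursive server itself, so pivot on the client address in the DnsEvents row before acting.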
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios
The scenarios below describe routine administrative activity that may surface in broader hunts layered on top of this rule. None of these workloads should resolve the listed domains, so a DNS hit on naked18.net or malware.naked18.net should not be excluded on this basis; apply the exclusions to the surrounding process and connection telemetry, not to the IOC match itself.
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known secure source.
Filter/Exclusion: Exclude PowerShell downloads that originate from trusted update servers (e.g., https://download.microsoft.com or https://updates.symantec.com).
Scenario: A database administrator is using SQL Server Management Studio (SSMS) to execute a script that connects to a remote SQL server using a valid connection string.
Filter/Exclusion: Exclude connections to known internal SQL servers (e.g., sqlserver.internal.corp or 10.0.0.10) made with valid domain credentials.
Scenario: A DevOps engineer is deploying a containerized application using Docker and a Kubernetes (K8s) cluster, which involves pulling images from a private registry.
Filter/Exclusion: Exclude image pulls from internal Docker registries (e.g., registry.internal.corp:5000) and containers with known legitimate application names.
Scenario: A system administrator is using Windows Task Scheduler to run a daily backup job that connects to a remote backup server.
Filter/Exclusion: Exclude scheduled tasks that run as the SYSTEM (LocalSystem) account and connect only to known internal backup servers (e.g., backupserver.corp).
Scenario: A developer is using Git to clone a repository from a private GitLab instance, which involves a connection to the internal Git server.
Filter/Exclusion: Exclude Git operations that connect to internal GitLab instances (e.g., gitlab.internal.corp) and are initiated from known development machines.