The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be operating undetected within their environment.
IOC Summary

Malware Family: AsyncRAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 104[.]243[.]248[.]63:1802 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 45[.]133[.]180[.]130:8808 | botnet_cc | 2026-05-08 | 50% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: this matches on address only; the IOC ports (1802, 8808) are not checked,
// which keeps the hunt broad but may surface other services on shared hosts.
let malicious_ips = dynamic(["45.133.180.130", "104.243.248.63"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Note: address-only match, same caveat as above; RemotePort is projected so the
// analyst can compare it against the IOC ports during triage.
let malicious_ips = dynamic(["45.133.180.130", "104.243.248.63"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
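An added hunting query, not part of the original rule, that matches the ThreatFox indicators on both address and port (the IOC type is ip:port, while the queries above match on address only) and carries the published confidence into a single result set across both sources. It assumes the standard Sentinel schemas of CommonSecurityLog and DeviceNetworkEvents.

```kusto
// Added example (not part of the original rule): match address AND port.
// ThreatFox ip:port IOCs from the table above, refanged for matching, with
// the published confidence carried through so analysts can triage by it.
let asyncrat_iocs = datatable(RemoteIP:string, RemotePort:int, Confidence:int) [
    "104.243.248.63", 1802, 75,
    "45.133.180.130", 8808, 50
];
// Defender for Endpoint: endpoint-side view, including the initiating process
let mde_hits = DeviceNetworkEvents
    | where RemoteIP in ((asyncrat_iocs | project RemoteIP))
    | join kind=inner asyncrat_iocs on RemoteIP, RemotePort
    | project EventTime = Timestamp, Source = "DeviceNetworkEvents",
              Host = DeviceName, RemoteIP, RemotePort,
              Process = InitiatingProcessFileName, Action = ActionType, Confidence;
// CommonSecurityLog: firewall/proxy view, destination fields renamed to the
// same key names so the join and the union line up
let csl_hits = CommonSecurityLog
    | where DestinationIP in ((asyncrat_iocs | project RemoteIP))
    | extend RemoteIP = DestinationIP, RemotePort = toint(DestinationPort)
    | join kind=inner asyncrat_iocs on RemoteIP, RemotePort
    | project EventTime = TimeGenerated, Source = "CommonSecurityLog",
              Host = coalesce(SourceHostName, SourceIP), RemoteIP, RemotePort,
              Process = "", Action = DeviceAction, Confidence;
// One result set across both sources; Host, Process and Confidence are the
// fields needed to raise an incident or to scope an exclusion for a verified false positive.
union mde_hits, csl_hits
| order by EventTime desc
```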
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate scheduled job using crontab for system maintenance | Exclude processes initiated by crontab or with USER field set to root and COMMAND containing crontab or cron. |
| Admin using wget to download a trusted internal artifact | Exclude processes where the command line includes wget and the URL matches a known internal artifact repository (e.g., internal-repo.example.com). |
| Use of tar to extract a legitimate software package | Exclude processes where the command line includes tar and the file path matches a known internal software distribution path (e.g., /opt/software/). |
| System update using yum or apt with known good packages | Exclude processes where the command line includes yum or apt and the package name matches a known internal or upstream repository package. |
| Use of rsync for legitimate data synchronization between servers | Exclude processes where the command line includes rsync and the source or destination paths are within a known internal network or shared storage location. |