The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is commonly used for persistent remote access and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage these IOCs to maintain stealthy, long-term access to compromised systems.
IOC Summary
Malware Family: AsyncRAT Total IOCs: 7 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 31[.]57[.]184[.]154:7707 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 142[.]202[.]188[.]247:8808 | botnet_cc | 2026-05-06 | 50% |
| ip:port | 45[.]83[.]31[.]43:8080 | botnet_cc | 2026-05-06 | 50% |
| ip:port | 77[.]93[.]152[.]138:8808 | botnet_cc | 2026-05-06 | 50% |
| ip:port | 192[.]109[.]200[.]143:6606 | botnet_cc | 2026-05-06 | 50% |
| ip:port | 46[.]246[.]4[.]17:1000 | botnet_cc | 2026-05-06 | 50% |
| ip:port | 192[.]109[.]200[.]143:7707 | botnet_cc | 2026-05-06 | 50% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["77.93.152.138", "192.109.200.143", "31.57.184.154", "46.246.4.17", "45.83.31.43", "142.202.188.247"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["77.93.152.138", "192.109.200.143", "31.57.184.154", "46.246.4.17", "45.83.31.43", "142.202.188.247"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup job using rsync may trigger the rule due to the use of rsync in the command line, which is sometimes associated with malicious activity.
Filter/Exclusion: Exclude processes where the command line includes rsync and the user is a system or backup admin.
Scenario: System update using apt or yum
Description: System updates via package managers like apt or yum may include commands that resemble malicious IOCs, especially during package installation or script execution.
Filter/Exclusion: Exclude processes where the command line includes apt, apt-get, yum, or dnf and the user is a root or system admin.
Scenario: PowerShell script for administrative tasks
Description: A legitimate PowerShell script used for system administration (e.g., Invoke-Command, Start-Process) may trigger the rule due to the use of PowerShell cmdlets.
Filter/Exclusion: Exclude processes where the command line includes powershell.exe and the script path is known to be from a trusted internal repository or admin tool.
Scenario: Log file rotation using logrotate
Description: The logrotate utility may generate commands that match some of the AsyncRAT IOCs, especially when handling log file operations.
Filter/Exclusion: Exclude processes where the command line includes logrotate and the user is a system or log admin.
Scenario: Database backup using mysqldump
Description: A database backup using mysqldump may trigger the rule due to the use of command-line arguments that resemble malicious IOCs.
Filter/Exclusion: Exclude processes where the command line includes `mysq