The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or network compromise.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 104[.]243[.]248[.]63:1805 | botnet_cc | 2026-05-19 | 75% |
| ip:port | 172[.]94[.]18[.]103:76 | botnet_cc | 2026-05-19 | 100% |
| ip:port | 48[.]202[.]58[.]22:2055 | botnet_cc | 2026-05-19 | 50% |
| ip:port | 84[.]21[.]189[.]225:50194 | botnet_cc | 2026-05-18 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["48.202.58.22", "104.243.248.63", "84.21.189.225", "172.94.18.103"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["48.202.58.22", "104.243.248.63", "84.21.189.225", "172.94.18.103"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
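The two queries above match on IP address only, while the ThreatFox indicators are ip:port pairs; a connection to one of these hosts on an unrelated port is therefore a weaker signal. The following added example (not part of the original rule) carries the port and confidence from the IOC table into the hunt and covers both tables at once; it assumes `Computer` is the host column to use from CommonSecurityLog.

```kql
// Added example: match the full ip:port pair from the IOC table across both
// hunting tables, so traffic to one of these hosts on another port does not
// fire. IP, port, confidence and first-seen values are the rule's own IOCs.
let ioc_pairs = datatable(RemoteIP: string, RemotePort: int, Confidence: int, FirstSeen: datetime)
[
    "104.243.248.63", 1805,  75,  datetime(2026-05-19),
    "172.94.18.103",  76,    100, datetime(2026-05-19),
    "48.202.58.22",   2055,  50,  datetime(2026-05-19),
    "84.21.189.225",  50194, 75,  datetime(2026-05-18)
];
// Normalise CommonSecurityLog (firewall/proxy) to the Defender column names.
// Assumption: Computer is the reporting host; there is no process name here.
let from_csl = CommonSecurityLog
| where TimeGenerated > ago(30d)
| project Timestamp = TimeGenerated, DeviceName = Computer, InitiatingProcessFileName = "",
          RemoteIP = DestinationIP, RemotePort = DestinationPort,
          ActionType = DeviceAction, Source = "CommonSecurityLog";
let from_mde = DeviceNetworkEvents
| where Timestamp > ago(30d)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort,
          ActionType, Source = "DeviceNetworkEvents";
union from_csl, from_mde
| where RemoteIP in (ioc_pairs | project RemoteIP)      // cheap pre-filter before the join
| join kind=inner ioc_pairs on RemoteIP, RemotePort     // require the exact ip:port pair
| project Timestamp, Source, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort,
          ActionType, Confidence, FirstSeen
| order by Confidence desc, Timestamp desc
```

Rows from DeviceNetworkEvents carry the initiating process, which is the first thing to check when triaging a hit; the 100% confidence indicator sorts to the top.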
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
**Scenario: Legitimate scheduled job using PowerShell for system maintenance**
Description: A scheduled task runs a PowerShell script that downloads a file from a trusted internal repository, which coincidentally matches an AsyncRAT IOC.
Filter/Exclusion: Exclude files downloaded from internal IP ranges (e.g., src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)) or files signed by a known internal CA.

**Scenario: Admin using Cobalt Strike for red team exercise**
Description: A red team administrator is using Cobalt Strike, which may have network activity that overlaps with AsyncRAT IOCs during a simulated attack.
Filter/Exclusion: Exclude processes initiated by known red team tools (e.g., process_name = "cobaltstrike.exe") or network connections to internal test environments.

**Scenario: Legitimate software update using a known malicious-looking filename**
Description: A software update from a trusted vendor uses a filename that matches an AsyncRAT IOC (e.g., update.exe), leading to a false positive.
Filter/Exclusion: Exclude files signed by known vendors (e.g., file_hash IN (known_vendor_hashes)) or files downloaded from official update servers.

**Scenario: System backup using rsync or similar tools**
Description: A backup process using rsync or robocopy transfers files that match AsyncRAT IOCs due to similar file names or paths.
Filter/Exclusion: Exclude file transfers involving known backup tools (e.g., process_name = "rsync.exe" OR process_name = "robocopy.exe") or files located in backup directories.
**Scenario: Legitimate remote management using