The ThreatFox: AsyncRAT IOCs rule flags network connections to command-and-control (C2) infrastructure that ThreatFox has attributed to AsyncRAT, an open-source .NET remote access trojan used for persistent remote access, credential theft and data exfiltration. SOC teams should hunt for connections to these IOCs in Azure Sentinel so that an infected host is found and contained before the operator moves laterally or stages data for exfiltration.
IOC Summary

Malware Family: AsyncRAT
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 147[.]124[.]216[.]58:80 | botnet_cc | 2026-05-13 | 75% |
| ip:port | 34[.]75[.]35[.]194:8808 | botnet_cc | 2026-05-12 | 100% |
| ip:port | 37[.]72[.]172[.]58:7077 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 89[.]213[.]118[.]219:2000 | botnet_cc | 2026-05-12 | 100% |
```kusto
// Hunt for network connections to known malicious IPs in firewall / proxy logs (CEF)
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["89.213.118.219", "147.124.216.58", "34.75.35.194", "37.72.172.58"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, Computer, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events (run as a separate query from the one above)
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["89.213.118.219", "147.124.216.58", "34.75.35.194", "37.72.172.58"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
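The two queries above match on IP address alone, so any connection to one of the four hosts on any port is returned. ThreatFox publishes these IOCs as ip:port pairs, and for an address that also serves legitimate traffic (shared or cloud-hosted infrastructure, or the 147[.]124[.]216[.]58 entry on port 80) a bare-IP match will pull in unrelated connections. The following query is an added example, not part of the ThreatFox rule or the queries above: it joins both log sources against the exact ip:port pairs from the IOC table in a single hunt. It assumes the standard Sentinel schemas for DeviceNetworkEvents (Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcess* columns) and CommonSecurityLog (Computer, DestinationIP, DestinationPort, DeviceVendor, DeviceProduct, DeviceAction); the aliases Source, Host, Ip, Port and Detail are names chosen here for the normalized output.

```kusto
// Added example: hunt for the exact ip:port pairs reported by ThreatFox for AsyncRAT
// across Defender for Endpoint and CEF firewall logs in one query.
// The pair match avoids hits on unrelated traffic to a shared address.
let asyncrat_c2 = datatable(Ip: string, Port: int) [
    "147.124.216.58", 80,
    "34.75.35.194",   8808,
    "37.72.172.58",   7077,
    "89.213.118.219", 2000
];
// Normalize DeviceNetworkEvents to Source / Host / Ip / Port / Detail.
let endpoint = DeviceNetworkEvents
| project TimeGenerated = Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
          Ip = RemoteIP, Port = RemotePort,
          Detail = strcat(InitiatingProcessAccountName, " ", InitiatingProcessFileName, " ", InitiatingProcessCommandLine);
// Normalize CommonSecurityLog the same way (outbound direction: destination side).
let firewall = CommonSecurityLog
| project TimeGenerated, Source = "CommonSecurityLog", Host = Computer,
          Ip = DestinationIP, Port = DestinationPort,
          Detail = strcat(DeviceVendor, " ", DeviceProduct, " action=", DeviceAction);
union endpoint, firewall
| join kind=inner asyncrat_c2 on Ip, Port      // match on the full ip:port pair, not the IP alone
| project TimeGenerated, Source, Host, Ip, Port, Detail
| order by TimeGenerated desc
```

Keeping the IOC list in a datatable rather than a dynamic array means the Confidence and First Seen columns from the ThreatFox table can be added as extra fields and carried through to the result, which helps when triaging a hit on a 75% entry versus a 100% one. Firewall logs that record the connection from the inside also set SourceIP to the victim, so a second join on SourceIP/SourcePort is only needed if the device logs inbound traffic from the C2 host.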
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) connector; ensure the firewall or proxy forwards outbound connection logs including destination port |
| DeviceNetworkEvents | Populated by the Microsoft 365 Defender connector; ensure Defender for Endpoint raw event streaming is enabled |
The exclusions below apply to process-name or command-line hunts that match on the string async; the IP-based queries above are unaffected by them and should instead be tuned on the exact ip:port pair and the First Seen date of each IOC.

Scenario: Legitimate scheduled job using crontab for system maintenance
Description: A system administrator schedules a cron job via crontab that runs a legitimate maintenance script whose name or command line contains the string async.
Filter/Exclusion: Exclude processes whose command line includes crontab, or whose owning user is a known administrative account (e.g., root, admin, sysadmin).
Scenario: Use of Async in a legitimate PowerShell script for asynchronous tasks
Description: A DevOps engineer runs a PowerShell script named AsyncTask.ps1 that uses asynchronous operations for task management.
Filter/Exclusion: Exclude PowerShell scripts whose file name or content includes async when the script is located in a known DevOps or script repository path (e.g., /opt/devops/).
Scenario: Administrative task using Async in a Python script for batch processing
Description: A developer runs a Python script named async_batch_processor.py that uses asynchronous I/O for batch data processing as part of a regular ETL (Extract, Transform, Load) pipeline.
Filter/Exclusion: Exclude processes whose script path contains etl/ or batch/ when the user is a member of the devops or data_engineer group.
Scenario: Legitimate use of Async in a network monitoring tool
Description: A network monitoring tool built on Python's asyncio library monitors network traffic asynchronously, so the string async appears in its command-line arguments or logs.
Filter/Exclusion: Exclude processes whose binary name or command line includes asyncio or AsyncIO, and the process is