The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be operating undetected within their environment.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 178[.]73[.]218[.]13:1000 | botnet_cc | 2026-05-21 | 50% |
| ip:port | 45[.]154[.]98[.]84:9999 | botnet_cc | 2026-05-21 | 50% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: the IOCs above are ip:port pairs (ports 1000 and 9999); this query matches
// on IP alone, so review DestinationPort in the results against the listed ports.
let malicious_ips = dynamic(["45.154.98.84", "178.73.218.13"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT
// Same IP-only match as above; compare RemotePort with the listed ports when triaging.
let malicious_ips = dynamic(["45.154.98.84", "178.73.218.13"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
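The queries above match on IP alone, while the ThreatFox entries are ip:port pairs. The following added Python example (not part of the rule or of ThreatFox) refangs the defanged table values, keeps the port with each IOC, and classifies connection events as exact ip:port hits or IP-only hits that still need port review; the sample events and their field names are constructed for the example.

```python
import ipaddress

# IOC rows copied from the table above (defanged with "[.]"); constructed list for the example.
THREATFOX_IOCS = [
    ("ip:port", "178[.]73[.]218[.]13:1000", "botnet_cc", 50),
    ("ip:port", "45[.]154[.]98[.]84:9999", "botnet_cc", 50),
]

def refang(value):
    """Turn a defanged indicator (178[.]73[.]218[.]13) back into its real form."""
    return value.replace("[.]", ".").replace("[:]", ":")

def parse_ip_port(raw):
    """Split an 'ip:port' IOC into (ip, port), rejecting malformed addresses or ports."""
    ip, _, port = refang(raw).rpartition(":")
    # ip_address() and int() both raise ValueError on malformed input
    return str(ipaddress.ip_address(ip)), int(port)

def build_ioc_index(rows):
    """Map IP -> set of ports for every ip:port IOC (other IOC types are skipped)."""
    index = {}
    for ioc_type, value, _threat_type, _confidence in rows:
        if ioc_type != "ip:port":
            continue
        ip, port = parse_ip_port(value)
        index.setdefault(ip, set()).add(port)
    return index

def match_events(events, index):
    """Return (event id, ip, 'exact' | 'ip_only') for each event touching an IOC IP."""
    hits = []
    for ev in events:
        for role in ("SourceIP", "DestinationIP"):
            ip = ev.get(role)
            if ip not in index:
                continue
            # The IOC port is the C2 listener port, so it only applies to the destination side.
            port_hit = role == "DestinationIP" and ev.get("DestinationPort") in index[ip]
            hits.append((ev["Id"], ip, "exact" if port_hit else "ip_only"))
    return hits

# Constructed sample connection events for the example (not real telemetry).
SAMPLE_EVENTS = [
    {"Id": 1, "SourceIP": "10.0.0.5", "DestinationIP": "45.154.98.84", "DestinationPort": 9999},
    {"Id": 2, "SourceIP": "10.0.0.6", "DestinationIP": "45.154.98.84", "DestinationPort": 443},
    {"Id": 3, "SourceIP": "178.73.218.13", "DestinationIP": "10.0.0.7", "DestinationPort": 3389},
    {"Id": 4, "SourceIP": "10.0.0.8", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]
```

Running `match_events(SAMPLE_EVENTS, build_ioc_index(THREATFOX_IOCS))` flags event 1 as an exact ip:port hit and events 2 and 3 as IP-only hits for analyst review.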
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using async in script name
Description: A scheduled job or automation script uses the word “async” in its name, which may trigger the rule.
Filter/Exclusion: `process.name != "async*" or process.name notcontains "async"`

Scenario: Admin task using async in PowerShell script
Description: An administrator runs a PowerShell script that includes the term “async” for asynchronous operations, which may be flagged.
Filter/Exclusion: `process.name != "powershell.exe" OR process.name notcontains "async"`

Scenario: Use of AsyncRAT-related tools in incident response
Description: Security teams may use tools with similar names to AsyncRAT during incident response or forensic analysis.
Filter/Exclusion: `process.name notcontains "AsyncRAT" AND process.name notcontains "ThreatFox"`

Scenario: Legitimate software with “Async” in its name
Description: A legitimate application or service (e.g., AsyncHTTPServer, AsyncLogger) may have “Async” in its name, triggering the rule.
Filter/Exclusion: `process.name notcontains "Async" OR process.name notcontains "AsyncRAT"`

Scenario: False positive from a third-party tool with similar IOCs
Description: A third-party tool or service may share IOCs with AsyncRAT (e.g., async-logger, async-queue), leading to a false positive.
Filter/Exclusion: `process.name notcontains "async-logger" AND process.name notcontains "async-queue"`