The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is commonly used for persistent remote access and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may have already established a foothold in the network.
IOC Summary
Malware Family: AsyncRAT Total IOCs: 4 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 83[.]136[.]211[.]4:56001 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 83[.]136[.]211[.]4:56002 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 91[.]92[.]243[.]63:1000 | botnet_cc | 2026-05-18 | 100% |
| ip:port | 35[.]202[.]235[.]112:80 | botnet_cc | 2026-05-18 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["83.136.211.4", "35.202.235.112", "91.92.243.63"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["83.136.211.4", "35.202.235.112", "91.92.243.63"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup job using rsync may trigger the rule if it coincidentally matches one of the AsyncRAT IOCs (e.g., a command-line argument or file path).
Filter/Exclusion: Check for process.name = rsync and process.args contains "backup" or process.args contains "rsync".
Scenario: Admin using curl to download a legitimate update from a known server
Description: An administrator may use curl to fetch a software update from a trusted server, which could match an IOC associated with AsyncRAT.
Filter/Exclusion: Filter by process.name = curl and destination.hostname in ("trusted-update-server.com", "internal.repo.example.com").
Scenario: PowerShell script running a legitimate system cleanup task
Description: A PowerShell script used for system cleanup (e.g., Get-ChildItem, Remove-Item) may contain strings that match AsyncRAT IOCs.
Filter/Exclusion: Check for process.name = powershell and script.name contains "Cleanup.ps1" or script.name contains "Maintenance.ps1".
Scenario: Legitimate file transfer using scp between internal servers
Description: A file transfer between internal servers using scp may trigger the rule if the file path or command matches an IOC.
Filter/Exclusion: Filter by process.name = scp and source.hostname in ("internal-server-01", "internal-server-02") and destination.hostname in ("internal-server-03", "internal-server-04").
Scenario: System command to list files in a sensitive directory using ls or dir
Description: A system command to