The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is commonly used for persistent remote access and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage these IOCs to maintain stealthy, long-term access to compromised networks.
IOC Summary
Malware Family: AsyncRAT Total IOCs: 3 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 178[.]16[.]53[.]46:7331 | botnet_cc | 2026-05-17 | 75% |
| ip:port | 154[.]29[.]72[.]21:6606 | botnet_cc | 2026-05-17 | 75% |
| ip:port | 65[.]21[.]21[.]227:5222 | botnet_cc | 2026-05-17 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["65.21.21.227", "154.29.72.21", "178.16.53.46"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["65.21.21.227", "154.29.72.21", "178.16.53.46"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup job using rsync may trigger the rule if it coincidentally matches an IOC associated with AsyncRAT.
Filter/Exclusion: Exclude processes where the command line includes rsync or backup in the command line arguments.
Scenario: System update using yum or apt
Description: A system update process using yum or apt may trigger the rule if it matches an IOC related to AsyncRAT.
Filter/Exclusion: Exclude processes where the command line includes yum update or apt upgrade.
Scenario: Admin task using netsh for network configuration
Description: An administrator using netsh to configure network settings may trigger the rule if the command line matches an IOC.
Filter/Exclusion: Exclude processes where the command line includes netsh and the user is a domain admin or has elevated privileges.
Scenario: Log collection using logrotate
Description: A log rotation task using logrotate may trigger the rule if it matches an IOC.
Filter/Exclusion: Exclude processes where the command line includes logrotate or /etc/logrotate.conf.
Scenario: PowerShell script for system monitoring
Description: A PowerShell script used for system monitoring (e.g., Get-EventLog, Get-Process) may trigger the rule if it matches an IOC.
Filter/Exclusion: Exclude processes where the command line includes powershell.exe and the script path is in a known monitoring or admin tool directory (e.g., C:\Windows\System32\).