The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known malicious indicators associated with compromised IoT devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai infections before they spread across the network.
IOC Summary
Malware Family: Mirai
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | shell.botnet.st | botnet_cc | 2026-06-11 | 100% |
| domain | real.botnet.st | botnet_cc | 2026-06-11 | 100% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
let malicious_domains = dynamic(["shell.botnet.st", "real.botnet.st"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
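To check the hunt's matching behaviour offline before running it against live telemetry, the following added example (not ThreatFox or Sentinel code) replays the same logic in Python over a few constructed DnsEvents records. It approximates KQL `has_any` term matching with exact-domain-or-subdomain matching, which, unlike a plain substring check, does not fire on look-alike names such as `notshell.botnet.st.example.com`.

```python
from datetime import datetime

# Known Mirai C2 domains from the ThreatFox IOC table on this page.
MALICIOUS_DOMAINS = ("shell.botnet.st", "real.botnet.st")

# Constructed sample DnsEvents rows (not real telemetry); the keys mirror the
# columns projected by the hunting query above.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-06-11T08:00:00Z", "Computer": "srv-01",
     "Name": "login.microsoftonline.com", "IPAddresses": "20.190.128.1", "QueryType": "A"},
    {"TimeGenerated": "2026-06-11T08:01:00Z", "Computer": "cam-01",
     "Name": "shell.botnet.st", "IPAddresses": "203.0.113.7", "QueryType": "A"},
    {"TimeGenerated": "2026-06-11T08:02:30Z", "Computer": "cam-02",
     "Name": "update.real.botnet.st", "IPAddresses": "", "QueryType": "A"},
    {"TimeGenerated": "2026-06-11T08:03:10Z", "Computer": "ws-07",
     "Name": "notshell.botnet.st.example.com", "IPAddresses": "198.51.100.9", "QueryType": "A"},
]

PROJECTED_COLUMNS = ("TimeGenerated", "Computer", "Name", "IPAddresses", "QueryType")


def matches_ioc(name, iocs=MALICIOUS_DOMAINS):
    """True if the queried name is an IOC domain or a subdomain of one.

    Suffix matching on a label boundary approximates KQL `has_any`, which
    matches whole terms rather than arbitrary substrings.
    """
    host = name.rstrip(".").lower()
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def hunt_dns_events(events, iocs=MALICIOUS_DOMAINS):
    """Filter, project and order events the way the KQL hunt does."""
    hits = [{col: event.get(col) for col in PROJECTED_COLUMNS}
            for event in events if matches_ioc(event.get("Name", ""), iocs)]
    # order by TimeGenerated desc; "Z" is rewritten so fromisoformat accepts it on older Pythons.
    return sorted(hits,
                  key=lambda e: datetime.fromisoformat(e["TimeGenerated"].replace("Z", "+00:00")),
                  reverse=True)


if __name__ == "__main__":
    for hit in hunt_dns_events(SAMPLE_DNS_EVENTS):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], hit["QueryType"])
```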
- Scenario: System backup process using `tar` or `rsync` that includes the /etc/ directory.
  Filter/Exclusion: Exclude processes where the command line includes `tar --exclude=/etc` or `rsync --exclude=/etc`.
- Scenario: Scheduled job running `ntpdate` or `chronyd` to synchronize time with NTP servers.
  Filter/Exclusion: Exclude processes where the command line includes `ntpdate` or `chronyd` and the destination IP is a known NTP server (e.g., 0.pool.ntp.org).
- Scenario: Admin task using `curl` or `wget` to download a configuration file from an internal repository.
  Filter/Exclusion: Exclude processes where the command line includes `curl https://internal-repo.example.com/config` or `wget https://internal-repo.example.com/config`.
- Scenario: Logrotate utility executing a script to rotate and compress log files.
  Filter/Exclusion: Exclude processes where the command line includes `/usr/sbin/logrotate` and the log file path is within /var/log/.
- Scenario: Network monitoring tool such as `nmap` or `tcpdump` performing routine network scans or packet capture.
  Filter/Exclusion: Exclude processes where the command line includes `nmap --script` or `tcpdump -i eth0` with a known internal IP range (e.g., 192.168.0.0/16).