The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying network scans and hardcoded IP:port combinations commonly used to compromise IoT devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage DDoS botnet infections before they escalate into large-scale attacks.
IOC Summary
Malware Family: Mirai
Total IOCs: 15
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://boatbeach.online/main_mpsl | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://boatbeach.online/main_m68k | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://boatbeach.online/main_ppc | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://boatbeach.online/main_arm | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://boatbeach.online/main_x86_64 | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://boatbeach.online/shcript.sh | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://boatbeach.online/main_arm7 | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://boatbeach.online/main_mips | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://boatbeach.online/main_sh4 | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://boatbeach.online/main_arm6 | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://boatbeach.online/main_arm5 | payload_delivery | 2026-05-28 | 100% |
| url | hxxp://boatbeach.online/main_x86 | payload_delivery | 2026-05-28 | 100% |
| ip:port | 176[.]65[.]139[.]168:34241 | botnet_cc | 2026-05-28 | 80% |
| ip:port | 103[.]77[.]246[.]174:1999 | botnet_cc | 2026-05-28 | 80% |
| ip:port | 50[.]56[.]159[.]185:3778 | botnet_cc | 2026-05-28 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["50.56.159.185", "103.77.246.174", "176.65.139.168"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["50.56.159.185", "103.77.246.174", "176.65.139.168"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Mirai
let malicious_urls = dynamic(["http://boatbeach.online/main_mpsl", "http://boatbeach.online/main_m68k", "http://boatbeach.online/main_ppc", "http://boatbeach.online/main_arm", "http://boatbeach.online/main_x86_64", "http://boatbeach.online/shcript.sh", "http://boatbeach.online/main_arm7", "http://boatbeach.online/main_mips", "http://boatbeach.online/main_sh4", "http://boatbeach.online/main_arm6", "http://boatbeach.online/main_arm5", "http://boatbeach.online/main_x86"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled Network Scan Using Nmap
Description: A system administrator runs a scheduled Nmap scan to identify open ports and vulnerable devices on the internal network. This scan may trigger the Mirai IOC rule due to the use of common IP:port combinations.
Filter/Exclusion: nmap in the process name or nmap in the command line arguments.
Scenario: Automated Patching Job Using Ansible
Description: An Ansible playbook is executed to update firmware on IoT devices, which may involve connecting to devices using hardcoded IP addresses or ports. This can trigger the Mirai IOC rule.
Filter/Exclusion: ansible in the process name or ansible-playbook in the command line.
Scenario: Log Collection via Fluentd to ELK Stack
Description: Fluentd is used to collect logs from IoT devices and forward them to the ELK stack. The log collection process may involve connecting to devices using known IP:port pairs, which could be flagged by the Mirai IOC rule.
Filter/Exclusion: fluentd in the process name or fluentd in the command line arguments.
Scenario: Internal Security Tool Using Qualys for Asset Discovery
Description: Qualys is used to perform asset discovery and vulnerability scanning on internal IoT devices. This process may involve connecting to devices using standard IP:port combinations, which can be mistaken for Mirai activity.
Filter/Exclusion: qualys in the process name or qualys in the command line.
Scenario: System Maintenance Task Using Puppet for Configuration Management
Description: A Puppet agent is used to apply configuration changes to IoT devices, which may involve connecting to devices using predefined IP:port combinations. This could trigger the Mirai IOC rule.
*Filter/Exclusion
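The hunting queries above match on bare IP addresses even though the ThreatFox entries are ip:port pairs, and the tuning exclusions in the scenarios are described only in prose. The query below is an added example, not one of the page's or ThreatFox's own queries: it joins DeviceNetworkEvents on the (IP, port) tuple so that unrelated traffic to a shared host on another port is not flagged, additionally checks RemoteUrl for the payload-delivery URLs from the IOC table, and applies the scenario exclusions as a single filter. It assumes the standard Defender for Endpoint DeviceNetworkEvents schema (RemoteUrl and InitiatingProcessCommandLine columns) and a 30-day lookback; the benign_tools list is assembled from the scenario names above and is an assumption to be reviewed against the organization's actual tooling.

```kql
// Added example (not part of the page's original queries or the ThreatFox feed).
// Matches the ThreatFox ip:port C2 pairs as pairs, catches payload downloads from the
// URL IOCs via RemoteUrl, and applies the false-positive exclusions from the scenarios.
let c2_pairs = datatable(RemoteIP: string, RemotePort: int) [
    "176.65.139.168", 34241,
    "103.77.246.174", 1999,
    "50.56.159.185", 3778
];
let payload_urls = dynamic([
    "http://boatbeach.online/main_mpsl", "http://boatbeach.online/main_m68k",
    "http://boatbeach.online/main_ppc", "http://boatbeach.online/main_arm",
    "http://boatbeach.online/main_x86_64", "http://boatbeach.online/shcript.sh",
    "http://boatbeach.online/main_arm7", "http://boatbeach.online/main_mips",
    "http://boatbeach.online/main_sh4", "http://boatbeach.online/main_arm6",
    "http://boatbeach.online/main_arm5", "http://boatbeach.online/main_x86"]);
// Internal tooling named in the false-positive scenarios (assumed list; tune per environment)
let benign_tools = dynamic(["nmap", "ansible", "ansible-playbook", "fluentd", "qualys", "puppet"]);
let lookback = 30d;
// C2 check-ins: the port is part of the indicator, so join on the (IP, port) tuple
let c2_hits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | join kind=inner (c2_pairs) on RemoteIP, RemotePort
    | extend Indicator = strcat(RemoteIP, ":", tostring(RemotePort)), IocType = "botnet_cc";
// Payload delivery: a stage-1 downloader fetching an architecture-specific binary
let payload_hits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteUrl in~ (payload_urls) or RemoteUrl has "boatbeach.online"
    | extend Indicator = RemoteUrl, IocType = "payload_delivery";
union c2_hits, payload_hits
// Tuning: drop connections initiated by the approved scanners / configuration-management agents
| where not(InitiatingProcessFileName has_any (benign_tools))
| where not(InitiatingProcessCommandLine has_any (benign_tools))
| project Timestamp, DeviceName, IocType, Indicator, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```

The exclusion only suppresses hits whose initiating process is one of the named tools, so a device contacting a listed C2 pair from any other process, or fetching one of the payload URLs, still surfaces; keeping the match on the full ip:port tuple also preserves the 80% confidence the feed assigns to those entries rather than diluting it with traffic to other services on the same host.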