The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known command-and-control servers and compromised devices commonly associated with this malware. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate Mirai-based botnet infections before they can cause widespread network disruption.
IOC Summary
Malware Family: Mirai
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 192[.]159[.]99[.]110:2049 | payload_delivery | 2026-06-15 | 100% |
| ip:port | 124[.]198[.]131[.]252:2049 | payload_delivery | 2026-06-15 | 100% |
| ip:port | 92[.]42[.]100[.]131:4568 | payload_delivery | 2026-06-15 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
// The indicators are ip:port pairs (ports 2049 and 4568); this query matches on IP alone,
// so add a DestinationPort filter if the broader match produces too much noise.
let malicious_ips = dynamic(["192.159.99.110", "92.42.100.131", "124.198.131.252"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["192.159.99.110", "92.42.100.131", "124.198.131.252"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
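The two queries above assume the defanged table values have already been refanged and collapsed to a plain IP list. The following Python is an added example, not part of the ThreatFox feed or the Sentinel rule: it refangs the three published indicators, renders them in the `dynamic([...])` form the queries use, and runs the same IP match over a handful of constructed CommonSecurityLog-style rows, optionally tightening outbound matches to the reported port. The sample rows and the `hunt`/`to_kql_dynamic` helper names are assumptions made for this example.

```python
import json

# Defanged ip:port indicators copied from the ThreatFox table above.
THREATFOX_MIRAI_IOCS = [
    "192[.]159[.]99[.]110:2049",
    "124[.]198[.]131[.]252:2049",
    "92[.]42[.]100[.]131:4568",
]


def refang(ioc: str) -> str:
    """Undo the '[.]' defanging so the value can be compared with telemetry."""
    return ioc.replace("[.]", ".")


def parse_ip_port(ioc: str) -> tuple:
    """Split a refanged 'ip:port' indicator into its two parts."""
    ip, _, port = refang(ioc).rpartition(":")
    return ip, int(port)


def build_index(iocs):
    """Map each IOC IP to the set of ports ThreatFox reported for it."""
    index = {}
    for ioc in iocs:
        ip, port = parse_ip_port(ioc)
        index.setdefault(ip, set()).add(port)
    return index


def to_kql_dynamic(iocs) -> str:
    """Render the IP list in the form the hunting queries above expect."""
    ips = sorted(build_index(iocs))
    return "dynamic(" + json.dumps(ips) + ")"


# Constructed sample rows shaped like CommonSecurityLog output (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-15T10:01:02Z", "SourceIP": "10.0.5.21",
     "DestinationIP": "192.159.99.110", "DestinationPort": 2049, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:03:40Z", "SourceIP": "10.0.5.22",
     "DestinationIP": "192.159.99.110", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:05:11Z", "SourceIP": "10.0.5.23",
     "DestinationIP": "92.42.100.131", "DestinationPort": 4568, "DeviceAction": "deny"},
    {"TimeGenerated": "2026-06-15T10:06:00Z", "SourceIP": "10.0.5.24",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:07:30Z", "SourceIP": "124.198.131.252",
     "DestinationIP": "10.0.5.30", "DestinationPort": 22, "DeviceAction": "deny"},
]


def hunt(events, iocs, require_port=True):
    """Return (TimeGenerated, direction) for every event touching an IOC IP.

    Outbound matches are tightened to the reported port when require_port is True.
    Inbound matches are on source IP alone: the IOC port would be the remote
    source port, which the projected columns do not carry.
    """
    index = build_index(iocs)
    hits = []
    for ev in events:
        dst, src = ev["DestinationIP"], ev["SourceIP"]
        if dst in index and (not require_port or ev["DestinationPort"] in index[dst]):
            hits.append((ev["TimeGenerated"], "outbound"))
        elif src in index:
            hits.append((ev["TimeGenerated"], "inbound"))
    return hits


if __name__ == "__main__":
    print(to_kql_dynamic(THREATFOX_MIRAI_IOCS))
    for when, direction in hunt(SAMPLE_EVENTS, THREATFOX_MIRAI_IOCS):
        print(when, direction)
```

With `require_port=True` the row to 192.159.99.110:443 is dropped, which is the trade-off the KQL makes in the other direction: matching on IP alone catches the connection but also any unrelated traffic to a host that may have been reassigned since the indicator was first seen.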
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using nc (Netcat)
Description: A legitimate system backup process uses nc to transfer backup files over a local network.
Filter/Exclusion: `process.name != "nc" OR network.destination_ip != "192.168.1.0/24"`

Scenario: Admin Task Using nc for Remote Debugging
Description: A system administrator uses nc to remotely debug a service on an internal host.
Filter/Exclusion: `process.user != "root" OR network.destination_ip != "10.0.0.0/8"`

Scenario: Cron Job Running nc for Monitoring Purposes
Description: A cron job runs nc to monitor network connectivity or service availability.
Filter/Exclusion: `process.command_line LIKE '%cron%' OR process.name != "nc"`

Scenario: Log Shipper Using nc to Send Logs to a Central Server
Description: A log shipper tool (e.g., logrotate, rsyslog, or fluentd) uses nc to send logs to a central logging server.
Filter/Exclusion: `process.name != "nc" OR network.destination_ip != "10.10.0.0/16"`

Scenario: Internal Network Discovery Tool Using nc
Description: A network discovery tool (e.g., nmap, arp-scan, or tcpdump) uses nc as part of its scanning process.
Filter/Exclusion: `process.name != "nc" OR network.destination_ip != "192.168.0.0/16"`
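The scenario filters above compare a single destination address against a CIDR string with `!=`, which never matches in a real query engine; the intent is a subnet membership test. The Python below is an added example, not part of the original rule, that encodes the five scenarios as structured exclusion rules (process name, optional user, optional command-line substring, optional destination network) and applies them with a proper `ipaddress` check, returning the scenario that suppressed an event or `None` if it should still alert. The event shape, the sample events and the `BenignScenario` encoding are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessNetEvent:
    """Minimal process-plus-connection event (constructed shape for this example)."""
    process_name: str
    user: str
    command_line: str
    destination_ip: str


@dataclass
class BenignScenario:
    """One tuning rule: every field that is set must match for the event to be excluded."""
    label: str
    process_name: str
    user: Optional[str] = None                # exact user, or None for any user
    command_substring: Optional[str] = None   # substring of the command line, or None
    destination_net: Optional[str] = None     # CIDR the destination must fall in, or None

    def matches(self, ev: ProcessNetEvent) -> bool:
        if ev.process_name != self.process_name:
            return False
        if self.user is not None and ev.user != self.user:
            return False
        if self.command_substring is not None and self.command_substring not in ev.command_line:
            return False
        if self.destination_net is not None:
            # Real subnet membership, not a string comparison against the CIDR text.
            net = ipaddress.ip_network(self.destination_net)
            if ipaddress.ip_address(ev.destination_ip) not in net:
                return False
        return True


# The five scenarios above, as structured rules (hypothetical encoding of the page's filters).
BENIGN_NC_SCENARIOS = [
    BenignScenario("scheduled backup", "nc", destination_net="192.168.1.0/24"),
    BenignScenario("admin remote debugging", "nc", user="root", destination_net="10.0.0.0/8"),
    BenignScenario("cron monitoring", "nc", command_substring="cron"),
    BenignScenario("log shipper", "nc", destination_net="10.10.0.0/16"),
    BenignScenario("internal discovery", "nc", destination_net="192.168.0.0/16"),
]


def classify(ev: ProcessNetEvent, scenarios=BENIGN_NC_SCENARIOS) -> Optional[str]:
    """Return the label of the first scenario that excludes the event, or None if it should alert."""
    for sc in scenarios:
        if sc.matches(ev):
            return sc.label
    return None


def triage(events, scenarios=BENIGN_NC_SCENARIOS):
    """Split events into (alerts, suppressed); suppressed entries carry their scenario label."""
    alerts, suppressed = [], []
    for ev in events:
        label = classify(ev, scenarios)
        if label is None:
            alerts.append(ev)
        else:
            suppressed.append((ev, label))
    return alerts, suppressed


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessNetEvent("nc", "backup", "nc 192.168.1.50 9000", "192.168.1.50"),
    ProcessNetEvent("nc", "root", "nc -v 10.2.3.4 8080", "10.2.3.4"),
    ProcessNetEvent("nc", "svc", "nc -v 10.2.3.4 8080", "10.2.3.4"),
    ProcessNetEvent("nc", "www-data", "nc 203.0.113.7 4444", "203.0.113.7"),
    ProcessNetEvent("bash", "root", "bash -c id", "203.0.113.7"),
]


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev, label in suppressed:
        print("suppressed:", label, ev.command_line)
    for ev in alerts:
        print("alert:", ev.process_name, ev.user, ev.destination_ip)
```

Note that the first and last scenarios overlap (192.168.1.0/24 sits inside 192.168.0.0/16), so rule order decides which label a suppressed event receives; the non-root connection to 10.2.3.4 and the connection to 203.0.113.7 fall outside every scenario and still alert.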