The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known malicious indicators associated with compromised IoT devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai infections before they spread across the network.
IOC Summary
Malware Family: Mirai
Total IOCs: 2
IOC Types: sha256_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 194[.]48[.]251[.]24:80 | botnet_cc | 2026-06-19 | 75% |
| sha256_hash | f253a4f1afdd89847bbe27defbc46043d73391d1d624752d457505489b5e3f05 | payload | 2026-06-19 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["194.48.251.24"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["194.48.251.24"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Mirai
// Note: this list holds SHA-256 values only, so only the SHA256 column can match;
// the SHA1 and MD5 comparisons are kept for reuse with mixed-type hash lists.
let malicious_hashes = dynamic(["f253a4f1afdd89847bbe27defbc46043d73391d1d624752d457505489b5e3f05"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
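To show how the IOC lists in the queries above are derived from the ThreatFox records and kept type-consistent, here is an added Python example (not part of this rule page or of ThreatFox's own tooling): it refangs the indicators, splits the ip:port entry into an IP and a port, validates hash lengths, emits a KQL list per hash column so a SHA-256 value is only compared against the SHA256 field, and flags sample network events on an exact (IP, port) match. The record field names and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed ThreatFox-style records for the two IOCs in the table above (field names assumed).
THREATFOX_IOCS = [
    {"ioc_type": "ip:port", "ioc_value": "194[.]48[.]251[.]24:80", "threat_type": "botnet_cc", "confidence": 75},
    {"ioc_type": "sha256_hash", "ioc_value": "f253a4f1afdd89847bbe27defbc46043d73391d1d624752d457505489b5e3f05", "threat_type": "payload", "confidence": 80},
]
# ThreatFox hash IOC type -> (Defender column holding that hash kind, expected hex length)
HASH_KINDS = {"md5_hash": ("MD5", 32), "sha1_hash": ("SHA1", 40), "sha256_hash": ("SHA256", 64)}

def refang(value):
    """Undo common defanging so the value compares equal to what logs actually contain."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def group_iocs(records, min_confidence=0):
    """Bucket IOCs by type; an ip:port IOC yields both the bare IP and the (ip, port) pair."""
    groups = defaultdict(set)
    for rec in (r for r in records if r["confidence"] >= min_confidence):
        value, kind = refang(rec["ioc_value"]), rec["ioc_type"]
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            groups["ip"].add(ip)
            groups["ip:port"].add((ip, int(port)))
        elif kind in HASH_KINDS:
            if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_KINDS[kind][1], value):
                raise ValueError(f"malformed {kind}: {value}")  # would silently never match
            groups[kind].add(value.lower())
    return groups

def kql_list(values):
    """Render a set of strings as a KQL dynamic() literal."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"

def build_hunt_queries(records, min_confidence=0):
    """One query per table; each hash type is compared only against its own column."""
    groups, queries = group_iocs(records, min_confidence), {}
    if groups["ip"]:
        queries["DeviceNetworkEvents"] = (f"let malicious_ips = {kql_list(groups['ip'])};\n"
                                         "DeviceNetworkEvents\n| where RemoteIP in (malicious_ips)")
    preds = [f"{col} in ({kql_list(groups[k])})" for k, (col, _) in HASH_KINDS.items() if groups[k]]
    if preds:
        queries["DeviceFileEvents"] = "DeviceFileEvents\n| where " + " or ".join(preds)
    return queries

def match_network_events(events, groups):
    """Triage helper: flag events whose (RemoteIP, RemotePort) matches an ip:port IOC exactly."""
    return [ev["DeviceName"] for ev in events
            if (ev["RemoteIP"], int(ev["RemotePort"])) in groups["ip:port"]]
```

Raising `min_confidence` above 75 drops the IP indicator, which is how you would tune the hunt to higher-confidence ThreatFox entries only.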
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using netstat to check for open ports during routine maintenance.
Filter/Exclusion: Exclude processes with netstat in the command line or filter by user root or admin accounts.
Scenario: A scheduled job runs crontab to execute a backup script that temporarily opens port 7000 for internal communication.
Filter/Exclusion: Exclude processes with crontab in the command line or filter by process names like backup_script.sh.
Scenario: A devops tool like Ansible is used to deploy configurations, and one of the tasks involves nc (netcat) to test connectivity between servers.
Filter/Exclusion: Exclude processes containing nc or netcat in the command line, or filter by Ansible-related process names.
Scenario: A log aggregation tool like Fluentd is configured to use tcpdump to capture network traffic for analysis.
Filter/Exclusion: Exclude processes with tcpdump in the command line or filter by the user running the log aggregation service.
Scenario: A CI/CD pipeline (e.g., Jenkins) is using telnet to verify connectivity to a service during pipeline execution.
Filter/Exclusion: Exclude processes with telnet in the command line or filter by Jenkins-related process names or user IDs.