The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known malicious indicators associated with compromised IoT devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate large-scale DDoS attacks and lateral movement within their network.
IOC Summary

Malware Family: Mirai
Total IOCs: 4
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 176[.]65[.]139[.]144:80 | botnet_cc | 2026-06-01 | 75% |
| ip:port | 101[.]47[.]8[.]187:80 | payload_delivery | 2026-06-01 | 80% |
| ip:port | 176[.]65[.]149[.]124:3778 | botnet_cc | 2026-06-01 | 80% |
| domain | 176[.]65[.]149[.]124.ptr.pfcloud.network | botnet_cc | 2026-06-01 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["176.65.149.124", "176.65.139.144", "101.47.8.187"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["176.65.149.124", "176.65.139.144", "101.47.8.187"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
let malicious_domains = dynamic(["176.65.149.124.ptr.pfcloud.network"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: System update or patching process using apt or yum that includes known Mirai-related packages or dependencies.
  Filter/Exclusion: Exclude processes initiated by package managers (apt, yum, dnf) or during scheduled maintenance windows.
- Scenario: Scheduled backup job using rsync or tar that transfers files containing Mirai-related strings in log files or configuration files.
  Filter/Exclusion: Exclude processes associated with backup tools (rsync, tar, backup.sh) or during known backup windows.
- Scenario: Admin task involving netstat or nmap for network diagnostics that includes IP addresses or ports associated with Mirai.
  Filter/Exclusion: Exclude processes initiated by network diagnostic tools (netstat, nmap, tcpdump) or during routine network monitoring.
- Scenario: Log analysis tool like logrotate or the ELK stack processing logs that contain Mirai-related keywords due to log formatting or parsing rules.
  Filter/Exclusion: Exclude processes related to log management tools (logrotate, logstash, filebeat) or logs generated by log analysis workflows.
- Scenario: DevOps pipeline using Jenkins or GitLab CI that includes a script or job with Mirai-related strings in the source code or configuration.
  Filter/Exclusion: Exclude processes initiated by CI/CD tools (Jenkins, GitLab CI, GitHub Actions) or during automated build/deploy stages.
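The following Python script is an added example, not part of the ThreatFox rule or of Sentinel: it shows, offline, what the three KQL hunts above do and how the process-based exclusions from the false-positive scenarios are applied on top of them. It refangs the defanged indicators from the IOC table (`[.]` back to `.`), matches IPs on either side of a connection the way the CommonSecurityLog and DeviceNetworkEvents queries do, matches DNS names against the listed domain, and drops hits whose initiating process is on the exclusion list. The event records, device names and private/TEST-NET addresses are constructed sample data; only the indicator values come from the page.

```python
"""Offline replay of the ThreatFox Mirai IOC hunts over constructed sample events.

Added example, not part of the original rule page. The IOC values are the ones
from the table above; every event, host name and private IP is constructed.
"""
import ipaddress
from dataclasses import dataclass

# IOCs copied verbatim from the ThreatFox table above, still defanged.
IOC_TABLE = [
    ("ip:port", "176[.]65[.]139[.]144:80", "botnet_cc"),
    ("ip:port", "101[.]47[.]8[.]187:80", "payload_delivery"),
    ("ip:port", "176[.]65[.]149[.]124:3778", "botnet_cc"),
    ("domain", "176[.]65[.]149[.]124.ptr.pfcloud.network", "botnet_cc"),
]

# Benign initiating processes taken from the false-positive scenarios above.
EXCLUDED_PROCESSES = {
    "apt", "yum", "dnf", "rsync", "tar", "backup.sh",
    "netstat", "nmap", "tcpdump", "logrotate", "logstash", "filebeat",
}


def refang(value: str) -> str:
    """Turn defanged feed notation ([.] and hxxp) back into a literal indicator."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def split_iocs(table):
    """Return (set of IPs, set of domains) from the IOC table.

    The port is dropped deliberately: the KQL hunts match on IP alone so a C2
    that moves port is still caught; the observed port is reported from the event.
    """
    ips, domains = set(), set()
    for ioc_type, value, _threat in table:
        value = refang(value)
        if ioc_type == "ip:port":
            host, _sep, _port = value.rpartition(":")
            ipaddress.ip_address(host)  # raises ValueError on a malformed indicator
            ips.add(host)
        elif ioc_type == "domain":
            domains.add(value.lower())
    return ips, domains


@dataclass
class NetEvent:
    """Flattened shape of a CommonSecurityLog / DeviceNetworkEvents row."""
    timestamp: str
    device: str
    src_ip: str
    dst_ip: str
    dst_port: int
    process: str  # InitiatingProcessFileName


@dataclass
class DnsEvent:
    """Flattened shape of a DnsEvents row."""
    timestamp: str
    computer: str
    name: str


def hunt_network(events, ips, excluded=EXCLUDED_PROCESSES):
    """Connections touching an IOC IP on either side, minus excluded processes, newest first."""
    hits = [
        ev for ev in events
        if (ev.src_ip in ips or ev.dst_ip in ips) and ev.process.lower() not in excluded
    ]
    return sorted(hits, key=lambda ev: ev.timestamp, reverse=True)


def hunt_dns(events, domains):
    """DNS queries for an IOC domain or any of its subdomains, newest first."""
    def matches(name):
        name = name.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in domains)
    return sorted((ev for ev in events if matches(ev.name)),
                  key=lambda ev: ev.timestamp, reverse=True)


# Constructed sample events: two IoT-style beacons, one excluded diagnostic
# scan, one benign connection (203.0.113.10 is a TEST-NET-3 address).
SAMPLE_NET = [
    NetEvent("2026-06-01T10:00:00Z", "cam-lobby-01", "10.0.0.21", "176.65.149.124", 3778, "busybox"),
    NetEvent("2026-06-01T10:01:00Z", "cam-lobby-01", "10.0.0.21", "101.47.8.187", 80, "wget"),
    NetEvent("2026-06-01T10:02:00Z", "build-agent-3", "10.0.1.5", "176.65.139.144", 80, "nmap"),
    NetEvent("2026-06-01T10:03:00Z", "ws-42", "10.0.2.9", "203.0.113.10", 443, "chrome.exe"),
]
SAMPLE_DNS = [
    DnsEvent("2026-06-01T10:00:00Z", "cam-lobby-01", "176.65.149.124.ptr.pfcloud.network"),
    DnsEvent("2026-06-01T10:04:00Z", "ws-42", "www.example.com"),
]

if __name__ == "__main__":
    ioc_ips, ioc_domains = split_iocs(IOC_TABLE)
    for hit in hunt_network(SAMPLE_NET, ioc_ips):
        print(f"NET {hit.timestamp} {hit.device} -> {hit.dst_ip}:{hit.dst_port} ({hit.process})")
    for hit in hunt_dns(SAMPLE_DNS, ioc_domains):
        print(f"DNS {hit.timestamp} {hit.computer} queried {hit.name}")
```

Run with the exclusion set emptied (`hunt_network(SAMPLE_NET, ioc_ips, excluded=set())`) to see the third connection reappear; that is the trade-off the false-positive scenarios make, so in production keep the exclusion list short and review what it suppresses.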