The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by matching DNS query names against known command-and-control (botnet_cc) domains published for the Mirai family. Mirai propagates by compromising IoT devices (IP cameras, DVRs, routers), and an infected device typically resolves its C2 domain before joining the botnet, so a hit on one of these names is an early signal of an infection that has not yet been used for an attack. SOC teams should proactively hunt for these queries in Microsoft Sentinel (formerly Azure Sentinel), identify the querying client rather than the DNS server that logged the lookup, and isolate or re-image the device before it is tasked.
IOC Summary
Malware Family: Mirai
Total IOCs: 10
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | 00000l.nvms9000.su | botnet_cc | 2026-06-08 | 100% |
| domain | horizon.nvms9000updates.su | botnet_cc | 2026-06-08 | 100% |
| domain | 000.nvms9000.su | botnet_cc | 2026-06-08 | 100% |
| domain | 0000.nvms9000.su | botnet_cc | 2026-06-08 | 100% |
| domain | 000.hikvision-cctv.su | botnet_cc | 2026-06-08 | 100% |
| domain | 0000.hikvision-cctv.su | botnet_cc | 2026-06-08 | 100% |
| domain | 00000.hikvision-cctv.su | botnet_cc | 2026-06-08 | 100% |
| domain | 0000g7bd7.hikvision-cctv.su | botnet_cc | 2026-06-08 | 100% |
| domain | botdealers.st | botnet_cc | 2026-06-08 | 100% |
| domain | kys.botdealers.st | botnet_cc | 2026-06-08 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
// has_any is a case-insensitive, term-based match: the apex entry "botdealers.st"
// also catches subdomains such as "kys.botdealers.st", but it will not match
// lookalikes such as "xbotdealers.st" that only share a substring.
let malicious_domains = dynamic(["00000l.nvms9000.su", "horizon.nvms9000updates.su", "000.nvms9000.su", "0000.nvms9000.su", "000.hikvision-cctv.su", "0000.hikvision-cctv.su", "00000.hikvision-cctv.su", "0000g7bd7.hikvision-cctv.su", "botdealers.st", "kys.botdealers.st"]);
DnsEvents
| where Name has_any (malicious_domains)
// Computer is the DNS server that logged the query; ClientIP is the host that
// issued it and is the device to triage.
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
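The matching logic of the query above, replayed offline over constructed DnsEvents-style records so it can be checked without a Sentinel workspace. This is an added example, not code from the page or from ThreatFox; the sample events, client addresses and timestamps are invented, and the matching deliberately walks DNS labels so that an apex IOC covers its subdomains without catching lookalike names that merely contain the IOC as a substring.

```python
"""Replay the ThreatFox Mirai DNS hunt over constructed DnsEvents-style records."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# IOC list from the page (ThreatFox, Mirai, threat type botnet_cc).
MALICIOUS_DOMAINS: Set[str] = {
    "00000l.nvms9000.su", "horizon.nvms9000updates.su", "000.nvms9000.su",
    "0000.nvms9000.su", "000.hikvision-cctv.su", "0000.hikvision-cctv.su",
    "00000.hikvision-cctv.su", "0000g7bd7.hikvision-cctv.su",
    "botdealers.st", "kys.botdealers.st",
}


@dataclass(frozen=True)
class DnsEvent:
    """Subset of the Sentinel DnsEvents columns used by the hunt."""
    time_generated: str   # ISO 8601, used for ordering
    computer: str         # DNS server that logged the query
    client_ip: str        # host that issued the query (the device to triage)
    name: str             # queried name exactly as logged
    query_type: str
    ip_addresses: str     # resolved addresses, empty if NXDOMAIN/sinkholed


def normalize(name: str) -> str:
    """DNS names are case-insensitive and logs may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def matched_ioc(name: str) -> Optional[str]:
    """Return the IOC that covers `name`, or None.

    Walks the name label by label (a.b.c -> b.c -> c) so that an apex entry
    such as botdealers.st covers kys.botdealers.st and deeper subdomains,
    while a lookalike such as xbotdealers.st is never matched.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in MALICIOUS_DOMAINS:
            return candidate
    return None


def hunt(events: List[DnsEvent]) -> List[dict]:
    """Equivalent of the KQL: filter on the IOC list, newest first."""
    hits = []
    for ev in sorted(events, key=lambda e: e.time_generated, reverse=True):
        ioc = matched_ioc(ev.name)
        if ioc is not None:
            hits.append({
                "TimeGenerated": ev.time_generated,
                "Computer": ev.computer,
                "ClientIP": ev.client_ip,
                "Name": ev.name,
                "IOC": ioc,
                "IPAddresses": ev.ip_addresses,
                "QueryType": ev.query_type,
            })
    return hits


def infected_clients(events: List[DnsEvent]) -> Dict[str, Set[str]]:
    """Pivot the hits to the querying host: ClientIP -> set of IOCs seen."""
    clients: Dict[str, Set[str]] = {}
    for hit in hunt(events):
        clients.setdefault(hit["ClientIP"], set()).add(hit["IOC"])
    return clients


# Constructed sample log; none of these hosts or timestamps are real.
SAMPLE_EVENTS = [
    DnsEvent("2026-06-08T10:02:11Z", "dns01", "10.20.30.41",
             "000.hikvision-cctv.su.", "A", ""),               # hit, trailing dot
    DnsEvent("2026-06-08T10:05:40Z", "dns01", "10.20.30.42",
             "cdn.kys.botdealers.st", "A", "203.0.113.9"),     # hit via subdomain
    DnsEvent("2026-06-08T10:06:00Z", "dns01", "10.20.30.43",
             "XBOTDEALERS.ST", "A", "198.51.100.7"),           # lookalike, no hit
    DnsEvent("2026-06-08T10:07:13Z", "dns02", "10.20.30.44",
             "nvms9000.su", "A", ""),                          # apex not listed, no hit
    DnsEvent("2026-06-08T10:09:55Z", "dns02", "10.20.30.45",
             "HORIZON.NVMS9000UPDATES.SU", "AAAA", ""),        # hit, mixed case
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["ClientIP"], hit["Name"], "->", hit["IOC"])
    print(infected_clients(SAMPLE_EVENTS))
```

The pivot in `infected_clients` is the step that matters for response: `Computer` in DnsEvents is the resolver that wrote the log, so a raw hit list points at your DNS servers, while `ClientIP` is the camera or DVR that needs to be pulled off the network.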
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure the DNS data connector that populates this table is enabled. `Computer` is the DNS server that logged the query; `ClientIP` is the host that issued it and is the device to investigate. |
Note on the scenarios below: the hunt above matches only on the queried DNS name. Process command lines, file paths and scan targets are never evaluated by it, so none of the following process-based scenarios can produce a hit on the DnsEvents query; they are relevant only if the rule is extended to process-creation telemetry. For the DNS query itself, the false positives to expect are lookups generated by your own tooling: an analyst resolving an IOC from a workstation, a sandbox or threat-intelligence enrichment job resolving the list, or a DNS sinkhole or RPZ that still logs the original query name. Exclude those sources by `ClientIP` rather than by domain, so a real device resolving the same name is still caught.
Scenario: Scheduled System Backup Using tar or rsync
Description: A legitimate scheduled backup job using tar or rsync may include command-line arguments that resemble Mirai IOCs (e.g., --exclude with suspicious paths).
Filter/Exclusion: Exclude processes initiated by the root user or those matching ^/usr/bin/tar$ or ^/usr/bin/rsync$ with --exclude in the command line.
Scenario: Admin Task Using nc for Network Monitoring
Description: System administrators may use nc (netcat) to test network connectivity or monitor ports, which could trigger a process-based Mirai IOC detection if the command includes IP addresses or ports associated with Mirai.
Filter/Exclusion: Exclude processes with the nc command that are initiated by users in the sudo group or have the --listen or --udp flags.
Scenario: Logrotate Job with gzip or bzip2
Description: The logrotate utility may use gzip or bzip2 to compress log files, and the command-line arguments may include paths or options that match Mirai IOCs.
Filter/Exclusion: Exclude processes with the logrotate command or those using gzip/bzip2 in the /etc/logrotate.d/ directory.
Scenario: Cron Job for System Monitoring with nmap
Description: A cron job that runs nmap to scan internal networks for open ports may trigger a process-based Mirai rule if it includes IP ranges or ports that match known Mirai C2 patterns.
Filter/Exclusion: Exclude nmap processes that are initiated by the root user and have a script or command line that includes