The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known malicious indicators associated with this IoT-focused malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate compromised IoT devices before they are used in large-scale DDoS attacks.
IOC Summary

Malware Family: Mirai
Total IOCs: 5
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 176[.]65[.]139[.]50:443 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 104[.]143[.]206[.]116:80 | botnet_cc | 2026-06-10 | 75% |
| url | hxxp://217[.]60[.]195[.]70:8080/x86 | payload_delivery | 2026-06-10 | 85% |
| ip:port | 93[.]95[.]115[.]186:49384 | botnet_cc | 2026-06-10 | 100% |
| ip:port | 154[.]29[.]73[.]187:27615 | botnet_cc | 2026-06-10 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
// The feed lists these as ip:port (443, 80, 49384, 27615); add a DestinationPort
// filter if IP-only matching produces too much volume.
let malicious_ips = dynamic(["93.95.115.186", "104.143.206.116", "176.65.139.50", "154.29.73.187"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["93.95.115.186", "104.143.206.116", "176.65.139.50", "154.29.73.187"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Mirai
// UrlClickEvents covers Defender for Office 365 link clicks; for downloads made
// directly by a device, also check RemoteUrl in DeviceNetworkEvents.
let malicious_urls = dynamic(["http://217.60.195.70:8080/x86"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
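As an added example that is not part of this rule page, the Python below refangs the IOC table above and applies the same IP and URL matching as the KQL hunts to constructed flow records, going one step further by also comparing the port the feed lists, so an exact ip:port hit is reported separately from a lower-fidelity IP-only hit. The record field names mirror CommonSecurityLog columns; the events are constructed sample data.

```python
import re

# Constructed copy of the page's IOC table, defanged the way ThreatFox publishes it.
IOCS = [
    ("ip:port", "176[.]65[.]139[.]50:443", "botnet_cc", 75),
    ("ip:port", "104[.]143[.]206[.]116:80", "botnet_cc", 75),
    ("url", "hxxp://217[.]60[.]195[.]70:8080/x86", "payload_delivery", 85),
    ("ip:port", "93[.]95[.]115[.]186:49384", "botnet_cc", 100),
    ("ip:port", "154[.]29[.]73[.]187:27615", "botnet_cc", 100),
]

# Constructed CommonSecurityLog-style flow records (not real telemetry).
EVENTS = [
    {"TimeGenerated": "2026-06-11T02:14:00Z", "SourceIP": "10.0.0.8", "SourcePort": 51234, "DestinationIP": "93.95.115.186", "DestinationPort": 49384},
    {"TimeGenerated": "2026-06-11T02:15:00Z", "SourceIP": "10.0.0.9", "SourcePort": 51235, "DestinationIP": "176.65.139.50", "DestinationPort": 8443},
    {"TimeGenerated": "2026-06-11T02:16:00Z", "SourceIP": "10.0.0.10", "SourcePort": 51236, "DestinationIP": "217.60.195.70", "DestinationPort": 8080, "RequestURL": "http://217.60.195.70:8080/x86"},
    {"TimeGenerated": "2026-06-11T02:17:00Z", "SourceIP": "10.0.0.11", "SourcePort": 51237, "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]

def refang(value):
    """Undo the table's defanging: '[.]' -> '.', leading 'hxxp' -> 'http'."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.IGNORECASE)

def build_indicators(iocs, min_confidence=0):
    """Split IOCs into a set of (ip, port) tuples and a set of URLs, dropping rows below min_confidence."""
    ip_ports, urls = set(), set()
    for ioc_type, value, _threat_type, confidence in iocs:
        if confidence < min_confidence:
            continue
        value = refang(value)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports.add((ip, int(port)))
        elif ioc_type == "url":
            urls.add(value)
    return ip_ports, urls

def match_events(events, ip_ports, urls):
    """Return (time, kind, event) hits; 'ip-only' marks an IOC IP seen on a port the feed did not list."""
    ioc_ips = {ip for ip, _ in ip_ports}
    hits = []
    for ev in events:
        dst = (ev.get("DestinationIP"), ev.get("DestinationPort"))
        src = (ev.get("SourceIP"), ev.get("SourcePort"))
        if dst in ip_ports or src in ip_ports:
            hits.append((ev["TimeGenerated"], "ip:port", ev))
        elif dst[0] in ioc_ips or src[0] in ioc_ips:
            hits.append((ev["TimeGenerated"], "ip-only", ev))
        if ev.get("RequestURL") in urls:
            hits.append((ev["TimeGenerated"], "url", ev))
    return hits
```

Raising `min_confidence` to 100 keeps only the two feed rows the page marks at 100%, which is a cheap way to tier alerts before tuning the exclusions below.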
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using tar and gzip
Description: A legitimate system backup process uses tar and gzip to archive and compress logs, which may match Mirai-related IOCs.
Filter/Exclusion: Exclude processes where the command line includes /usr/bin/tar or /bin/gzip and the destination path is within a known backup directory (e.g., /var/backups/).
Scenario: Admin Task Using nc for Network Monitoring
Description: A system administrator uses nc (netcat) to monitor network traffic or test connectivity, which could be flagged as a Mirai IOC.
Filter/Exclusion: Exclude processes where the user is root or an admin and the command includes options like -z (for port scanning) or -w (for timeout), or the destination IP is on a known internal network.
Scenario: Log Rotation Using logrotate
Description: The logrotate utility is used to rotate and compress log files, which may include commands that resemble Mirai IOCs.
Filter/Exclusion: Exclude processes where the command line includes /usr/sbin/logrotate and the log files are located in standard log directories (e.g., /var/log/).
Scenario: Cron Job for System Maintenance
Description: A cron job runs a script that includes commands like nc or wget for system diagnostics or updates, which could be flagged as Mirai-related.
Filter/Exclusion: Exclude processes where the command is executed via cron and the script path is within a known system maintenance directory (e.g., /etc/cron.d/ or /opt/maintenance/).
Scenario: DevOps Pipeline Using curl for API Calls
Description: A CI/CD pipeline uses `curl