The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known malicious indicators associated with compromised IoT devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai infections before they spread across the network.
IOC Summary

- Malware Family: Mirai
- Total IOCs: 3
- IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://176[.]65[.]139[.]151/Sakura.sh | payload_delivery | 2026-06-07 | 90% |
| ip:port | 169[.]239[.]130[.]20:80 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 176[.]65[.]139[.]126:2701 | botnet_cc | 2026-06-07 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["176.65.139.126", "169.239.130.20"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["176.65.139.126", "169.239.130.20"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Mirai
let malicious_urls = dynamic(["http://176.65.139.151/Sakura.sh"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
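Copying the defanged table rows into the `let` arrays above by hand is where transcription mistakes creep in. The following helper is an added example, not part of the ThreatFox feed or this page: it refangs the three rows as listed in the table, builds the same `dynamic()` arrays, and additionally emits an IP+port variant of the `CommonSecurityLog` hunt that joins on `DestinationPort`, so a `botnet_cc` indicator only fires on its listed port rather than on any traffic to that address. Function names and the port-tightened query are assumptions of this example.

```python
import re

# Constructed copy of the three ThreatFox rows from the table above, still defanged.
DEFANGED_IOCS = [
    ("url", "hxxp://176[.]65[.]139[.]151/Sakura.sh"),
    ("ip:port", "169[.]239[.]130[.]20:80"),
    ("ip:port", "176[.]65[.]139[.]126:2701"),
]

def refang(value: str) -> str:
    """Undo the hxxp / [.] / [:] defanging used in the feed so values match raw telemetry."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def parse_iocs(rows):
    """Return (ips, [(ip, port)], urls) from (type, defanged value) rows."""
    ips, pairs, urls = [], [], []
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)  # split on the last colon only
            ips.append(ip)
            pairs.append((ip, int(port)))
        elif ioc_type == "url":
            urls.append(value)
    return ips, pairs, urls

def kql_list(values):
    """Render a Python list as a KQL dynamic() string array."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"

def build_queries(rows):
    """Emit the IP-only hunt from the page plus an IP+port variant that cuts false positives."""
    ips, pairs, urls = parse_iocs(rows)
    cc_rows = ", ".join(f'"{ip}", {port}' for ip, port in pairs)
    project = "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity"
    return {
        "csl_ip": f"let malicious_ips = {kql_list(ips)};\nCommonSecurityLog\n"
                  f"| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)\n{project}",
        # Joining on ip AND port only fires on the C2 port, not on any traffic to the address.
        "csl_ip_port": f"let malicious_cc = datatable(ip:string, port:int)[{cc_rows}];\n"
                       "CommonSecurityLog\n| join kind=inner malicious_cc on "
                       f"$left.DestinationIP == $right.ip and $left.DestinationPort == $right.port\n{project}",
        "url": f"let malicious_urls = {kql_list(urls)};\nUrlClickEvents\n"
               "| where Url has_any (malicious_urls)\n| project Timestamp, AccountUpn, Url, ActionType",
    }

if __name__ == "__main__":
    for name, query in build_queries(DEFANGED_IOCS).items():
        print(f"-- {name}\n{query}\n")
```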
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
- Scenario: Scheduled System Backup Using tar and rsync
  - Description: A legitimate scheduled backup job uses tar and rsync to archive and transfer system files, which may match Mirai-related IOCs.
  - Filter/Exclusion: Exclude processes initiated by the root user with crontab or systemd service names, or filter by command-line arguments containing backup, archive, or restore.
- Scenario: Admin Task Using nc for Remote Management
  - Description: A system administrator uses nc (netcat) to remotely manage a server, which could be flagged as a Mirai IOC.
  - Filter/Exclusion: Exclude processes with user IDs matching admin accounts (e.g., root, admin, sudo) and filter by command-line arguments containing ssh, telnet, or remote management.
- Scenario: Log Collection Using tcpdump and nc
  - Description: A log aggregation system uses tcpdump to capture network traffic and nc to send logs to a central server, which may trigger Mirai-related IOCs.
  - Filter/Exclusion: Exclude tcpdump or nc processes that are part of a known log collection tool (e.g., Fluentd, Logstash) or whose destination IPs match internal log servers.
- Scenario: Docker Container Management with docker exec and nc
  - Description: A DevOps engineer uses docker exec to run commands inside a container, which may include nc for internal communication, triggering Mirai IOCs.
  - Filter/Exclusion: Exclude processes running within Docker containers and filter by container IDs or names associated with known DevOps tools (e.g., jenkins, k8s, docker-compose).