The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known malicious indicators associated with compromised IoT devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai infections before they spread across the network.
IOC Summary
Malware Family: Mirai
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 154[.]29[.]73[.]187:56523 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 83[.]168[.]110[.]191:1336 | botnet_cc | 2026-06-09 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
// Note: the indicators above are ip:port pairs; this query matches on the IP alone
let malicious_ips = dynamic(["154.29.73.187", "83.168.110.191"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["154.29.73.187", "83.168.110.191"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
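As an added example (not part of the ThreatFox rule or the KQL above), the following Python script refangs the two ip:port indicators from the table, emits the dynamic([...]) list the queries use, and runs both IP-only and exact ip:port matching over sample records shaped like DeviceNetworkEvents; the event records, hostnames and process names are constructed test data.

```python
import re

# Constructed copy of the two ThreatFox indicators from the table above, defanged as published.
DEFANGED_IOCS = ["154[.]29[.]73[.]187:56523", "83[.]168[.]110[.]191:1336"]

def refang(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' indicator into an (ip, port) tuple."""
    ip, _, port = ioc.replace("[.]", ".").partition(":")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip) or not port.isdigit():
        raise ValueError(f"unexpected indicator format: {ioc!r}")
    return ip, int(port)

def kql_ip_list(iocs) -> str:
    """Build the dynamic([...]) literal used by the hunting queries (IPs only, deduplicated)."""
    ips = sorted({refang(i)[0] for i in iocs})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"

def match_events(events, iocs):
    """Return (ip_hits, exact_hits): events whose RemoteIP is an indicator IP,
    and the subset whose RemotePort also matches the indicator's port.
    The KQL above behaves like ip_hits; exact_hits is the tighter check."""
    exact = {refang(i) for i in iocs}
    ips = {ip for ip, _ in exact}
    ip_hits = [e for e in events if e["RemoteIP"] in ips]
    exact_hits = [e for e in ip_hits if (e["RemoteIP"], e["RemotePort"]) in exact]
    return ip_hits, exact_hits

# Constructed sample events in the shape of DeviceNetworkEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-10T01:02:03Z", "DeviceName": "cam-01",
     "RemoteIP": "154.29.73.187", "RemotePort": 56523, "InitiatingProcessFileName": "busybox"},
    {"Timestamp": "2026-06-10T01:05:00Z", "DeviceName": "dvr-02",
     "RemoteIP": "154.29.73.187", "RemotePort": 443, "InitiatingProcessFileName": "curl"},
    {"Timestamp": "2026-06-10T01:06:00Z", "DeviceName": "ws-07",
     "RemoteIP": "192.0.2.10", "RemotePort": 53, "InitiatingProcessFileName": "svchost.exe"},
]

if __name__ == "__main__":
    print(kql_ip_list(DEFANGED_IOCS))
    ip_hits, exact_hits = match_events(SAMPLE_EVENTS, DEFANGED_IOCS)
    for e in ip_hits:
        tag = "exact ip:port" if e in exact_hits else "ip only"
        print(f'{e["Timestamp"]} {e["DeviceName"]} -> {e["RemoteIP"]}:{e["RemotePort"]} [{tag}]')
```

An IP-only hit on a port the indicator does not list (the dvr-02 record) still deserves triage, but the exact ip:port match is the one that corresponds to the published C2 listener.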
Scenario: Scheduled System Backup Using nc (Netcat)
Description: A legitimate system backup process uses nc to transfer data over the network.
Filter/Exclusion: process.name = "nc" AND (process.args LIKE "%backup%" OR process.args LIKE "%transfer%")

Scenario: Admin Task Using nc for Remote Debugging
Description: An administrator uses nc to debug a remote service or application.
Filter/Exclusion: process.name = "nc" AND user.name = "admin" AND process.args LIKE "%debug%"

Scenario: Cron Job Running nc for Monitoring Purposes
Description: A cron job uses nc to monitor network connectivity or service status.
Filter/Exclusion: process.name = "nc" AND process.args LIKE "%monitor%" AND event.type = "cron"

Scenario: Log Collection Using nc with rsyslog or syslog-ng
Description: A log collection tool such as rsyslog or syslog-ng uses nc to send logs to a central server.
Filter/Exclusion: process.name = "nc" AND process.parent.name IN ("rsyslog", "syslog-ng")

Scenario: Network Discovery Tool Using nc for Port Scanning
Description: A network discovery tool such as nmap or masscan uses nc for port scanning.
Filter/Exclusion: process.name = "nc" AND process.parent.name IN ("nmap", "masscan")