The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by matching network telemetry against indicators published by abuse.ch ThreatFox for compromised IoT devices: a payload-delivery server, a C2 IP:port and a dynamic-DNS C2 domain. SOC teams should hunt for these indicators in Azure Sentinel to catch early-stage Mirai infections before the bot starts scanning and spreading to other devices on the network.
IOC Summary
Malware Family: Mirai
Total IOCs: 3
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 103[.]245[.]27[.]100:80 | payload_delivery | 2026-06-13 | 100% |
| ip:port | 152[.]236[.]6[.]8:28291 | botnet_cc | 2026-06-13 | 100% |
| domain | vbotnt1.duckdns.org | botnet_cc | 2026-06-13 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
// The feed lists ip:port pairs (152.236.6.8:28291 botnet_cc, 103.245.27.100:80 payload_delivery).
// Matching on the IP alone also catches port changes; compare DestinationPort against the feed when triaging.
let malicious_ips = dynamic(["152.236.6.8", "103.245.27.100"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Mirai
// InitiatingProcessFileName gives the process context that CommonSecurityLog lacks; use it for triage and exclusions.
let malicious_ips = dynamic(["152.236.6.8", "103.245.27.100"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
// has_any matches the domain and its subdomains; the C2 uses a DuckDNS dynamic-DNS name, so the resolved
// IPAddresses may differ from the IP IOCs above and should be added to the IP hunt when observed.
let malicious_domains = dynamic(["vbotnt1.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
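As an added example (not part of the ThreatFox feed or the original page), the following Python reproduces the matching logic of the three queries above over a handful of constructed events, and makes explicit two things the KQL leaves implicit: refanging the bracketed `[.]` indicators from the IOC table before use, and matching the domain on a label boundary so that subdomains hit while look-alike names such as `notvbotnt1.duckdns.org` do not. It also records whether the observed port matches the feed's ip:port, which the IP-only KQL does not. Field names mirror the Sentinel columns; the event list is constructed sample data, not real telemetry.

```python
import ipaddress

# IOCs exactly as listed in the table on this page (defanged with [.]).
THREATFOX_IOCS = [
    ("ip:port", "103[.]245[.]27[.]100:80", "payload_delivery"),
    ("ip:port", "152[.]236[.]6[.]8:28291", "botnet_cc"),
    ("domain", "vbotnt1.duckdns.org", "botnet_cc"),
]


def refang(value):
    """Turn a defanged indicator (103[.]245[.]27[.]100, hxxp://) back into a usable one."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(rows):
    """Split the feed into ip -> (port, threat_type) and domain -> threat_type maps."""
    ips, domains = {}, {}
    for kind, value, threat in rows:
        value = refang(value)
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
            ips[ip] = (int(port), threat)
        elif kind == "domain":
            domains[value.lower().rstrip(".")] = threat
    return ips, domains


def domain_matches(name, ioc_domain):
    """True for the IOC domain itself or any subdomain; substrings inside another label do not match."""
    name = name.lower().rstrip(".")
    return name == ioc_domain or name.endswith("." + ioc_domain)


# Constructed sample events shaped like the Sentinel tables used by the queries above.
SAMPLE_EVENTS = [
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.21", "DestinationIP": "152.236.6.8", "DestinationPort": 28291},
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.21", "DestinationIP": "152.236.6.8", "DestinationPort": 443},
    {"table": "DeviceNetworkEvents", "DeviceName": "cam-01", "RemoteIP": "103.245.27.100", "RemotePort": 80},
    {"table": "DnsEvents", "Computer": "dc01", "Name": "vbotnt1.duckdns.org"},
    {"table": "DnsEvents", "Computer": "dc01", "Name": "a.vbotnt1.duckdns.org"},
    {"table": "DnsEvents", "Computer": "dc01", "Name": "notvbotnt1.duckdns.org"},
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.5", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]


def hunt(events, rows=THREATFOX_IOCS):
    """Return one hit per event that touches an IOC, with port agreement for IP indicators."""
    ips, domains = parse_iocs(rows)
    hits = []
    for ev in events:
        if ev["table"] in ("CommonSecurityLog", "DeviceNetworkEvents"):
            remote = ev.get("DestinationIP") or ev.get("RemoteIP")
            port = ev.get("DestinationPort") or ev.get("RemotePort")
            # Like the KQL, match either direction; DeviceNetworkEvents has no SourceIP column.
            for candidate in (remote, ev.get("SourceIP")):
                if candidate in ips:
                    ioc_port, threat = ips[candidate]
                    hits.append({
                        "table": ev["table"],
                        "indicator": candidate,
                        "threat_type": threat,
                        "port_match": candidate == remote and port == ioc_port,
                    })
        elif ev["table"] == "DnsEvents":
            for ioc_domain, threat in domains.items():
                if domain_matches(ev["Name"], ioc_domain):
                    hits.append({"table": "DnsEvents", "indicator": ioc_domain,
                                 "threat_type": threat, "queried": ev["Name"]})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

On the sample data this yields five hits: both connections to the C2 IP (only the first on the feed's port), the payload-server fetch on port 80, and the two DNS queries for the C2 domain and its subdomain; the look-alike name and the 8.8.8.8 query produce nothing. A `port_match` of False is still a hit worth triage, since botnet operators rotate ports more often than IPs.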
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) connector; ensure firewall/proxy logs are forwarded |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; requires Defender for Endpoint on the hosts |
| DnsEvents | Populated by the DNS connector for Windows DNS servers; ensure it is enabled |
The queries above match on destination IP and DNS name only. CommonSecurityLog and DnsEvents carry no process context, so the command-line checks below can only be applied to DeviceNetworkEvents (InitiatingProcessFileName, InitiatingProcessCommandLine). Scope any exclusion to a known host or process, never to the indicator itself: a connection to a listed C2 or payload server is not benign just because a familiar tool made it.
Scenario: System update or patching process (apt or yum) running on the host at the time of the match
Filter/Exclusion: Package managers fetch from repository mirrors, not from a botnet C2 or payload server. Confirm from the initiating process that the package manager did not make the flagged connection before treating the event as benign; do not exclude on package names alone.
Scenario: Scheduled job for log rotation or system cleanup (cron or logrotate) executing at the same time as the match
Filter/Exclusion: Verify the initiating process and script path against standard system maintenance tools. A scheduled job that itself connects to the IOC is Mirai persistence, not a false positive.
Scenario: Admin connectivity test using netcat or nc against the listed IP:port
Filter/Exclusion: Exclude only when run by a known admin account from a designated jump host within a documented test window; an IoT device or an unprivileged user reaching the same address is a genuine hit.
Scenario: Security tooling (tcpdump or Wireshark) or sandbox hosts used for Mirai packet analysis
Filter/Exclusion: Exclude by DeviceName or Computer for designated analysis hosts. Capturing traffic does not by itself connect to the IOC, so a match from such a host still needs the initiating process checked.
Scenario: Development or test environment running containers (docker, kubectl) that hold Mirai samples for testing
Filter/Exclusion: Restrict the exclusion to the lab hosts and container images in a maintained allow list, and confirm the image comes from the known test registry; keep the detection active for production workloads.