The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by matching network telemetry against known botnet command-and-control (C2) endpoints that ThreatFox associates with compromised IoT devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain ongoing botnet infections before the devices are used in distributed denial-of-service (DDoS) attacks.
IOC Summary
Malware Family: Mirai
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 152[.]236[.]7[.]10:27177 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 217[.]60[.]195[.]144:1999 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 194[.]48[.]251[.]24:80 | botnet_cc | 2026-06-19 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["194.48.251.24", "152.236.7.10", "217.60.195.144"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["194.48.251.24", "152.236.7.10", "217.60.195.144"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
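The IOC table publishes defanged `ip:port` values while the hunting queries need plain IPs, and the queries match on IP alone even though each ThreatFox IOC names a specific C2 listener port. The following Python script is an added example (not part of the ThreatFox rule or its queries) that refangs the three IOCs, renders the `dynamic([...])` literal for the KQL, and grades sample flow records as `exact` (IP and port) or `ip_only` so the lower-confidence, port-80 IOC can be triaged separately. The flow records at the bottom are constructed sample data, not real telemetry.

```python
"""Refang ThreatFox ip:port IOCs, emit a KQL list, and grade flow matches by port."""
import ipaddress
import re
from dataclasses import dataclass

# IOC rows exactly as published on the page (defanged with [.]), with ThreatFox confidence.
IOC_ROWS = [
    ("152[.]236[.]7[.]10:27177", "botnet_cc", 100),
    ("217[.]60[.]195[.]144:1999", "botnet_cc", 100),
    ("194[.]48[.]251[.]24:80", "botnet_cc", 75),
]


def refang(ioc: str) -> str:
    """Undo common defanging: 152[.]236[.]7[.]10 -> 152.236.7.10, hxxp -> http."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    threat_type: str
    confidence: int


def parse_iocs(rows):
    """Parse 'ip:port' rows into Ioc objects; reject anything that is not a valid IPv4:port."""
    out = []
    for value, threat_type, confidence in rows:
        m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", refang(value))
        if not m:
            raise ValueError(f"unexpected IOC format: {value!r}")
        ip, port = str(ipaddress.IPv4Address(m.group(1))), int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in IOC: {value!r}")
        out.append(Ioc(ip, port, threat_type, confidence))
    return out


def kql_dynamic_list(iocs) -> str:
    """Render the distinct IPs as the dynamic([...]) literal used by the hunting queries."""
    ips = sorted({i.ip for i in iocs})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"


@dataclass(frozen=True)
class Hit:
    flow_index: int
    ioc: Ioc
    kind: str  # "exact" = destination IP and port both match; "ip_only" = IP matched only


def match_flows(iocs, flows):
    """Match flow records (dicts with src, dst, dport) against the IOC set.

    A destination hit on the listed C2 port is graded "exact"; a hit on the IP
    alone (other port, or the IOC IP appearing as the source) is kept as "ip_only".
    """
    by_ip = {}
    for ioc in iocs:
        by_ip.setdefault(ioc.ip, []).append(ioc)
    hits = []
    for idx, flow in enumerate(flows):
        for ioc in by_ip.get(flow["dst"], []):
            kind = "exact" if flow["dport"] == ioc.port else "ip_only"
            hits.append(Hit(idx, ioc, kind))
        for ioc in by_ip.get(flow["src"], []):
            hits.append(Hit(idx, ioc, "ip_only"))
    return hits


# Constructed sample flows (RFC 1918 / documentation addresses, not real traffic).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "152.236.7.10", "dport": 27177},  # exact C2 hit
    {"src": "10.0.0.7", "dst": "194.48.251.24", "dport": 443},   # IOC IP, different port
    {"src": "10.0.0.9", "dst": "8.8.8.8", "dport": 53},          # benign
    {"src": "217.60.195.144", "dst": "10.0.0.3", "dport": 22},   # IOC IP as source
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_ROWS)
    print(kql_dynamic_list(iocs))
    for hit in match_flows(iocs, SAMPLE_FLOWS):
        f = SAMPLE_FLOWS[hit.flow_index]
        print(f"{hit.kind:8} {f['src']} -> {f['dst']}:{f['dport']}  "
              f"ioc={hit.ioc.ip}:{hit.ioc.port} conf={hit.ioc.confidence}%")
```

Running the script prints the `dynamic([...])` list that can be pasted into either query, followed by one line per hit. An `ip_only` hit is still worth review, since Mirai C2 ports change between samples, but the grading lets the 75%-confidence, port-80 IOC be handled without inflating the queue of exact C2 matches.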
Scenario: Scheduled System Backup Using nc (Netcat)
Description: A legitimate system backup process uses nc to transfer backup files over the network.
Filter/Exclusion: Exclude processes where nc is used with backup-related command-line arguments such as --backup or --transfer, or filter by user backup or sysadmin.
Scenario: Network Monitoring Tool Using nc for Traffic Analysis
Description: A network monitoring tool like nmap or tcpdump uses nc to analyze network traffic for diagnostic purposes.
Filter/Exclusion: Exclude processes where nc is used in conjunction with nmap, tcpdump, or wireshark, or filter by process name or command-line arguments related to monitoring.
Scenario: Admin Task to Test Port Connectivity Using nc
Description: A system administrator uses nc to test if a port is open on a remote server as part of routine maintenance.
Filter/Exclusion: Exclude processes where nc is used with options like -z (zero-I/O mode) or --test, or filter by user root or admin.
Scenario: Cron Job for Log Rotation Using nc for Remote Logging
Description: A cron job rotates logs and sends them to a remote server with nc for log aggregation.
Filter/Exclusion: Exclude processes where nc is used with log-related command-line arguments such as --log or --rotate, or filter by cron job name or user logrotate.
Scenario: Internal Tool Using nc for Internal Communication
Description: An internal tool or service uses nc to communicate between internal systems, for example for data synchronization or status checks.
Filter/Exclusion:
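The scenarios above describe exclusions as a mix of command-line flags, service accounts and related processes. The following Python script is an added example (not part of the page's rule) that encodes them as data-driven exclusion rules and applies them to constructed process events. Only the mechanics that are unambiguous from the scenarios are encoded: the `-z` zero-I/O port test (including clustered flags such as `-zv`), the named service accounts `backup` and `logrotate`, and a parent process list of `nmap`, `tcpdump` and `wireshark`. Excluding `root` or `admin` wholesale is deliberately left out, because that would blind the rule to most real abuse; the event list and hostnames are constructed sample data.

```python
"""Apply nc false-positive exclusions as data-driven rules over process events."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Executable names treated as netcat.
NC_NAMES = frozenset({"nc", "netcat", "ncat"})


@dataclass(frozen=True)
class ProcEvent:
    user: str
    process: str   # basename of the executable
    cmdline: str
    parent: str    # basename of the parent process


@dataclass(frozen=True)
class Exclusion:
    name: str
    users: frozenset = frozenset()    # service accounts whose nc use is expected
    flags: frozenset = frozenset()    # single-letter flags, without the dash
    parents: frozenset = frozenset()  # parent processes that legitimately spawn nc

    def matches(self, ev: ProcEvent, argv) -> bool:
        return (ev.user in self.users
                or ev.parent in self.parents
                or bool(self.flags & short_flags(argv)))


def short_flags(argv):
    """Collect single-letter flags, expanding clusters such as -zv into {'z', 'v'}."""
    flags = set()
    for tok in argv[1:]:
        if tok.startswith("-") and not tok.startswith("--") and len(tok) > 1:
            flags.update(tok[1:])
    return flags


# Exclusions derived from the scenarios on the page; first match wins.
EXCLUSIONS = [
    Exclusion("scheduled backup", users=frozenset({"backup"})),
    Exclusion("traffic analysis", parents=frozenset({"nmap", "tcpdump", "wireshark"})),
    Exclusion("port connectivity test", flags=frozenset({"z"})),
    Exclusion("log rotation", users=frozenset({"logrotate"})),
]


@dataclass(frozen=True)
class Decision:
    event: ProcEvent
    excluded_by: Optional[str]  # exclusion name, or None if the event should alert


def triage(events, exclusions):
    """Return one Decision per nc event; events for other processes are ignored."""
    decisions = []
    for ev in events:
        if ev.process not in NC_NAMES:
            continue
        argv = shlex.split(ev.cmdline)
        excluded_by = next((x.name for x in exclusions if x.matches(ev, argv)), None)
        decisions.append(Decision(ev, excluded_by))
    return decisions


# Constructed sample events (hostnames and addresses are placeholders).
SAMPLE_EVENTS = [
    ProcEvent("admin", "nc", "nc -zv db01.internal 5432", "bash"),        # -z port test
    ProcEvent("backup", "nc", "nc backup01.internal 9000", "backup.sh"),  # backup account
    ProcEvent("www-data", "nc", "nc 203.0.113.9 1999", "sh"),             # web account, unknown host
    ProcEvent("logrotate", "nc", "nc logs01.internal 514", "cron"),       # log shipping account
    ProcEvent("root", "nc", "nc 10.0.0.5 9000", "cron"),                  # root is not excluded
    ProcEvent("root", "nc", "nc scanner.internal 80", "nmap"),            # spawned by nmap
    ProcEvent("root", "curl", "curl https://example.invalid", "bash"),    # not nc, ignored
]

if __name__ == "__main__":
    for d in triage(SAMPLE_EVENTS, EXCLUSIONS):
        verdict = f"excluded ({d.excluded_by})" if d.excluded_by else "ALERT"
        print(f"{verdict:32} {d.event.user}@{d.event.parent}: {d.event.cmdline}")
```

Each exclusion is a single record, so adding the organization's real backup or monitoring accounts is a data change rather than a query change. The two events that still alert (a web service account and a root cron job connecting to unlisted hosts with nc) are the ones a SOC should review against the Mirai C2 list from the rule above.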