The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known malicious indicators associated with command-and-control communication and distributed denial-of-service attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai infections before they cause widespread network disruption.
IOC Summary

- Malware Family: Mirai
- Total IOCs: 3
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]39[.]216[.]137:8083 | payload_delivery | 2026-06-14 | 100% |
| ip:port | 5[.]39[.]216[.]137:8082 | payload_delivery | 2026-06-14 | 100% |
| ip:port | 5[.]175[.]215[.]102:456 | payload_delivery | 2026-06-14 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
// The feed's indicators are ip:port pairs (8083, 8082, 456); this query matches
// on the IP alone and projects the port so the analyst can confirm the full indicator.
let malicious_ips = dynamic(["5.39.216.137", "5.175.215.102"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// RemotePort is projected so hits can be compared against the ip:port indicators above.
let malicious_ips = dynamic(["5.39.216.137", "5.175.215.102"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using tar
Description: A legitimate scheduled job uses tar to back up system files, which may include paths or commands similar to Mirai IOCs.
Filter/Exclusion: Exclude processes where the command line includes /bin/tar or paths like /usr/bin/tar and contains the word backup.
Scenario: Admin Task Using nc for Remote Management
Description: A system administrator uses nc (netcat) to remotely manage a server, which could be flagged due to its association with Mirai.
Filter/Exclusion: Exclude processes where the user is root or an administrator and the command includes the -z or -w flags used for remote management.
Scenario: Log Collection Using rsync
Description: A legitimate log collection process uses rsync to transfer logs between servers, which may trigger the rule due to the presence of rsync in the IOC list.
Filter/Exclusion: Exclude processes where the command includes rsync and the destination is a known log server or internal network IP.
Scenario: Network Monitoring with nmap
Description: A security team uses nmap to scan internal networks for open ports, which may be flagged due to the presence of nmap in the IOC list.
Filter/Exclusion: Exclude processes where the command includes nmap and the target IP range is within the internal network CIDR block.
Scenario: Cron Job for System Updates
Description: A cron job runs apt or yum to update packages, which may include paths or commands similar to Mirai IOCs.
Filter/Exclusion: Exclude processes where the command line includes apt or yum and the user is root.