The ThreatFox: Mirai IOCs rule detects potential compromise of IoT devices through exploitation of default credentials or weak configurations, which are common indicators of Mirai botnet activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage DDoS botnet infections before they escalate into large-scale attacks.
IOC Summary

- Malware Family: Mirai
- Total IOCs: 10
- IOC Types: ip:port, url, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 179[.]43[.]182[.]70:3778 | botnet_cc | 2026-06-02 | 80% |
| ip:port | 14[.]116[.]219[.]149:2375 | payload_delivery | 2026-06-01 | 80% |
| ip:port | 198[.]50[.]202[.]93:80 | payload_delivery | 2026-06-01 | 80% |
| ip:port | 34[.]86[.]60[.]20:22 | payload_delivery | 2026-06-01 | 80% |
| ip:port | 34[.]181[.]210[.]37:80 | payload_delivery | 2026-06-01 | 80% |
| url | hxxp://34[.]181[.]210[.]37/meow | payload_delivery | 2026-06-01 | 80% |
| url | hxxp://34[.]181[.]210[.]37/meowarm64 | payload_delivery | 2026-06-01 | 80% |
| ip:port | 136[.]107[.]187[.]197:22 | payload_delivery | 2026-06-01 | 80% |
| sha256_hash | 86d162d2e4ae90daad260faa7df25be2e28bc70a97d0d0548d80a670177a2739 | payload | 2026-06-01 | 85% |
| sha256_hash | 5bf67d64e94a8ed6b81a0855fee52626eb0f4caf1772518fc2404883030451c2 | payload | 2026-06-01 | 85% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["14.116.219.149", "34.86.60.20", "179.43.182.70", "34.181.210.37", "136.107.187.197", "198.50.202.93"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["14.116.219.149", "34.86.60.20", "179.43.182.70", "34.181.210.37", "136.107.187.197", "198.50.202.93"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Mirai
let malicious_urls = dynamic(["http://34.181.210.37/meow", "http://34.181.210.37/meowarm64"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Mirai
// The feed rows above are SHA-256 only, so only the SHA256 column is compared.
let malicious_hashes = dynamic(["86d162d2e4ae90daad260faa7df25be2e28bc70a97d0d0548d80a670177a2739", "5bf67d64e94a8ed6b81a0855fee52626eb0f4caf1772518fc2404883030451c2"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
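The queries above match on IP address only and drop the port that ThreatFox reported each IOC on. The following Python script is an added example (my code, not the page's own queries and not ThreatFox tooling): it refangs the rows copied from the IOC table, validates each value, groups them by type, and renders the KQL `let` declarations, including an ip:port `datatable` so a DeviceNetworkEvents hunt can join on both `RemoteIP` and `RemotePort`. The row list is taken from the table on this page; the function names and the `malicious_endpoints` identifier are my own.

```python
"""Refang ThreatFox IOC rows and render KQL hunting lists (added example)."""
import re

# IOC rows copied from the ThreatFox table on the page: (type, defanged value).
THREATFOX_ROWS = [
    ("ip:port", "179[.]43[.]182[.]70:3778"),
    ("ip:port", "14[.]116[.]219[.]149:2375"),
    ("ip:port", "198[.]50[.]202[.]93:80"),
    ("ip:port", "34[.]86[.]60[.]20:22"),
    ("ip:port", "34[.]181[.]210[.]37:80"),
    ("url", "hxxp://34[.]181[.]210[.]37/meow"),
    ("url", "hxxp://34[.]181[.]210[.]37/meowarm64"),
    ("ip:port", "136[.]107[.]187[.]197:22"),
    ("sha256_hash", "86d162d2e4ae90daad260faa7df25be2e28bc70a97d0d0548d80a670177a2739"),
    ("sha256_hash", "5bf67d64e94a8ed6b81a0855fee52626eb0f4caf1772518fc2404883030451c2"),
]

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def refang(value: str) -> str:
    """Undo the usual defanging: '[.]' -> '.', '[:]' -> ':', 'hxxp(s)://' -> 'http(s)://'."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def parse_ioc(ioc_type: str, raw: str):
    """Normalise and validate one IOC; returns (type, payload) or raises ValueError."""
    value = refang(raw.strip())
    if ioc_type == "ip:port":
        host, sep, port = value.rpartition(":")
        if not sep or not _IPV4.match(host) or not port.isdigit():
            raise ValueError(f"malformed ip:port IOC: {raw}")
        if not all(int(o) <= 255 for o in host.split(".")) or not 0 < int(port) < 65536:
            raise ValueError(f"out-of-range ip:port IOC: {raw}")
        return "ip:port", (host, int(port))
    if ioc_type == "url":
        if not value.startswith(("http://", "https://")):
            raise ValueError(f"unexpected URL scheme in IOC: {raw}")
        return "url", value
    if ioc_type == "sha256_hash":
        value = value.lower()
        if not _SHA256.match(value):
            raise ValueError(f"not a SHA-256 hex digest: {raw}")
        return "sha256_hash", value
    raise ValueError(f"unsupported IOC type: {ioc_type}")


def build_lists(rows):
    """Group IOCs by type; keep (ip, port) pairs plus a de-duplicated IP-only list."""
    out = {"ip_port": [], "ips": [], "urls": [], "sha256": []}
    for ioc_type, raw in rows:
        kind, payload = parse_ioc(ioc_type, raw)
        if kind == "ip:port":
            out["ip_port"].append(payload)
            if payload[0] not in out["ips"]:
                out["ips"].append(payload[0])
        elif kind == "url":
            out["urls"].append(payload)
        else:
            out["sha256"].append(payload)
    return out


def kql_string_list(name: str, values) -> str:
    """Render a KQL 'let <name> = dynamic([...]);' line of string literals."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def render_kql(lists) -> str:
    """Emit the let-declarations and a port-aware DeviceNetworkEvents hunt."""
    pairs = ", ".join(f'"{ip}", {port}' for ip, port in lists["ip_port"])
    lines = [
        kql_string_list("malicious_ips", lists["ips"]),
        kql_string_list("malicious_urls", lists["urls"]),
        kql_string_list("malicious_hashes", lists["sha256"]),
        f"let malicious_endpoints = datatable(RemoteIP:string, RemotePort:int) [{pairs}];",
        "DeviceNetworkEvents",
        "| join kind=inner malicious_endpoints on RemoteIP, RemotePort",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType",
        "| order by Timestamp desc",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_kql(build_lists(THREATFOX_ROWS)))
```

Re-running the script against a fresh export of the feed regenerates the lists, so the `let` blocks in the hunts do not drift from the IOC table; the IP-only list is still emitted for tables such as CommonSecurityLog where the reported port is not a reliable match key.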
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
False-Positive Scenarios

- Scenario: Scheduled System Backup Job
  Description: A legitimate scheduled job runs a backup script that connects to a remote server using default credentials (e.g., root:toor) for backup purposes.
  Filter/Exclusion: `process.name != "backup_script.sh" OR process.args NOT LIKE "%backup%"`
- Scenario: Admin Access via SSH with Default Credentials
  Description: A system administrator uses default SSH credentials (root:password) to access a server during routine maintenance.
  Filter/Exclusion: `user.name != "root" OR process.name != "ssh"`
- Scenario: Log Collection via Fluentd with Default Credentials
  Description: A log aggregation tool such as Fluentd is configured to connect to a remote logging server using default credentials for centralized logging.
  Filter/Exclusion: `process.name != "fluentd" OR process.args NOT LIKE "%logstash%"`
- Scenario: IoT Device Firmware Update via TFTP
  Description: A legitimate firmware update process uses TFTP to transfer updates to IoT devices, which may involve default credentials or weak configurations.
  Filter/Exclusion: `process.name != "tftpd" OR process.args NOT LIKE "%firmware%"`
- Scenario: Internal Monitoring Tool with Default Credentials
  Description: An internal monitoring tool such as Zabbix or Nagios is configured with default credentials for monitoring network devices.
  Filter/Exclusion: `process.name NOT IN ("zabbix_agentd", "nagios") OR user.name != "admin"`