The ThreatFox: Mirai IOCs rule detects potential compromise indicators linked to the Mirai botnet, which is known for deploying large-scale DDoS attacks. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage Mirai infections before they can be leveraged for widespread network disruption.
IOC Summary

- Malware Family: Mirai
- Total IOCs: 5
- IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 185[.]196[.]41[.]201:7777 | botnet_cc | 2026-06-16 | 75% |
| domain | dnsduc1k.duckdns.org | botnet_cc | 2026-06-16 | 100% |
| ip:port | 192[.]159[.]99[.]110:2049 | payload_delivery | 2026-06-15 | 100% |
| ip:port | 124[.]198[.]131[.]252:2049 | payload_delivery | 2026-06-15 | 100% |
| ip:port | 92[.]42[.]100[.]131:4568 | payload_delivery | 2026-06-15 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["124.198.131.252", "92.42.100.131", "185.196.41.201", "192.159.99.110"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["124.198.131.252", "92.42.100.131", "185.196.41.201", "192.159.99.110"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
let malicious_domains = dynamic(["dnsduc1k.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Known False Positives

| Scenario | Filter/Exclusion |
|---|---|
| Scheduled system backup using tar or rsync that includes the /etc directory | Exclude processes where the command line includes `tar -czf` or `rsync --exclude` |
| Admin task to update system packages using apt or yum that temporarily accesses /etc | Exclude processes with `apt update` or `yum check-update` in the command line |
| Logrotate job that processes log files in /var/log and accesses /etc/logrotate.d | Exclude processes with `logrotate` in the command line and `/etc/logrotate.d/` in the path |
| Network configuration tool like nmcli or ip that modifies routing tables or interface settings | Exclude processes with `nmcli` or `ip route` in the command line |
| System monitoring tool like nagios or zabbix that checks service status and accesses /etc/init.d | Exclude processes with `nagios` or `zabbix_agentd` in the command line and `/etc/init.d/` in the path |