The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by matching network connections, DNS queries and URL accesses against indicators published on ThreatFox for the Mirai family: hosts that serve the bot payload (payload_delivery) and command-and-control endpoints (botnet_cc). Mirai compromises IoT and embedded Linux devices, typically over Telnet or SSH using default credentials, and enrolls them in DDoS botnets, so SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to find infected devices before they take part in a distributed denial-of-service (DDoS) attack or are used as a foothold for further network compromise.
IOC Summary
Malware Family: Mirai
Total IOCs: 15
IOC Types: url, ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]202[.]249[.]34:80 | payload_delivery | 2026-06-04 | 80% |
| url | hxxp://45[.]202[.]249[.]34/dck | payload_delivery | 2026-06-04 | 80% |
| ip:port | 113[.]214[.]18[.]234:2375 | payload_delivery | 2026-06-04 | 80% |
| ip:port | 14[.]154[.]200[.]202:2375 | payload_delivery | 2026-06-04 | 80% |
| ip:port | 185[.]180[.]141[.]42:2375 | payload_delivery | 2026-06-04 | 80% |
| ip:port | 47[.]86[.]55[.]200:22 | payload_delivery | 2026-06-04 | 80% |
| ip:port | 107[.]151[.]233[.]216:22 | payload_delivery | 2026-06-04 | 80% |
| ip:port | 92[.]42[.]100[.]131:4569 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 192[.]159[.]99[.]196:4569 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 185[.]244[.]182[.]35:14569 | botnet_cc | 2026-06-04 | 100% |
| domain | nvms.miraibotnet.su | botnet_cc | 2026-06-04 | 100% |
| domain | tvt.miraibotnet.su | botnet_cc | 2026-06-04 | 100% |
| domain | tvt.oceanic-node.su | botnet_cc | 2026-06-04 | 100% |
| domain | sopa1805.duckdns.org | botnet_cc | 2026-06-04 | 100% |
| ip:port | 194[.]48[.]251[.]83:8080 | botnet_cc | 2026-06-04 | 100% |
```kql
// Hunt for network connections to known malicious IPs (firewall / proxy CEF logs)
// Source: ThreatFox - Mirai
// Note: this matches on IP only. The ThreatFox entries are ip:port pairs, so compare
// DestinationPort with the table above before escalating a hit on a shared host.
let malicious_ips = dynamic(["113.214.18.234", "47.86.55.200", "194.48.251.83", "92.42.100.131", "185.180.141.42", "45.202.249.34", "14.154.200.202", "107.151.233.216", "185.244.182.35", "192.159.99.196"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events (managed Windows/Linux hosts only;
// IoT devices without the sensor will not appear here)
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["113.214.18.234", "47.86.55.200", "194.48.251.83", "92.42.100.131", "185.180.141.42", "45.202.249.34", "14.154.200.202", "107.151.233.216", "185.244.182.35", "192.159.99.196"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
// has_any does term matching, so subdomains of the listed names (e.g. a host under
// miraibotnet.su) are caught as well as exact queries.
let malicious_domains = dynamic(["nvms.miraibotnet.su", "tvt.miraibotnet.su", "tvt.oceanic-node.su", "sopa1805.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Mirai
// Caveat: UrlClickEvents only records Safe Links clicks from mail, Teams and Office
// documents. A device fetching the dropper directly will not show up here; check
// DeviceNetworkEvents RemoteUrl or proxy URL logs in CommonSecurityLog for that.
let malicious_urls = dynamic(["http://45.202.249.34/dck"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
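The queries above match bare IPs, although every ThreatFox ip:port entry names a port, and they drop the threat type and confidence that the table carries. The query below is an added example, not part of the original rule or of ThreatFox's own content: it loads the table as a datatable, normalises DeviceNetworkEvents and CommonSecurityLog into one shape, joins on destination IP, and ranks port-exact matches on botnet_cc entries first while still keeping IP-only matches so a shared host is not lost. The 30-day window and the column aliases (Host, DstIP, DstPort, Context) are assumptions made for the example.

```kql
// Added example: ip:port-aware matching with ThreatFox threat type and confidence.
// Values copied from the IOC table above; window and aliases are assumptions.
let iocs = datatable(IocIP:string, IocPort:int, ThreatType:string, Confidence:int) [
    "45.202.249.34",    80,    "payload_delivery", 80,
    "113.214.18.234",   2375,  "payload_delivery", 80,
    "14.154.200.202",   2375,  "payload_delivery", 80,
    "185.180.141.42",   2375,  "payload_delivery", 80,
    "47.86.55.200",     22,    "payload_delivery", 80,
    "107.151.233.216",  22,    "payload_delivery", 80,
    "92.42.100.131",    4569,  "botnet_cc",        100,
    "192.159.99.196",   4569,  "botnet_cc",        100,
    "185.244.182.35",   14569, "botnet_cc",        100,
    "194.48.251.83",    8080,  "botnet_cc",        100
];
// Normalise both network sources into one shape so a single join covers them.
let endpoint_conns = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | project TimeGenerated = Timestamp, Host = DeviceName, DstIP = RemoteIP,
              DstPort = toint(RemotePort), Context = InitiatingProcessFileName,
              Source = "DeviceNetworkEvents";
let firewall_conns = CommonSecurityLog
    | where TimeGenerated > ago(30d)
    | project TimeGenerated, Host = Computer, DstIP = DestinationIP,
              DstPort = toint(DestinationPort), Context = DeviceAction,
              Source = "CommonSecurityLog";
union endpoint_conns, firewall_conns
// Cheap pre-filter on IP before the join.
| where DstIP in ((iocs | project IocIP))
| join kind=inner (iocs) on $left.DstIP == $right.IocIP
// A connection to the listed port is a much stronger signal than the IP alone.
| extend PortMatch = (DstPort == IocPort)
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Contexts = make_set(Context, 10), PortsSeen = make_set(DstPort, 10)
    by Source, Host, DstIP, IocPort, ThreatType, Confidence, PortMatch
| order by PortMatch desc, Confidence desc, LastSeen desc
```

A row with PortMatch true and ThreatType botnet_cc is an infected or probing device talking to a Mirai C2 on its published port; a row with PortMatch false on a payload_delivery host is worth a look but may be unrelated traffic to a shared server. The Contexts column shows the initiating process on managed hosts or the firewall action on CEF rows, which is usually enough to decide whether to escalate.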
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector from firewalls and proxies; confirm that the devices seeing egress traffic from the IoT segments are actually forwarding |
| DeviceNetworkEvents | Requires the Microsoft Defender XDR (Microsoft 365 Defender) connector; covers only hosts running the Defender for Endpoint sensor, which excludes most IoT devices |
| DnsEvents | Populated by the DNS Analytics connector for Windows DNS servers; clients that resolve through other resolvers will not be visible here |
| UrlClickEvents | Requires Defender for Office 365 via the Defender XDR connector; records Safe Links clicks only, so a device fetching the dropper URL directly will not appear |
False Positive Scenarios
The queries in this rule match network indicators (IP, IP:port, domain, URL), not command lines, so none of the scenarios below can trigger a hit on its own. They describe legitimate activity on a managed host that may coincide with a hit and should guide triage. Treat the filters as context checks on the initiating process of a matched connection, never as a reason to drop a connection to a listed C2 or payload host; unmanaged IoT devices have no process context at all, and for them a match is a match.
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job using rsync or tar is running on a server; if the backup target is a host that appears in the IOC list, the connection will match.
Filter/Exclusion: Exclude matched connections whose initiating process was started by the cron daemon and whose command line contains backup or rsync, after confirming the destination is an expected backup target.
Scenario: Admin Task – Firmware Update via SSH
Description: An administrator is manually updating firmware on an IoT device over SSH, which can resemble Mirai's SSH-based spreading.
Filter/Exclusion: Exclude SSH sessions from approved administrative hosts whose command includes firmware or update. The user name alone (root, admin) is not a benign signal, since those are exactly the default accounts Mirai brute-forces.
Scenario: Log Analysis Tool Processing Logs
Description: A log analysis tool such as the ELK Stack or Splunk is parsing system logs and may generate lookups or connections that contain the indicator values.
Filter/Exclusion: Exclude matched events whose initiating process is logstash, splunkd or kibana and filter out log-processing activity.
Scenario: Network Device Configuration via CLI
Description: A network administrator is configuring a router or switch from the CLI, using terms such as telnet, ssh or config that also appear in Mirai activity.
Filter/Exclusion: Exclude sessions initiated via sudo or su from approved administrative hosts and filter out CLI commands associated with network device configuration (e.g., configure terminal, interface).
Scenario: IoT Device Firmware Signing Process
Description: A legitimate firmware signing process using tools such as openssl or gpg is running, with command-line arguments that resemble those seen in the rule's context.
Filter/Exclusion: Exclude processes involving openssl, gpg or sign in the command line and filter out activity related to cryptographic operations.
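Rather than writing each of these exclusions into the hunt, a safer pattern is to keep every IOC hit and label the initiating process with the scenario it resembles, so the analyst sees why a hit might be benign without the rule silently dropping it. The query below is an added example, not part of the original rule; it reuses the IP list from the rule's own DeviceNetworkEvents query, and the 30-day window and the scenario labels are assumptions made for the example.

```kql
// Added example: annotate IOC hits with the false-positive scenario they resemble
// instead of excluding them. Labels and window are assumptions for illustration.
let malicious_ips = dynamic(["113.214.18.234", "47.86.55.200", "194.48.251.83", "92.42.100.131", "185.180.141.42", "45.202.249.34", "14.154.200.202", "107.151.233.216", "185.244.182.35", "192.159.99.196"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (malicious_ips)
| extend Cmd = tolower(InitiatingProcessCommandLine),
         Proc = tolower(InitiatingProcessFileName),
         Parent = tolower(InitiatingProcessParentFileName)
// Order matters: the first matching predicate wins.
| extend LikelyScenario = case(
      Parent in ("cron", "crond") and Cmd has_any ("rsync", "backup", "tar"),
          "scheduled backup job",
      Proc in ("ssh", "ssh.exe", "putty.exe", "plink.exe") and Cmd has_any ("firmware", "update"),
          "admin firmware update over SSH",
      Proc has_any ("logstash", "splunkd", "kibana"),
          "log analysis tool",
      Proc in ("openssl", "gpg", "gpg2") or Cmd has "sign",
          "firmware signing",
      "no known benign pattern")
// A hit on a C2 port with no benign pattern is the row to work first.
| project Timestamp, DeviceName, RemoteIP, RemotePort, ActionType,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessParentFileName, InitiatingProcessCommandLine, LikelyScenario
| order by LikelyScenario asc, Timestamp desc
```

Because every row is retained, a backup job that really is pushing data to a listed host still surfaces, just with the label that explains what the analyst should verify. Hits with no process context, which is what an infected camera or router will produce in CommonSecurityLog, never reach this query and must be triaged from the firewall side.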