The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying indicators of compromise associated with IoT device compromise and DDoS command-and-control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai infections before they contribute to large-scale DDoS attacks.
IOC Summary
- **Malware Family:** Mirai
- **Total IOCs:** 4
- **IOC Types:** domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]131[.]108[.]107:1302 | botnet_cc | 2026-04-24 | 80% |
| ip:port | 45[.]135[.]193[.]118:1995 | botnet_cc | 2026-04-24 | 80% |
| ip:port | 176[.]65[.]148[.]212:38241 | botnet_cc | 2026-04-24 | 80% |
| domain | 176[.]65[.]148[.]212.ptr.pfcloud.network | botnet_cc | 2026-04-24 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["176.65.148.212", "45.131.108.107", "45.135.193.118"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["176.65.148.212", "45.131.108.107", "45.135.193.118"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
let malicious_domains = dynamic(["176.65.148.212.ptr.pfcloud.network"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
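The queries above match on IP alone, so a host that shares one of the listed addresses with unrelated traffic will also fire. The following added example (not part of the ThreatFox rule) refangs the `ip:port` and `domain` rows from the IOC table, validates them, and renders a CommonSecurityLog query that requires the destination port from the feed as well; the `c2_ips` and `c2_endpoints` names and the sample rows are constructed here.

```python
"""Refang ThreatFox-style IOCs and render a port-aware KQL hunting query."""
import ipaddress

# Constructed sample rows: (type, defanged value) as they appear in the IOC table.
IOC_ROWS = [
    ("ip:port", "45[.]131[.]108[.]107:1302"),
    ("ip:port", "45[.]135[.]193[.]118:1995"),
    ("ip:port", "176[.]65[.]148[.]212:38241"),
    ("domain", "176[.]65[.]148[.]212.ptr.pfcloud.network"),
]


def refang(value: str) -> str:
    """Undo common defanging so the value can be compared against log fields."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(rows):
    """Split rows into unique IPs, (ip, port) pairs and domains.

    Malformed addresses or ports raise ValueError instead of silently
    producing a watchlist entry that can never match.
    """
    ips, pairs, domains = [], [], []
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            if not port.isdigit() or not 0 < int(port) < 65536:
                raise ValueError(f"malformed port in IOC: {raw}")
            ip = str(ipaddress.IPv4Address(ip))  # raises ValueError on a bad octet
            if ip not in ips:
                ips.append(ip)
            pairs.append((ip, int(port)))
        elif ioc_type == "domain":
            domains.append(value.lower())
    return ips, pairs, domains


def kql_list(values):
    """Render a Python list as a KQL dynamic() literal."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"


def build_query(rows) -> str:
    """CommonSecurityLog hunt that requires both the C2 IP and its listed port."""
    ips, pairs, _ = parse_iocs(rows)
    endpoints = [f"{ip}:{port}" for ip, port in pairs]
    return "\n".join([
        f"let c2_ips = {kql_list(ips)};",
        f"let c2_endpoints = {kql_list(endpoints)};",
        "CommonSecurityLog",
        "| where DestinationIP in (c2_ips)",
        "| extend Endpoint = strcat(DestinationIP, ':', tostring(DestinationPort))",
        "| where Endpoint in (c2_endpoints)",
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction",
    ])


if __name__ == "__main__":
    print(build_query(IOC_ROWS))
```

Matching on IP and port drops the false positives the IP-only query produces when the listed host also serves legitimate traffic, at the cost of missing a C2 that moves to a new port; keep the IP-only query as a lower-severity companion if that trade-off matters.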
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
**Scenario: Scheduled System Backup Job**
- Description: A legitimate scheduled backup job uses nc (Netcat) to transfer backup data over the network.
- Filter/Exclusion: Exclude processes initiated by the backup service (e.g., backupd, rsyslog, or cron jobs with known backup scripts).

**Scenario: Remote Administration Tool (RAT) Usage**
- Description: An IT admin uses a RAT like TeamViewer or AnyDesk to remotely manage IoT devices, which may trigger network connection alerts.
- Filter/Exclusion: Exclude connections initiated by known remote management tools (e.g., teamviewer, anydesk, or vncviewer).

**Scenario: Network Monitoring Tool Traffic**
- Description: A network monitoring tool like Wireshark or tcpdump is capturing and analyzing network traffic, which may include connections resembling Mirai C2 communication.
- Filter/Exclusion: Exclude traffic originating from or destined for the monitoring tool's IP address or process ID.

**Scenario: IoT Device Firmware Update**
- Description: A firmware update process for IoT devices uses nc to communicate with a server for update payloads.
- Filter/Exclusion: Exclude traffic associated with known firmware update servers or processes related to device management systems (e.g., update-agent, ota-update).

**Scenario: Admin Task with Netcat for Debugging**
- Description: A system administrator uses nc to test network connectivity or debug a service, which may be flagged as suspicious.
- Filter/Exclusion: Exclude nc usage by admin users (e.g., root, admin, or sudo) during known maintenance windows or script execution.