The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known malicious indicators associated with compromised IoT devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai infections before they spread across the network.
IOC Summary
Malware Family: Mirai
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 94[.]103[.]188[.]207:420 | botnet_cc | 2026-04-18 | 80% |
| ip:port | 54[.]37[.]207[.]204:3778 | botnet_cc | 2026-04-18 | 80% |
| ip:port | 176[.]65[.]139[.]253:9506 | botnet_cc | 2026-04-18 | 80% |
Hunting Queries
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
// Note: the IOCs are published as ip:port; this query matches on IP alone
// (deliberately broader), so compare DestinationPort against the table above.
let malicious_ips = dynamic(["94.103.188.207", "176.65.139.253", "54.37.207.204"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["94.103.188.207", "176.65.139.253", "54.37.207.204"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
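As an added example (not part of the ThreatFox rule or the page's own queries), the Python below refangs the ip:port indicators from the table above, generates the `let malicious_ips` line the hunting queries start with, and matches constructed CommonSecurityLog-style rows on both IP and port, which is a tighter check than the IP-only queries. The record layout and sample rows are assumptions.

```python
import re
from typing import Iterable

# Constructed from the IOC table above (defanged form, exactly as published).
DEFANGED_IOCS = [
    "94[.]103[.]188[.]207:420",
    "54[.]37[.]207[.]204:3778",
    "176[.]65[.]139[.]253:9506",
]

def refang(ioc: str) -> str:
    """Turn 94[.]103[.]188[.]207:420 back into 94.103.188.207:420."""
    return ioc.replace("[.]", ".")

def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split a (possibly defanged) ip:port indicator and validate both halves."""
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", refang(ioc))
    if not m:
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ip, port = m.group(1), int(m.group(2))
    if any(int(o) > 255 for o in ip.split(".")) or not 0 < port < 65536:
        raise ValueError(f"out-of-range ip or port: {ioc!r}")
    return ip, port

def kql_let(name: str, iocs: Iterable[str]) -> str:
    """Emit the `let` line that heads the Sentinel hunting queries (IPs only)."""
    ips = sorted({parse_ip_port(i)[0] for i in iocs})
    quoted = ", ".join(f'"{ip}"' for ip in ips)
    return f"let {name} = dynamic([{quoted}]);"

def match_events(events: list[dict], iocs: Iterable[str]) -> list[dict]:
    """Return events whose destination ip:port equals a listed C2 pair.
    Matching the port as well avoids flagging unrelated services on a shared IP."""
    pairs = {parse_ip_port(i) for i in iocs}
    return [e for e in events
            if (e["DestinationIP"], e["DestinationPort"]) in pairs]

# Constructed sample rows shaped like CommonSecurityLog records (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-04-18T10:01:00Z", "SourceIP": "10.0.0.15",
     "DestinationIP": "94.103.188.207", "DestinationPort": 420},
    {"TimeGenerated": "2026-04-18T10:02:00Z", "SourceIP": "10.0.0.16",
     "DestinationIP": "94.103.188.207", "DestinationPort": 443},
    {"TimeGenerated": "2026-04-18T10:03:00Z", "SourceIP": "10.0.0.17",
     "DestinationIP": "176.65.139.253", "DestinationPort": 9506},
]

if __name__ == "__main__":
    print(kql_let("malicious_ips", DEFANGED_IOCS), match_events(SAMPLE_EVENTS, DEFANGED_IOCS))
```

The second sample row reaches a listed IP on port 443 and is not reported, which is the difference between ip:port matching and the IP-only hunt.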
Required Data Sources
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios
Scenario: Scheduled System Backup Using tar
Description: A legitimate scheduled backup job uses tar to archive system files, which may include paths or commands resembling Mirai IOCs.
Filter/Exclusion: Exclude processes where the command line includes tar and the path contains /backup/ or /system/.
Scenario: Admin Task Using nc for Remote Management
Description: A system administrator uses nc (Netcat) to remotely manage a server, which may trigger the Mirai IOC detection due to the presence of nc in the command line.
Filter/Exclusion: Exclude processes where the user is root or an administrator and the command line includes the -z or -w flags used for remote management.
Scenario: Log Rotation Using logrotate
Description: The logrotate utility is used to rotate and compress log files, which may include commands that resemble Mirai IOCs.
Filter/Exclusion: Exclude processes where the command line includes logrotate and the path contains /etc/logrotate.d/.
Scenario: Cron Job for Network Monitoring with nmap
Description: A cron job runs nmap to periodically scan internal networks for connectivity issues, which may trigger Mirai IOC detection due to the presence of nmap.
Filter/Exclusion: Exclude processes where the command line includes nmap and the target IP range is within the internal subnet (e.g., 192.168.0.0/16).
Scenario: Docker Container Management Using docker
Description: A Docker container is being managed using the docker CLI, which may include commands that match Mirai IOC patterns.
Filter/Exclusion: Exclude processes where the command line includes `docker