Devices showing signs of Mirai infection, such as unusual outbound traffic patterns and bursts of failed login attempts, are likely compromised IoT devices already enrolled in a botnet. Proactive hunting identifies and isolates affected systems before they contribute to large-scale DDoS attacks. SOC teams should hunt for the indicators below in Azure Sentinel to detect and contain Mirai activity early and prevent network disruption and service outages.
IOC Summary
Malware Family: Mirai
Total IOCs: 6
IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 176[.]65[.]139[.]199:1999 | botnet_cc | 2026-05-23 | 80% |
| ip:port | 45[.]148[.]10[.]210:80 | payload_delivery | 2026-05-23 | 85% |
| url | hxxp://45[.]148[.]10[.]210/hostmane | payload_delivery | 2026-05-23 | 85% |
| url | hxxp://45[.]148[.]10[.]210/blackbih | payload_delivery | 2026-05-23 | 85% |
| url | hxxp://45[.]148[.]10[.]210/blackboi | payload_delivery | 2026-05-23 | 85% |
| url | hxxp://45[.]148[.]10[.]210/listener | payload_delivery | 2026-05-23 | 85% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["176.65.139.199", "45.148.10.210"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["176.65.139.199", "45.148.10.210"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Mirai
let malicious_urls = dynamic(["http://45.148.10.210/hostmane", "http://45.148.10.210/blackbih", "http://45.148.10.210/blackboi", "http://45.148.10.210/listener"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
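The queries above key on bare IP addresses, which discards two things the feed gives you: the port (176.65.139.199:1999 is the C2 listener, 45.148.10.210:80 the payload host) and the URL path. The script below is an added example, not part of the page or of ThreatFox, showing how to refang the defanged indicators exactly as published, index them by (ip, port) and canonical URL, and grade each outbound connection as an exact hit or a weaker IP-only hit. The event records are constructed sample data in the shape of the columns the queries project; the field names (`device`, `dst_ip`, `dst_port`, `url`) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# The six ThreatFox Mirai indicators from the table above, kept defanged as published.
IOCS = [
    ("ip:port", "176[.]65[.]139[.]199:1999", "botnet_cc"),
    ("ip:port", "45[.]148[.]10[.]210:80", "payload_delivery"),
    ("url", "hxxp://45[.]148[.]10[.]210/hostmane", "payload_delivery"),
    ("url", "hxxp://45[.]148[.]10[.]210/blackbih", "payload_delivery"),
    ("url", "hxxp://45[.]148[.]10[.]210/blackboi", "payload_delivery"),
    ("url", "hxxp://45[.]148[.]10[.]210/listener", "payload_delivery"),
]


def refang(value: str) -> str:
    """Undo the usual defanging ([.] and hxxp) so an indicator compares equal to raw log fields."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def normalize_url(url: str) -> str:
    """Canonical scheme://host[:port]/path key; default ports (80/443) are dropped, query/fragment ignored."""
    u = urlsplit(url.strip())
    scheme = (u.scheme or "http").lower()
    host = (u.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if u.port in (None, default) else f"{host}:{u.port}"
    return f"{scheme}://{netloc}{u.path or '/'}"


def build_index(iocs):
    """Split IOCs into an exact (ip, port) lookup and a canonical-URL lookup, both refanged."""
    ip_ports, urls = {}, {}
    for kind, value, threat in iocs:
        clean = refang(value)
        if kind == "ip:port":
            ip, port = clean.rsplit(":", 1)
            ip_ports[(ip, int(port))] = threat
        elif kind == "url":
            urls[normalize_url(clean)] = threat
    return ip_ports, urls


@dataclass
class Hit:
    device: str
    indicator: str
    threat_type: str
    exact: bool  # False when only the IP matched, on a port the feed did not list


def match_event(event: dict, ip_ports: dict, urls: dict) -> Optional[Hit]:
    """Check one outbound connection record against the index.

    Order of precedence: full URL, then ip:port, then bare IP (weaker, but
    a C2 host frequently moves ports, so it is still worth a low-confidence hit).
    """
    if event.get("url"):
        key = normalize_url(event["url"])
        if key in urls:
            return Hit(event["device"], key, urls[key], True)
    dst = (event["dst_ip"], int(event["dst_port"]))
    if dst in ip_ports:
        return Hit(event["device"], f"{dst[0]}:{dst[1]}", ip_ports[dst], True)
    if any(ip == dst[0] for ip, _ in ip_ports):
        return Hit(event["device"], dst[0], "ip_only", False)
    return None


# Constructed sample records (not real telemetry), shaped like the
# DeviceNetworkEvents / CommonSecurityLog columns the queries above project.
SAMPLE_EVENTS = [
    {"device": "cam-07", "dst_ip": "45.148.10.210", "dst_port": 80,
     "url": "http://45.148.10.210:80/blackboi"},                          # payload fetch, explicit :80
    {"device": "dvr-02", "dst_ip": "176.65.139.199", "dst_port": 1999},  # C2 on the listed port
    {"device": "dvr-02", "dst_ip": "176.65.139.199", "dst_port": 443},   # same C2 host, other port
    {"device": "nas-01", "dst_ip": "203.0.113.77", "dst_port": 873},     # benign rsync backup
]


def hunt(events, iocs=IOCS):
    """Run every event through the index and return the hits in log order."""
    ip_ports, urls = build_index(iocs)
    return [h for h in (match_event(e, ip_ports, urls) for e in events) if h]


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h.device:8} {h.threat_type:17} {'exact' if h.exact else 'ip-only'} {h.indicator}")
```

The IP-only grade is what the KQL above returns for every match; carrying the port and path through lets an analyst triage an exact C2 hit on 1999 ahead of, say, an unrelated HTTPS connection to the same address.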
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector (firewall, proxy, IDS). Ensure the connector is enabled and that the firewalls in front of IoT segments forward outbound connection logs; the RequestURL column can also be checked against the URL IOCs. |
| DeviceNetworkEvents | Requires the Microsoft Defender XDR connector. Only covers hosts with the Defender for Endpoint sensor, which excludes most IoT devices; its RemoteUrl column can be checked against the URL IOCs. |
| UrlClickEvents | Requires the Microsoft Defender XDR connector with Defender for Office 365 Safe Links. It records user clicks on links in mail and Teams, so payload URLs fetched directly by an infected device will not appear here; rely on proxy/firewall URL logging for those. |
Scenario: Scheduled System Backup Using rsync
Description: An administrator schedules regular rsync backups to a remote server. The periodic, long-lived outbound connections can resemble C2 beaconing in a behavioral rule.
Filter/Exclusion: Exclude rsync traffic only when the destination is a documented backup server (rsync daemon on TCP 873 or rsync over SSH). Do not exclude on process name alone, and never exclude a destination that also appears in the IOC list.
Scenario: Admin Task: sudo apt update && apt upgrade
Description: A standard package update on a Linux server produces a burst of outbound HTTP(S) connections to package mirrors and spawns many child processes, which a behavioral rule may flag.
Filter/Exclusion: Exclude apt and dpkg connections to the configured package mirrors during the maintenance window. Do not exclude on privilege: Mirai typically runs as root on the devices it infects, so "initiated by root or a sudo user" is not a benign signal.
Scenario: Log Collection via rsyslog to SIEM
Description: Hosts forward logs with rsyslog to a central collector or the SIEM, producing steady outbound traffic that a behavioral rule may flag.
Filter/Exclusion: Exclude forwarder traffic only to the collector's known address and port (typically TCP/UDP 514 or TLS on 6514), not all outbound traffic from the forwarding hosts.
Scenario: IoT Device Firmware Update via curl
Description: A legitimate firmware update uses curl to download an image from a trusted internal repository. The pattern (a small device fetching a binary over HTTP) is the same one Mirai's loader uses, and the payload URLs above are an example of it.
Filter/Exclusion: Exclude curl only when the target is the internal update server or a documented vendor update URL. Keep alerting on downloads from bare external IP addresses, which is how the payload_delivery URLs above would appear.
Scenario: Cron Job for System Monitoring with nmap
Description: A cron job runs nmap against internal segments as part of routine security monitoring and is flagged for port-scanning behavior.
Filter/Exclusion: Exclude scans that originate from the designated scanner hosts and target internal ranges. Scanning from any other host, particularly probes to TCP 23 and 2323, is consistent with Mirai's own telnet scanner and should continue to alert.