The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known malicious indicators associated with compromised IoT devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate ongoing botnet infections and prevent distributed denial-of-service (DDoS) attacks.
IOC Summary
Malware Family: Mirai
Total IOCs: 11
IOC Types: ip:port, domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | b[.]9-9-8.com | botnet_cc | 2026-05-31 | 80% |
| url | hxxp://b[.]9-9-8.com/t.sh | payload_delivery | 2026-05-31 | 80% |
| ip:port | 77[.]110[.]113[.]215:39419 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 141[.]98[.]234[.]105:39419 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 172[.]237[.]61[.]86:39419 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 172[.]234[.]180[.]158:39419 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 50[.]116[.]37[.]108:39419 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 172[.]235[.]15[.]161:39419 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 5[.]175[.]223[.]69:8082 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 87[.]120[.]92[.]182:1999 | botnet_cc | 2026-05-31 | 80% |
| domain | cafebabe.su | botnet_cc | 2026-05-31 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
// Note: the feed lists ip:port pairs but this query matches on IP alone; compare DestinationPort
// with the listed ports (39419, 8082, 1999) before escalating a hit.
let malicious_ips = dynamic(["172.237.61.86", "87.120.92.182", "5.175.223.69", "141.98.234.105", "172.235.15.161", "50.116.37.108", "172.234.180.158", "77.110.113.215"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["172.237.61.86", "87.120.92.182", "5.175.223.69", "141.98.234.105", "172.235.15.161", "50.116.37.108", "172.234.180.158", "77.110.113.215"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
let malicious_domains = dynamic(["b.9-9-8.com", "cafebabe.su"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Mirai
let malicious_urls = dynamic(["http://b.9-9-8.com/t.sh"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
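As an added example (not part of the ThreatFox feed or the page's own queries), the Python helper below refangs indicators written in the table's `[.]`/`hxxp` notation, keeps the port component of the ip:port entries so that an IP-and-port match can be told apart from an IP-only match, and renders the same `dynamic([...])` literal the KQL above uses. The IOC subset and the connection records are constructed inline for illustration.

```python
import re
# Defanged indicators copied from the IOC table above (ThreatFox - Mirai); a subset, for brevity.
DEFANGED_IOCS = [
    ("domain", "b[.]9-9-8.com"),
    ("url", "hxxp://b[.]9-9-8.com/t.sh"),
    ("ip:port", "77[.]110[.]113[.]215:39419"),
    ("ip:port", "5[.]175[.]223[.]69:8082"),
    ("ip:port", "87[.]120[.]92[.]182:1999"),
    ("domain", "cafebabe.su"),
]

def refang(value):
    """Undo the [.] and hxxp defanging used in the IOC table."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."))

def build_ioc_sets(iocs):
    """Split indicators into the shapes the hunting queries need."""
    ip_ports, domains, urls = set(), set(), set()
    for kind, raw in iocs:
        value = refang(raw)
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports.add((ip, int(port)))
        elif kind == "domain":
            domains.add(value.lower())
        elif kind == "url":
            urls.add(value)
    return ip_ports, domains, urls

def match_connection(dst_ip, dst_port, ip_ports):
    """'exact' if IP and port both match an IOC, 'ip-only' if just the IP does, else None."""
    if (dst_ip, dst_port) in ip_ports:
        return "exact"
    if any(ip == dst_ip for ip, _ in ip_ports):
        return "ip-only"
    return None

def kql_ip_list(ip_ports):
    """Render the IP set as the dynamic([...]) literal the page's KQL queries use."""
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted({ip for ip, _ in ip_ports})) + "])"

# Constructed CommonSecurityLog-style flows (source IP, destination IP, destination port); not real telemetry.
SAMPLE_FLOWS = [
    ("10.0.0.5", "77.110.113.215", 39419),  # C2 address on its listed port
    ("10.0.0.7", "5.175.223.69", 443),      # listed address, unlisted port: lower-confidence hit
    ("10.0.0.9", "8.8.8.8", 53),            # benign
]

def triage(flows, ip_ports):
    """Keep only flows touching an IOC address, tagged with the match quality."""
    return [(src, dst, port, verdict) for src, dst, port in flows
            if (verdict := match_connection(dst, port, ip_ports))]
```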
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using tar or rsync
Description: A legitimate scheduled backup job uses tar or rsync to archive system files, which may include suspicious command-line arguments or file paths similar to Mirai IOCs.
Filter/Exclusion: Exclude processes initiated by the system’s backup scheduler (e.g., cron job with /etc/cron.daily/backup.sh) or filter by process name tar/rsync with a whitelist of known backup directories.
Scenario: Admin Task Using nc for Network Diagnostics
Description: A system administrator uses nc (netcat) to test network connectivity or port availability, which may be flagged due to its association with Mirai.
Filter/Exclusion: Exclude processes initiated by root or admin users with a known command pattern (e.g., nc -zv <IP> <PORT>) or filter by user ID (e.g., uid=0 or uid=1000).
Scenario: Log Rotation Using logrotate
Description: The logrotate utility may generate temporary files or use commands that resemble Mirai IOCs during log rotation tasks.
Filter/Exclusion: Exclude processes with the command line containing /usr/sbin/logrotate or filter by process name logrotate with a known configuration path.
Scenario: Docker Container Management Using docker CLI
Description: A DevOps engineer uses the docker CLI to manage containers, which may include commands that match Mirai-related IOCs (e.g., docker run, docker ps).
Filter/Exclusion: Exclude processes with the command line containing docker and filter by user (e.g., uid=1000 or user=devops) or