The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known malicious indicators associated with compromised IoT devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai infections before they spread across the network.
IOC Summary
Malware Family: Mirai
Total IOCs: 2
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 176[.]65[.]139[.]7:3778 | botnet_cc | 2026-05-20 | 80% |
| domain | tvt.miraibotnet.su | payload_delivery | 2026-05-20 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["176.65.139.7"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Mirai
// The feed lists the C2 as ip:port 176.65.139.7:3778; filtering on RemotePort == 3778 as well
// tightens the match if the IP is shared hosting.
let malicious_ips = dynamic(["176.65.139.7"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
let malicious_domains = dynamic(["tvt.miraibotnet.su"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
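As an added example (not part of this rule page or of ThreatFox's own tooling), the Python below turns the defanged ThreatFox rows above into the KQL `let` lists the hunts use, keeps the ip:port pairing the feed publishes, and applies the same matching logic to constructed sample events so the match and non-match cases can be checked offline. `IOC_ROWS` and the event dicts are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample rows in the ThreatFox layout of the table above:
# (type, value, threat_type); values are defanged exactly as published.
IOC_ROWS = [
    ("ip:port", "176[.]65[.]139[.]7:3778", "botnet_cc"),
    ("domain", "tvt.miraibotnet.su", "payload_delivery"),
]

def refang(value: str) -> str:
    """Undo the usual feed defanging: '[.]' -> '.' and 'hxxp' -> 'http'."""
    return re.sub(r"\[\.\]", ".", value).replace("hxxp", "http")

def split_iocs(rows) -> Dict[str, list]:
    """Group refanged indicators by type; ip:port is kept both as a bare IP
    (what the Sentinel queries use) and as an (ip, port) pair."""
    out: Dict[str, list] = {"ip": [], "ip_port": [], "domain": []}
    for ioc_type, value, _threat in rows:
        value = refang(value)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            out["ip"].append(ip)
            out["ip_port"].append((ip, int(port)))
        elif ioc_type == "domain":
            out["domain"].append(value.lower())
    return out

def kql_let(name: str, values: List[str]) -> str:
    """Render a KQL let statement holding a dynamic array of string literals."""
    literals = ", ".join('"%s"' % v for v in values)
    return "let %s = dynamic([%s]);" % (name, literals)

def match_event(event: dict, iocs: Dict[str, list]) -> List[str]:
    """Apply the hunt logic to one event dict (CommonSecurityLog, DeviceNetworkEvents
    or DnsEvents column names). Returns the reasons for the hit; [] means no match."""
    hits = []
    for field in ("SourceIP", "DestinationIP", "RemoteIP"):
        if event.get(field) in iocs["ip"]:
            hits.append("ip:%s" % event[field])
    for ip, port in iocs["ip_port"]:
        # Full ip:port pair: higher confidence than the bare IP match above.
        if event.get("DestinationIP") == ip and event.get("DestinationPort") == port:
            hits.append("c2:%s:%d" % (ip, port))
    name = (event.get("Name") or "").lower()
    # The domain itself or any subdomain, which is what has_any above is meant to catch.
    if any(name == d or name.endswith("." + d) for d in iocs["domain"]):
        hits.append("domain:%s" % name)
    return hits
```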
Scenario: Scheduled System Backup Using nc (Netcat)
Description: A legitimate system backup process uses nc to transfer data over the network.
Filter/Exclusion: Exclude processes where nc is used with known backup IP ranges or during scheduled backup windows (e.g., process.command_line LIKE '%nc -z 192.168.1.100%' AND timestamp BETWEEN '2025-04-01 02:00:00' AND '2025-04-01 04:00:00').
Scenario: Admin Task Using nc for Remote Management
Description: An admin uses nc to remotely manage a server or perform diagnostics.
Filter/Exclusion: Exclude processes initiated by admin users (e.g., process.user = 'root' OR process.user = 'admin') or where nc is used with known management IPs (e.g., process.command_line LIKE '%nc -z 10.0.0.5%').
Scenario: Log Collection Using nc with a SIEM Server
Description: A log collection agent uses nc to send logs to a SIEM server.
Filter/Exclusion: Exclude traffic to known SIEM IP addresses (e.g., destination_ip = '10.10.10.10') or processes associated with log collection tools like Fluentd or Logstash.
Scenario: Network Monitoring Tool Using nc for Port Scanning
Description: A network monitoring tool (for example, one that wraps nmap or tcpdump) invokes nc for port checks or packet analysis.
Filter/Exclusion: Exclude processes associated with known monitoring tools (e.g.,