The ThreatFox: Mirai IOCs rule detects potential indicators of compromise associated with the Mirai botnet, which is commonly used to compromise IoT devices for DDoS attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai infections before they are leveraged for large-scale network disruption.
IOC Summary
Malware Family: Mirai
Total IOCs: 3
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | bugcnc.cw0.cc | botnet_cc | 2026-05-17 | 100% |
| ip:port | 43[.]251[.]116[.]156:19658 | botnet_cc | 2026-05-17 | 100% |
| domain | bigyahu.fans | botnet_cc | 2026-05-17 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["43.251.116.156"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["43.251.116.156"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
let malicious_domains = dynamic(["bugcnc.cw0.cc", "bigyahu.fans"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
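As an added example that is not part of the original rule page, the Python helper below refangs the ThreatFox values as they are published in the table above, splits the ip:port indicator, and generates a DeviceNetworkEvents hunt that also records whether the C2 port matched, so an IP-and-port hit can be triaged ahead of lower-fidelity IP-only hits. The IOC rows are a constructed copy of the table, and the generated query assumes the standard DeviceNetworkEvents columns RemoteIP, RemotePort and RemoteUrl.

```python
import re

# Constructed copy of the ThreatFox rows from the table above, defanged as published.
IOC_ROWS = [
    ("domain", "bugcnc.cw0.cc"),
    ("ip:port", "43[.]251[.]116[.]156:19658"),
    ("domain", "bigyahu.fans"),
]

def refang(value: str) -> str:
    """Undo common defanging so the value matches what the logs actually contain."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def split_iocs(rows):
    """Return (domains, ips, ip_ports) ready for KQL dynamic() arrays and port checks."""
    domains, ips, ip_ports = [], [], []
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "domain":
            domains.append(value.lower())
        elif ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip) or not port.isdigit():
                raise ValueError(f"unexpected ip:port IOC: {raw}")
            ips.append(ip)
            ip_ports.append((ip, int(port)))
    return domains, ips, ip_ports

def kql_dynamic(values):
    """Render a Python list as a KQL dynamic([...]) literal."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"

def build_network_hunt(rows) -> str:
    """Generate a DeviceNetworkEvents hunt that matches IPs and domains and
    flags rows where the destination port also matches the published C2 port."""
    domains, ips, ip_ports = split_iocs(rows)
    port_clauses = " or ".join(
        f'(RemoteIP == "{ip}" and RemotePort == {port})' for ip, port in ip_ports
    ) or "false"  # no ip:port IOCs: PortMatch is always false
    return "\n".join([
        f"let malicious_ips = {kql_dynamic(ips)};",
        f"let malicious_domains = {kql_dynamic(domains)};",
        "DeviceNetworkEvents",
        "| where RemoteIP in (malicious_ips) or RemoteUrl has_any (malicious_domains)",
        f"| extend PortMatch = {port_clauses}",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, PortMatch, "
        "InitiatingProcessFileName, ActionType",
        "| order by PortMatch desc, Timestamp desc",
    ])
```

Paste the output of build_network_hunt(IOC_ROWS) into the Sentinel hunting blade; rows with PortMatch true are the ones to triage first.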
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| System backup or restore process using rsync or tar that includes IoT device configuration files | Exclude processes initiated by backup tools such as rsync, tar, or backupd that write to known backup directories. |
| Scheduled job running nmap for network discovery or vulnerability scanning | Exclude processes initiated by scheduled tasks (e.g., cron, at, or Task Scheduler) that run nmap against known scan targets. |
| Admin task to update firmware on IoT devices using scp or sftp | Exclude processes involving scp, sftp, or rsync that originate from known admin tools or update management systems such as Ansible or Puppet. |
| Log analysis tool such as logrotate or Splunk processing logs from IoT devices | Exclude processes associated with log management tools or log rotation scripts that are known to handle IoT device logs. |
| Network monitoring tool such as tcpdump or Wireshark capturing traffic for analysis | Exclude processes initiated by network monitoring tools or packet capture utilities with known capture directories or user IDs. |