This detection identifies potential Mirai botnet command-and-control (C2) communication by matching known malicious URLs published by URLhaus, which indicates that an adversary may be establishing persistent remote control over infected devices. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain Mirai botnet activity before it spreads across the network.
IOC Summary
Threat: mirai
Total URLs: 3
Active URLs: 3

| URL | Status | Threat Type | Date Added |
|---|---|---|---|
| hxxp://42.233.91.26:54609/bin.sh | online | malware_download | 2026-05-18 |
| hxxp://116.68.160.180:37347/i | online | malware_download | 2026-05-18 |
| hxxp://116.68.160.180:37347/bin.sh | online | malware_download | 2026-05-18 |
```kusto
// Hunt for DNS activity involving URLhaus malicious IOCs
// Threat: mirai
// These IOCs are raw IPv4 addresses, so they never appear as a queried Name;
// the useful match is against the resolved addresses in IPAddresses. Name is
// kept in the filter so the same query works when the IOC list holds domains.
let malicious_iocs = dynamic(["42.233.91.26", "116.68.160.180"]);
DnsEvents
| where IPAddresses has_any (malicious_iocs) or Name has_any (malicious_iocs)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web/firewall traffic to URLhaus malicious IOCs
// Threat: mirai
// Match the destination IP as well as the URL fields: firewall logs in
// CommonSecurityLog often carry DestinationIP but no RequestURL.
// PortMatch flags connections to the exact C2/download port from the IOC list.
let malicious_iocs = dynamic(["42.233.91.26", "116.68.160.180"]);
let malicious_ports = dynamic([54609, 37347]);
CommonSecurityLog
| where DestinationIP in (malicious_iocs)
    or RequestURL has_any (malicious_iocs)
    or DestinationHostName has_any (malicious_iocs)
| extend PortMatch = DestinationPort in (malicious_ports)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, PortMatch, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
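The two queries above share one weakness that is easy to miss: the IOC list holds IP literals, not domains, so a DNS hunt only works against resolved addresses, and a proxy hunt needs a fallback to the destination IP and port. The following Python is an added example for this page (not code from the original page or from URLhaus) that turns the defanged IOC rows into the KQL `let` lists, classifies each IOC as IP or domain, and dry-runs the matching logic over a handful of constructed DNS and CommonSecurityLog rows. The column names mirror the Sentinel tables used above; the sample rows, host names and internal addresses are constructed for illustration.

```python
"""Build Sentinel hunting lists from URLhaus-style IOC rows and dry-run the
matching logic over constructed log rows.

Added example; not the page's or URLhaus' own code. Sample rows are made up,
column names follow the DnsEvents / CommonSecurityLog tables used on the page.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# IOC rows as published on the page (defanged hxxp:// form).
IOC_URLS = [
    "hxxp://42.233.91.26:54609/bin.sh",
    "hxxp://116.68.160.180:37347/i",
    "hxxp://116.68.160.180:37347/bin.sh",
]


def refang(url: str) -> str:
    """Undo the common defanging conventions (hxxp://, [.], [:])."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_iocs(urls):
    """Split IOC URLs into IP literals, domain names and (ip, port) pairs.

    A domain can be hunted in DNS query names; an IP literal never appears as
    a queried Name, only as a resolved address or a connection destination.
    """
    ips, domains, ip_ports = set(), set(), set()
    for raw in urls:
        parts = urlsplit(refang(raw))
        host = parts.hostname
        if not host:
            continue
        port = parts.port or (443 if parts.scheme == "https" else 80)
        try:
            ipaddress.ip_address(host)
        except ValueError:
            domains.add(host)
        else:
            ips.add(host)
            ip_ports.add((host, port))
    return sorted(ips), sorted(domains), sorted(ip_ports)


def kql_list(name, values):
    """Render a KQL `let` statement holding a dynamic array of literals."""
    body = ", ".join(f'"{v}"' if isinstance(v, str) else str(v) for v in values)
    return f"let {name} = dynamic([{body}]);"


def dns_hits(records, ips):
    """DnsEvents-style rows whose resolved IPAddresses include an IOC IP."""
    ioc = set(ips)
    hits = []
    for r in records:
        resolved = {a.strip() for a in r.get("IPAddresses", "").split(",") if a.strip()}
        if resolved & ioc:
            hits.append(r)
    return hits


def csl_hits(records, ip_ports):
    """CommonSecurityLog-style rows bucketed by confidence.

    'high'  : destination IP and port both match an IOC (the C2/download port).
    'medium': only the IP matches; a shared IP on another port may be unrelated.
    Falls back to parsing RequestURL for proxy logs that lack DestinationIP.
    """
    ports_by_ip = {}
    for ip, port in ip_ports:
        ports_by_ip.setdefault(ip, set()).add(port)
    out = {"high": [], "medium": []}
    for r in records:
        ip, port = r.get("DestinationIP"), r.get("DestinationPort")
        if not ip and r.get("RequestURL"):
            p = urlsplit(refang(r["RequestURL"]))
            ip, port = p.hostname, p.port or 80
        if ip in ports_by_ip:
            out["high" if port in ports_by_ip[ip] else "medium"].append(r)
    return out


# Constructed sample rows (not real telemetry).
DNS_SAMPLE = [
    {"Computer": "dns01", "Name": "update.example.net", "IPAddresses": "116.68.160.180"},
    {"Computer": "dns01", "Name": "cdn.example.org", "IPAddresses": "93.184.216.34"},
]
CSL_SAMPLE = [
    {"SourceIP": "10.0.5.17", "DestinationIP": "42.233.91.26", "DestinationPort": 54609, "RequestURL": ""},
    {"SourceIP": "10.0.5.18", "DestinationIP": "116.68.160.180", "DestinationPort": 80, "RequestURL": ""},
    {"SourceIP": "10.0.5.19", "DestinationIP": "", "DestinationPort": None,
     "RequestURL": "http://116.68.160.180:37347/i"},
    {"SourceIP": "10.0.5.20", "DestinationIP": "93.184.216.34", "DestinationPort": 443, "RequestURL": ""},
]

if __name__ == "__main__":
    ips, domains, ip_ports = parse_iocs(IOC_URLS)
    print(kql_list("malicious_iocs", ips))
    print(kql_list("malicious_ports", sorted({p for _, p in ip_ports})))
    print("DNS hits:", [r["Name"] for r in dns_hits(DNS_SAMPLE, ips)])
    print("CSL hits:", {k: [r["SourceIP"] for r in v] for k, v in csl_hits(CSL_SAMPLE, ip_ports).items()})
```

Running it prints the two `let` lines ready to paste into the Sentinel queries, one DNS hit (the host that resolved to an IOC IP, even though the queried name is unrelated), two high-confidence connection hits (exact IP and port, one of them found only through the proxy URL) and one medium-confidence hit to an IOC IP on a different port. Re-running `parse_iocs` on a refreshed URLhaus export keeps the lists current without hand-editing the KQL.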
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is manually testing a Mirai-based vulnerability scanner (e.g., mirai-scan) that generates temporary URLs for internal testing.
  Filter/Exclusion: Exclude results whose URL path or query string contains the substring mirai-scan or internal-test.
- Scenario: A scheduled job runs a network scanner such as Nmap with a custom script that generates temporary URLs for scanning purposes (e.g., nmap --script http-scan).
  Filter/Exclusion: Exclude results originating from the scanning host, or from processes associated with nmap or scripts in the /usr/local/bin directory where process telemetry is available.
- Scenario: A DevOps team runs a Jenkins CI/CD pipeline with a static-analysis stage (e.g., SonarQube) that generates temporary URLs for artifact retrieval.
  Filter/Exclusion: Exclude results where the domain matches an internal artifact repository (e.g., artifactory.internal.com) or the process name includes jenkins.
- Scenario: A security analyst uses a threat intelligence platform such as ThreatConnect to manually submit and test URLs from the URLhaus feed as part of a red team exercise.
  Filter/Exclusion: Exclude results that match the ThreatConnect internal URL pattern or that originate from the threatconnect process or the analyst workstation.
- Scenario: A legitimate security tool such as CrowdStrike Falcon generates temporary URLs for internal reporting or evidence collection during incident response.
  Filter/Exclusion: Exclude results originating from processes named CrowdStrike or falcon, or that match internal reporting domains.

Two caveats apply to all of these exclusions. First, the IOCs in this hunt are raw IP addresses on high, non-standard ports, so a hit on DestinationIP cannot be suppressed by a URL substring; exclude by SourceIP of known analysis hosts (sandboxes, TI platforms, scanners) instead, and keep each exclusion narrow, because a genuine infected device could sit on the same subnet. Second, DnsEvents and CommonSecurityLog carry no process name, so any process-based exclusion (nmap, jenkins, threatconnect, falcon) requires joining to endpoint telemetry that records the initiating process, such as Microsoft Defender for Endpoint DeviceNetworkEvents, on the source host and time window.