Devices making unusual outbound DNS queries to known Mirai botnet command and control (C2) servers may indicate the presence of a Mirai variant, since infected devices commonly resolve their C2 hosts this way. Proactive hunting can identify and mitigate compromised IoT devices before they are used in large-scale DDoS attacks, so SOC teams should actively hunt for this behavior in Azure Sentinel to detect and respond to potential botnet activity early, reducing the risk of network compromise and service disruption.
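As an added illustration of the hunt described above (not code from the original page), the following Python matches exported DNS events against a C2 watchlist and groups the hits per device. The watchlist domains, the event rows and the `DnsEvents`-style column names are constructed placeholders, not real indicators.

```python
# Added example: hunt DNS events for queries to known Mirai C2 domains.
# All domains and events below are constructed placeholders, not real IoCs.
import csv
import io
from typing import Optional

# Constructed C2 watchlist (placeholder domains under the reserved .invalid TLD).
MIRAI_C2_WATCHLIST = {
    "c2.example-mirai.invalid",
    "report.example-mirai.invalid",
}

# Constructed events shaped like a CSV export of a Sentinel DnsEvents query.
SAMPLE_DNS_EVENTS = """TimeGenerated,Computer,ClientIP,Name,QueryType
2024-01-01T00:00:01Z,dvr-01,10.0.0.21,C2.Example-Mirai.invalid.,A
2024-01-01T00:00:05Z,dvr-01,10.0.0.21,update.c2.example-mirai.invalid,A
2024-01-01T00:00:09Z,cam-07,10.0.0.33,www.example.com,A
2024-01-01T00:01:12Z,cam-07,10.0.0.33,report.example-mirai.invalid,A
2024-01-01T00:02:00Z,nas-02,10.0.0.40,notc2.example-mirai.invalid,AAAA
"""

def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so FQDN variants compare equal."""
    return name.strip().lower().rstrip(".")

def matches_watchlist(name: str, watchlist=MIRAI_C2_WATCHLIST) -> Optional[str]:
    """Return the watchlist entry that `name` equals or is a subdomain of.

    Label-aware matching: 'notc2.example-mirai.invalid' must NOT match
    'c2.example-mirai.invalid', which a plain substring check would flag.
    """
    n = normalize(name)
    for c2 in watchlist:
        c2 = normalize(c2)
        if n == c2 or n.endswith("." + c2):
            return c2
    return None

def hunt_mirai_c2(csv_text: str, watchlist=MIRAI_C2_WATCHLIST) -> dict:
    """Group matching queries by device: {Computer: {client_ip, hits, c2_domains}}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hit = matches_watchlist(row["Name"], watchlist)
        if hit is None:
            continue
        entry = findings.setdefault(
            row["Computer"], {"client_ip": row["ClientIP"], "hits": 0, "c2_domains": set()}
        )
        entry["hits"] += 1
        entry["c2_domains"].add(hit)
    return findings
```

Devices returned by `hunt_mirai_c2` are candidates for triage; the `hits` count and the set of C2 domains contacted help prioritise which IoT device to isolate first.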
YARA Rule
rule Mirai_1 : MALW
{
    meta:
        description = "Mirai Variant 1"
        author = "Joan Soriano / @joanbtl"
        date = "2017-04-16"
        version = "1.0"
        MD5 = "655c3cf460489a7d032c37cd5b84a3a8"
        SHA1 = "4dd3803956bc31c8c7c504734bddec47a1b57d58"
    strings:
        $dir1 = "/dev/watchdog"
        $dir2 = "/dev/misc/watchdog"
        $pass1 = "PMMV"
        $pass2 = "FGDCWNV"
        $pass3 = "OMVJGP"
    condition:
        $dir1 and $pass1 and $pass2 and not $pass3 and not $dir2
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule due to the use of rsync in the process tree.
Filter/Exclusion: Exclude processes where the command line includes rsync and the parent process is a known backup service (e.g., cron, systemd-timedated, or backupd).
Scenario: Admin Task Using nc for Network Testing
Description: A system administrator may use nc (netcat) to test network connectivity or port availability, which could be flagged by the rule.
Filter/Exclusion: Exclude processes where the command line includes -z (for port scanning) or -w (timeout), and the user is a privileged admin (e.g., root or sudo).
Scenario: Log Collection Using tcpdump
Description: A log collection or monitoring tool such as tcpdump may be running to capture network traffic, which could be mistaken for Mirai botnet activity.
Filter/Exclusion: Exclude processes where the command line includes tcpdump and the output is directed to a log server or storage location (e.g., | tee /var/log/tcpdump.log).
Scenario: CI/CD Pipeline Using curl for Artifact Download
Description: A CI/CD pipeline may use curl to download artifacts from a private registry, which could be flagged due to the use of curl in the process tree.
Filter/Exclusion: Exclude processes where the command line includes a known CI/CD tool (e.g., git, docker, or jenkins) and the URL matches a known artifact repository.
Scenario: Security Tool Using nmap for Vulnerability Scan