The hunting hypothesis is that this detection rule identifies potential Mirai Variant 4 botnet activity through unusual network traffic patterns indicative of distributed denial-of-service attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage botnet infections before they cause widespread disruption.
YARA Rule
rule Mirai_4 : MALW
{
    meta:
        description = "Mirai Variant 4"
        author = "Joan Soriano / @joanbtl"
        date = "2017-04-16"
        version = "1.0"
        MD5 = "f832ef7a4fcd252463adddfa14db43fb"
        SHA1 = "4455d237aadaf28aafce57097144beac92e55110"
    strings:
        $s1 = "210765"
        $s2 = "qllw"
        $s3 = ";;;;;;"
    condition:
        // all three strings must be present in the scanned file
        $s1 and $s2 and $s3
}
This YARA rule uses three string patterns in its detection logic. When it is deployed, the following benign scenarios are likely sources of false positives, each with a suggested filter or exclusion:
Scenario: System backup process using rsync or tar that generates a high volume of connection attempts to internal servers.
Filter/Exclusion: process.name IN (rsync, tar, scp) OR destination.ip IN (internal_network_range)
Scenario: Scheduled job running nmap for network discovery or vulnerability scanning on internal segments.
Filter/Exclusion: process.name = nmap AND destination.ip IN (internal_network_range) AND timestamp BETWEEN (job_schedule_start AND job_schedule_end)
Scenario: Admin task involving telnet or nc (netcat) for testing connectivity or port availability on internal hosts.
Filter/Exclusion: process.name IN (telnet, nc) AND destination.ip IN (internal_network_range) AND user.name IN (admin_users)
Scenario: Logrotate or similar utility that temporarily opens connections to log servers or internal databases.
Filter/Exclusion: process.name IN (logrotate, syslog-ng, rsyslog) OR destination.ip IN (log_server_ip_range)
Scenario: Automated script or CI/CD pipeline using curl or wget to fetch dependencies from internal artifact repositories.
Filter/Exclusion: (process.name IN (curl, wget, git) AND destination.ip IN (internal_artifact_repo_range)) OR user.name IN (ci_cd_users)
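As an added example (not part of the original page or the rule author's material), the Python below encodes the five exclusions above as predicates over constructed events; the network ranges, user sets and job window are placeholder assumptions. Running it shows that the two OR-form exclusions (backup and log shipping) suppress every event to a destination in their range regardless of process, which is worth checking before deploying them.

```python
import ipaddress
from datetime import datetime, time

# Placeholder values for the named ranges/sets on the page (assumptions, not real data)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
LOG_SERVER_NET = ipaddress.ip_network("10.10.0.0/16")
ARTIFACT_REPO_NET = ipaddress.ip_network("10.20.0.0/16")
ADMIN_USERS = {"netops"}
CI_CD_USERS = {"svc-ci"}
JOB_WINDOW = (time(2, 0), time(3, 0))  # assumed nightly nmap discovery job


def in_net(ip, net):
    return ipaddress.ip_address(ip) in net


def in_job_window(ts):
    t = datetime.fromisoformat(ts).time()
    return JOB_WINDOW[0] <= t <= JOB_WINDOW[1]


# One predicate per scenario; True means "treat as benign and exclude".
EXCLUSIONS = {
    "backup": lambda e: e["process.name"] in {"rsync", "tar", "scp"}
    or in_net(e["destination.ip"], INTERNAL_NET),
    "scheduled_nmap": lambda e: e["process.name"] == "nmap"
    and in_net(e["destination.ip"], INTERNAL_NET) and in_job_window(e["timestamp"]),
    "admin_telnet_nc": lambda e: e["process.name"] in {"telnet", "nc"}
    and in_net(e["destination.ip"], INTERNAL_NET) and e["user.name"] in ADMIN_USERS,
    "log_shipping": lambda e: e["process.name"] in {"logrotate", "syslog-ng", "rsyslog"}
    or in_net(e["destination.ip"], LOG_SERVER_NET),
    # Parenthesised explicitly: AND binds tighter than OR, so the CI-user clause stands alone.
    "ci_fetch": lambda e: (e["process.name"] in {"curl", "wget", "git"}
                           and in_net(e["destination.ip"], ARTIFACT_REPO_NET))
    or e["user.name"] in CI_CD_USERS,
}


def matching_exclusions(event):
    """Return the names of every exclusion that would suppress this event."""
    return [name for name, pred in EXCLUSIONS.items() if pred(event)]


# Constructed sample events (field names follow the page's filter syntax)
SAMPLE_EVENTS = {
    "nightly_backup": {"process.name": "rsync", "destination.ip": "10.1.2.3", "user.name": "backup", "timestamp": "2024-01-01T01:30:00"},
    "ci_pull": {"process.name": "curl", "destination.ip": "10.20.5.5", "user.name": "svc-ci", "timestamp": "2024-01-01T12:00:00"},
    "daytime_nmap": {"process.name": "nmap", "destination.ip": "10.1.2.3", "user.name": "netops", "timestamp": "2024-01-01T12:00:00"},
    "unknown_internal": {"process.name": "busybox", "destination.ip": "10.1.2.3", "user.name": "root", "timestamp": "2024-01-01T12:00:00"},
}

if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        print(f"{label}: suppressed by {matching_exclusions(ev) or 'nothing'}")
```

Note that "daytime_nmap" and "unknown_internal" are both suppressed by the backup exclusion alone, purely because the destination is internal; narrowing that exclusion to AND restores the intended scope.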