The hypothesis is that this rule identifies Mirai Satori samples by their file content, not by network behavior: it matches three XOR-obfuscated Mirai string-table entries inside a small ELF binary (under 100 KB) and additionally requires the generic is__elf, is__Mirai_gen7 and is__Mirai_Satori_gen rules to fire. Because it is a YARA rule it runs wherever files are scanned (endpoint agents, sandboxes, mail and proxy gateways, file shares); SOC teams should forward those scanner hits to Azure Sentinel and hunt on them together with the originating host to identify early-stage compromise of IoT devices by this Mirai variant.
YARA Rule
rule Mirai_Satori {
    meta:
        description = "Detects Mirai Satori MALW"
        date = "2018-01-09"
    strings:
        // The three patterns are Mirai string-table entries XOR-obfuscated with the
        // single-byte key 0x07 (the original Mirai key 0xDEADBEEF reduces to 0x22 per byte).
        // Decoded: "dvrHelper" (the ?? wildcard stands for 0x4F, i.e. 'H' ^ 0x07)
        $hexsts01 = { 63 71 75 ?? 62 6B 77 62 75 }
        // Decoded: "TSource", the prefix of "TSource Engine Query" used by the Source Engine UDP flood
        $hexsts02 = { 53 54 68 72 75 64 62 }
        // Decoded: "/dev/watchdog", which the bot opens to disable the hardware watchdog and avoid a reboot
        $hexsts03 = { 28 63 62 71 28 70 66 73 64 6F 63 68 60 }
    condition:
        // is__elf, is__Mirai_gen7 and is__Mirai_Satori_gen are separate rules that must be
        // compiled together with this one (they are not reproduced on this page); without
        // them YARA reports an undefined identifier and the rule does not compile.
        all of them
        and is__elf
        and is__Mirai_gen7
        and is__Mirai_Satori_gen
        and filesize < 100KB
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic, all of them hex byte sequences (one with a single-byte wildcard) rather than plain text because the strings are XOR-obfuscated inside the binary; its condition also depends on three rules (is__elf, is__Mirai_gen7, is__Mirai_Satori_gen) that are not shown on this page.
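To see what the three hex patterns encode and to check the file-level conditions of the rule against a sample, the following Python is an added example; it is not part of this page nor of the ruleset the rule comes from. It assumes only that "/dev/watchdog" is a plaintext entry of the Mirai string table (it is, in the public Mirai source) and uses it as known plaintext to recover the XOR key from $hexsts03, decodes the other two patterns with that key, and then runs a small matcher that reproduces the parts of the condition visible on the page (all three strings, ELF magic at offset 0, filesize < 100KB) over a constructed stand-in ELF buffer. The is__Mirai_gen7 and is__Mirai_Satori_gen dependencies are not on the page and are not reproduced; the helper names and the sample buffer are the example's own.

```python
import re

# The three hex patterns exactly as written in the Mirai_Satori rule.
# "??" is YARA's single-byte wildcard.
PATTERNS = {
    "hexsts01": "63 71 75 ?? 62 6B 77 62 75",
    "hexsts02": "53 54 68 72 75 64 62",
    "hexsts03": "28 63 62 71 28 70 66 73 64 6F 63 68 60",
}

ELF_MAGIC = b"\x7fELF"
MAX_FILESIZE = 100 * 1024  # "filesize < 100KB" in the rule


def recover_xor_key(pattern, known_plaintext):
    """Known-plaintext recovery of a single-byte XOR key.

    Every fixed byte of the pattern XORed with the matching plaintext
    character must give the same key; if not, the plaintext guess is wrong.
    """
    tokens = pattern.split()
    if len(tokens) != len(known_plaintext):
        raise ValueError("pattern and plaintext lengths differ")
    keys = {int(tok, 16) ^ ord(ch)
            for tok, ch in zip(tokens, known_plaintext) if tok != "??"}
    if len(keys) != 1:
        raise ValueError("inconsistent key bytes: %r" % sorted(keys))
    return keys.pop()


def decode_pattern(pattern, key):
    """XOR each fixed byte of a YARA hex string with key; wildcards become '?'."""
    return "".join("?" if tok == "??" else chr(int(tok, 16) ^ key)
                   for tok in pattern.split())


def hex_pattern_to_regex(pattern):
    """Translate a YARA hex string into a bytes regex ("??" matches any byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def mirai_satori_file_match(data):
    """Evaluate the rule's file-level conditions: all three strings present,
    ELF magic at offset 0 and filesize < 100KB. The is__Mirai_gen7 and
    is__Mirai_Satori_gen dependency rules are not on the page, so a True
    here is necessary but not sufficient for the real rule to fire."""
    hits = {name: [m.start() for m in hex_pattern_to_regex(p).finditer(data)]
            for name, p in PATTERNS.items()}
    is_elf = data.startswith(ELF_MAGIC)
    size_ok = len(data) < MAX_FILESIZE
    return {
        "strings": hits,
        "is_elf": is_elf,
        "size_ok": size_ok,
        "match": is_elf and size_ok and all(hits.values()),
    }


def xor_bytes(text, key):
    return bytes(b ^ key for b in text.encode())


def build_sample(key, size=4096):
    """Constructed stand-in for a Satori binary (example data, not a real sample):
    a valid ELF magic, zero padding, then the three Mirai table strings
    obfuscated with the given key, the way the bot stores them."""
    body = ELF_MAGIC + bytes(60)  # fake remainder of the ELF header
    for plain in ("dvrHelper", "TSource Engine Query", "/dev/watchdog"):
        body += xor_bytes(plain, key) + b"\x00"
    return body.ljust(size, b"\x00")


if __name__ == "__main__":
    key = recover_xor_key(PATTERNS["hexsts03"], "/dev/watchdog")
    print("recovered key: 0x%02x" % key)
    for name, pat in PATTERNS.items():
        print("%s -> %r" % (name, decode_pattern(pat, key)))
    print("Satori-keyed sample:", mirai_satori_file_match(build_sample(key))["match"])
    print("Mirai-keyed (0x22) sample:", mirai_satori_file_match(build_sample(0x22))["match"])
    print("oversized sample:", mirai_satori_file_match(build_sample(key, 200 * 1024))["match"])
```

The negative cases are the useful part: the same strings obfuscated with the original Mirai key (0x22) do not match, which is why this rule is Satori-specific rather than a generic Mirai rule, and a buffer of 200 KB fails on filesize alone even though all three strings are present.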
Tuning note: the exclusions below are written against endpoint and network telemetry fields (process.name, destination.port, source.ip) and cannot be applied to the YARA rule itself, which only sees file content; they are usable when the hunt is run over such logs in Azure Sentinel. None of these activities produce a small ELF binary carrying XOR-obfuscated Mirai strings, so they should not trigger the rule in the first place.
Scenario: Scheduled system backup using rsync
Filter/Exclusion: Exclude traffic from the backup server's IP address, or filter by process.name = "rsync" and destination.port = 873 (rsync daemon; rsync over SSH uses port 22 instead)
Scenario: Admin performing a manual DNS zone transfer using dig
Filter/Exclusion: Exclude traffic where process.name = "dig", destination.port = 53 over TCP (AXFR is carried over TCP, not UDP) and dns.query.type = "AXFR"
Scenario: Automated log rotation job using logrotate
Filter/Exclusion: logrotate is a local job with no network side; exclude events with process.name = "logrotate" and a file path under /var/log/ (file.path in ECS-style logs)
Scenario: Database dump using mysqldump (for example to seed a replica; mysqldump is a backup tool, not the replication channel itself)
Filter/Exclusion: Exclude traffic from the host running the dump and filter by process.name = "mysqldump" with destination.port = 3306
Scenario: Port scan by the internal security team using nmap (a scanner, not a monitoring tool) for a security assessment
Filter/Exclusion: Exclude traffic from the internal security team's IP range and filter by process.name = "nmap" with source.ip in 10.0.0.0/24