The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying indicators of compromise associated with IoT device scanning and credential exploitation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage botnet infections before they are used in large-scale DDoS attacks.
IOC Summary
Malware Family: Mirai
Total IOCs: 24
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://nova.podril1ak2.online/nova.sh | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.armv6l | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.armv5l | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.i686 | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.mipsel | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.powerpc | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.armv7l | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.x86_64 | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.i586 | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.armv4l | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.sh4 | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.mips | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/ppc | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/spc | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/arm | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/mips | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/sh4 | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/x86 | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/arm6 | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/m68k | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/mpsl | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/arm7 | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/x86_64 | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/arm5 | payload_delivery | 2026-05-27 | 100% |
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Mirai
let malicious_urls = dynamic(["http://nova.podril1ak2.online/nova.sh", "http://nova.podril1ak2.online/bins/nova.armv6l", "http://nova.podril1ak2.online/bins/nova.armv5l", "http://nova.podril1ak2.online/bins/nova.i686", "http://nova.podril1ak2.online/bins/nova.mipsel", "http://nova.podril1ak2.online/bins/nova.powerpc", "http://nova.podril1ak2.online/bins/nova.armv7l", "http://nova.podril1ak2.online/bins/nova.x86_64", "http://nova.podril1ak2.online/bins/nova.i586", "http://nova.podril1ak2.online/bins/nova.armv4l", "http://nova.podril1ak2.online/bins/nova.sh4", "http://nova.podril1ak2.online/bins/nova.mips", "http://api.ddenv.site/ppc", "http://api.ddenv.site/spc", "http://api.ddenv.site/arm", "http://api.ddenv.site/mips", "http://api.ddenv.site/sh4", "http://api.ddenv.site/x86", "http://api.ddenv.site/arm6", "http://api.ddenv.site/m68k", "http://api.ddenv.site/mpsl", "http://api.ddenv.site/arm7", "http://api.ddenv.site/x86_64", "http://api.ddenv.site/arm5"]);
// UrlClickEvents records clicks on URLs in mail and collaboration tools (requires the Defender XDR data connector)
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
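As an added example (not part of the ThreatFox page or of the rule above), the following Python parses rows in the page's defanged IOC table format, refangs `hxxp://` back to `http://`, and classifies constructed UrlClickEvents-style records: an exact match on scheme, host and path (ignoring host case and query strings, which a plain substring match would miss or over-match), and a looser host-level match that also flags a click on a binary name the table does not list. The sample rows and click records are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: three rows in the page's IOC table format (defanged with hxxp://).
IOC_ROWS = """
| url | hxxp://nova.podril1ak2.online/nova.sh | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://nova.podril1ak2.online/bins/nova.mips | payload_delivery | 2026-05-27 | 100% |
| url | hxxp://api.ddenv.site/arm7 | payload_delivery | 2026-05-27 | 100% |
"""

def refang(value: str) -> str:
    """Turn a defanged IOC (hxxp://, [.]) back into a real URL string."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.I).replace("[.]", ".")

def normalize(url: str) -> str:
    """Lowercase scheme and host and drop query/fragment; path case is kept."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"

def parse_ioc_rows(text: str) -> dict:
    """Map each normalized IOC URL to its threat type from markdown table rows."""
    iocs = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 5 and cells[0] == "url":
            iocs[normalize(refang(cells[1]))] = cells[2]
    return iocs

def classify_click(url: str, iocs: dict) -> str:
    """Return 'exact' (full URL in IOC set), 'host' (IOC host only) or 'none'."""
    normalized = normalize(url)
    if normalized in iocs:
        return "exact"
    if urlsplit(normalized).netloc in {urlsplit(u).netloc for u in iocs}:
        return "host"
    return "none"

# Constructed UrlClickEvents-style records: (Timestamp, AccountUpn, Url).
CLICKS = [
    ("2026-05-27T10:01:00Z", "alice@example.test", "http://nova.podril1ak2.online/nova.sh"),
    ("2026-05-27T10:02:00Z", "bob@example.test", "HTTP://API.DDENV.SITE/arm7?x=1"),
    ("2026-05-27T10:03:00Z", "carol@example.test", "http://api.ddenv.site/arm4"),
    ("2026-05-27T10:04:00Z", "dave@example.test", "https://intranet.example.test/docs"),
]

def hunt(clicks, iocs) -> list:
    """Return (AccountUpn, Url, match_kind) for every click that touched an IOC."""
    return [(upn, url, k) for _ts, upn, url in clicks if (k := classify_click(url, iocs)) != "none"]
```

A host-level hit on an unlisted path is worth triaging as new payload staging on known infrastructure rather than dismissing it because the exact URL is absent from the feed.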
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule if it involves scanning IP ranges or using credentials similar to those used by Mirai.
Filter/Exclusion: Exclude rsync processes with the --backup or --exclude flags, or filter by process names like rsync_backup.sh.
Scenario: Admin Task Using nmap for Network Discovery
Description: Network administrators may use nmap to scan internal networks for device inventory or compliance checks, which could resemble Mirai’s scanning behavior.
Filter/Exclusion: Exclude nmap scans targeting internal IP ranges (e.g., 192.168.0.0/16) or filter by user root or admin accounts.
Scenario: Cron Job for Firmware Update on IoT Devices
Description: A legitimate cron job that pushes firmware updates to IoT devices might use similar command-line tools or credentials as Mirai, triggering the rule.
Filter/Exclusion: Exclude processes involving scp, ssh, or curl with known update servers or IP addresses used for firmware distribution.
Scenario: Log Collection Using logrotate with Default Credentials
Description: A log rotation task using logrotate might inadvertently use default credentials or scan for log files in a manner similar to Mirai’s behavior.
Filter/Exclusion: Exclude logrotate processes or filter by specific log directories (e.g., /var/log/), or exclude processes using root credentials for log collection.
Scenario: Security Tool Scanning for Vulnerabilities (e.g., OpenVAS, Nessus)
Description: Security tools like OpenVAS or Nessus may