The hypothesis is that the detected URLs are associated with Mirai botnet infrastructure, potentially used to compromise IoT devices and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage Mirai botnet activity before it leads to large-scale distributed denial-of-service attacks.
IOC Summary
Threat: mirai
Total URLs: 5
Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://114.198.242.174:49905/i | online | malware_download | 2026-06-08 |
| hxxp://110.36.89.246:54150/i | online | malware_download | 2026-06-08 |
| hxxp://114.198.242.174:49905/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://110.36.89.246:54150/bin.sh | online | malware_download | 2026-06-08 |
| hxxp://nova.ismak.icu/nova.sh | offline | malware_download | 2026-06-08 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
// DnsEvents.Name holds the queried name and IPAddresses the resolved addresses,
// so the domain IOC is matched against Name and the IP IOCs against IPAddresses.
let malicious_domains = dynamic(["nova.ismak.icu"]);
let malicious_ips = dynamic(["110.36.89.246", "114.198.242.174"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts (IPs and domain from the IOC table)
// Threat: mirai
let malicious_hosts = dynamic(["110.36.89.246", "114.198.242.174", "nova.ismak.icu"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
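Rebuilding the KQL `let` lists by hand from a URLhaus export is error prone, and the IOC table above mixes IP hosts (which DnsEvents exposes in IPAddresses) with a domain (which appears in Name). The following Python is an added example, not part of the original hunt: it refangs the IOC URLs from the table, splits the hosts into IPs and domains, and renders the DnsEvents hunt query with both lists. The URLs are the five rows from the page; the function names are the author's own choices.

```python
# Added example: turn URLhaus-style defanged IOC URLs into KQL 'let' lists for
# the DnsEvents hunt. The five IOC URLs are copied from the table on this page.
import ipaddress
import re
from urllib.parse import urlsplit

IOC_ROWS = [
    "hxxp://114.198.242.174:49905/i",
    "hxxp://110.36.89.246:54150/i",
    "hxxp://114.198.242.174:49905/bin.sh",
    "hxxp://110.36.89.246:54150/bin.sh",
    "hxxp://nova.ismak.icu/nova.sh",
]

def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], (dot)) so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(dot)", ".")

def split_hosts(urls):
    """Return (sorted unique IPs, sorted unique domains) taken from IOC URLs."""
    ips, domains = set(), set()
    for u in urls:
        host = urlsplit(refang(u)).hostname  # port is dropped, name lowercased
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return sorted(ips), sorted(domains)

def kql_dynamic(name, values):
    """Render a KQL 'let' list; values are quoted so they cannot alter the query."""
    body = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{body}]);"

def build_dns_hunt(urls):
    """Emit the DnsEvents hunt: domains matched on Name, IPs on IPAddresses."""
    ips, domains = split_hosts(urls)
    return "\n".join([
        kql_dynamic("malicious_ips", ips),
        kql_dynamic("malicious_domains", domains),
        "DnsEvents",
        "| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)",
        "| project TimeGenerated, Computer, Name, IPAddresses",
        "| order by TimeGenerated desc",
    ])
```

Pipe the output of `build_dns_hunt(IOC_ROWS)` into the Sentinel query editor; the offline domain is kept because historical resolutions are still worth finding.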
Scenario: A system administrator is manually testing a Mirai-based vulnerability scanner tool to validate its detection capabilities.
Filter/Exclusion: Exclude URLs that match known internal testing tools (e.g., mirai-vuln-scanner-internal or mirai-test-suite-*.com).
Scenario: A scheduled job runs a script to download and analyze Mirai-related payloads for research purposes.
Filter/Exclusion: Exclude URLs containing the keyword research or analysis in the domain or path (e.g., *.mirai-research.org).
Scenario: A security team uses a third-party tool like Cobalt Strike or Metasploit to simulate Mirai botnet behavior during a red team exercise.
Filter/Exclusion: Exclude URLs that match internal red team infrastructure (e.g., *.redteam-labs.local or *.pentest-internal.net).
Scenario: A backup job or log aggregation system uploads files to a cloud storage bucket (e.g., AWS S3) for long-term retention, and the URL matches a Mirai tag.
Filter/Exclusion: Exclude URLs that include the path /backup/ or /logs/ or match internal cloud storage domains (e.g., *.internal-backup.s3.amazonaws.com).
Scenario: A legitimate security tool like OSSEC or Snort is configured to send alerts to a centralized SIEM, and the alert URL is falsely tagged as Mirai.
Filter/Exclusion: Exclude URLs that match the internal SIEM alert endpoint (e.g., *.siem.alerts.local or *.security.alerts.corp) or contain the string alert-.