The detection identifies potential Mirai botnet command-and-control (C2) communication attempts through known malicious URLs, indicating possible compromise of endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate Mirai-related botnet activity before it leads to widespread network compromise.
IOC Summary
Threat: mirai
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.37.32.228:54522/i | online | malware_download | 2026-05-22 |
| hxxp://110.37.32.228:54522/bin.sh | online | malware_download | 2026-05-22 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
// The indicator on this page is a bare IP rather than a hostname, so the
// resolved addresses (IPAddresses) are matched as well as the queried Name
let malicious_domains = dynamic(["110.37.32.228"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: mirai
// The indicator is an IP, so DestinationIP is matched alongside the URL and hostname
let malicious_domains = dynamic(["110.37.32.228"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a Mirai-based vulnerability scanner tool to validate its detection capabilities.
  Filter/Exclusion: Exclude URLs that match the known test URLs used by the Mirai vulnerability scanner (e.g., http://test-mirai-url.com).
- Scenario: A scheduled job runs a network discovery tool like Nmap to map internal network devices, and one of the discovered devices matches a Mirai-related URL.
  Filter/Exclusion: Exclude URLs that originate from internal IP ranges or are associated with network discovery tools like Nmap.
- Scenario: A security analyst is using Wireshark to analyze network traffic and manually captures a Mirai-related URL as part of a legitimate security test.
  Filter/Exclusion: Exclude URLs that are part of a known security testing framework or lab environment (e.g., http://mirai-test.lab.example.com).
- Scenario: A system update or patching process includes a script that temporarily downloads a Mirai-related payload from a trusted internal repository for analysis.
  Filter/Exclusion: Exclude URLs that are associated with internal repositories or are part of a known patching or update process (e.g., http://internal-repo.example.com/mirai-analysis).
- Scenario: A DevOps team uses Ansible to automate configuration management and includes a URL that references a Mirai-related test asset in their playbooks.
  Filter/Exclusion: Exclude URLs that are part of Ansible playbooks or used for internal testing and are not intended for production environments.
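A combined hunt over both tables that applies the tuning from the scenarios above, added here as an example and not part of the original detection content. The indicator is the one from this page; the internal ranges and the allowlisted lab/repository hosts are constructed placeholders to replace with your own values.

```kql
// Added example: one hunt over DnsEvents and CommonSecurityLog with exclusions applied
let malicious_hosts = dynamic(["110.37.32.228"]);                 // indicator from this page
// Constructed placeholders for tuning; replace with your own allowlists
let internal_ranges = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]);
let allowlisted_hosts = dynamic(["mirai-test.lab.example.com", "internal-repo.example.com"]);
let dns_hits =
    DnsEvents
    | where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
    | where not(Name has_any (allowlisted_hosts))                 // lab / test hosts
    | project TimeGenerated, Source = "DnsEvents", Host = Computer, ClientIP,
              Indicator = Name, Action = "";
let proxy_hits =
    CommonSecurityLog
    | where RequestURL has_any (malicious_hosts)
        or DestinationHostName has_any (malicious_hosts)
        or DestinationIP has_any (malicious_hosts)
    | where not(DestinationHostName has_any (allowlisted_hosts))  // lab / internal repos
    // drop hits whose destination is an internal address (discovery / patching scenarios);
    // coalesce keeps rows where DestinationIP is empty or not a parseable IPv4
    | where coalesce(not(ipv4_is_in_any_range(DestinationIP, internal_ranges)), true)
    | project TimeGenerated, Source = "CommonSecurityLog", Host = Computer, ClientIP = SourceIP,
              Indicator = RequestURL, Action = DeviceAction;
union dns_hits, proxy_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Sources = make_set(Source) by Host, ClientIP, Indicator
| order by LastSeen desc
```

Rows that appear in both sources for the same host are the strongest signal of an endpoint that resolved the C2 address and then fetched a payload from it.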