The detection identifies potential Mirai botnet distribution through malicious URLs associated with exploit kits or phishing payloads, which could lead to compromised IoT devices and DDoS attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai infections before they contribute to large-scale botnet activity.
IOC Summary
Threat: mirai
Total URLs: 3
Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.166.209.182:54628/bin.sh | online | malware_download | 2026-05-29 |
| hxxp://140.237.6.202:41787/bin.sh | online | malware_download | 2026-05-29 |
| hxxp://138.204.196.136:49968/bin.sh | online | malware_download | 2026-05-29 |
```kql
// Hunt for DNS resolution of URLhaus malicious indicators
// Threat: mirai
// Note: the listed IOCs are IP literals, not domain names. A client fetching
// http://<ip>:<port>/bin.sh issues no DNS query for the IP, so matching only
// on the query name (Name) would never fire; also match resolved addresses.
let malicious_ips = dynamic(["110.166.209.182", "138.204.196.136", "140.237.6.202"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious indicators
// Threat: mirai
// RequestURL covers proxy logs; DestinationHostName/DestinationIP cover
// firewall logs where no URL is recorded.
let malicious_ips = dynamic(["110.166.209.182", "138.204.196.136", "140.237.6.202"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
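The queries above hard-code the indicator list and treat IP literals as if they were domain names. The following Python script is an added example (not part of the original detection content) that parses URLhaus-style defanged URLs, separates IP-literal hosts from DNS-name hosts, and generates KQL that matches each indicator on the column where it can actually appear. The `trusted_suffixes` parameter is a hypothetical allow-list of domain suffixes used to build an exclusion clause of the kind the false-positive scenarios below call for; the sample indicators are the three from the IOC table, plus one constructed domain-based entry used only in testing.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the three URLhaus entries from the IOC table above,
# in the defanged form URLhaus publishes them (hxxp://).
SAMPLE_IOCS = [
    "hxxp://110.166.209.182:54628/bin.sh",
    "hxxp://140.237.6.202:41787/bin.sh",
    "hxxp://138.204.196.136:49968/bin.sh",
]


def refang(url):
    """Turn a defanged URL (hxxp://, hxxps://, [.], [:]) back into a parseable one."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def classify_iocs(urls):
    """Split IOC URLs into sorted lists of IP-literal hosts and DNS-name hosts.

    IP hosts never appear as DNS query names, so they must be matched on
    IP columns (DnsEvents.IPAddresses, CommonSecurityLog.DestinationIP),
    while host names are matched on Name / DestinationHostName.
    """
    ips, domains = set(), set()
    for raw in urls:
        host = urlsplit(refang(raw)).hostname
        if host is None:
            continue  # unparseable entry; skip rather than emit a bad clause
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host.lower())
    return sorted(ips), sorted(domains)


def kql_list(values):
    """Render a Python list as a KQL dynamic array literal."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"


def build_queries(urls, trusted_suffixes=()):
    """Return (dns_query, web_query) KQL strings for the given IOC URLs.

    trusted_suffixes (hypothetical allow-list, e.g. "knowbe4.com") are
    excluded from the web-traffic query via DestinationHostName endswith.
    """
    ips, domains = classify_iocs(urls)
    if not ips and not domains:
        raise ValueError("no parseable indicators")

    dns_clauses = []
    if domains:
        dns_clauses.append(f"Name has_any ({kql_list(domains)})")
    if ips:
        dns_clauses.append(f"IPAddresses has_any ({kql_list(ips)})")
    dns_query = "\n".join([
        "DnsEvents",
        "| where " + " or ".join(dns_clauses),
        "| project TimeGenerated, Computer, Name, IPAddresses",
        "| order by TimeGenerated desc",
    ])

    # RequestURL is term-indexed, so the host (IP or name) is the usable term.
    web_clauses = [f"RequestURL has_any ({kql_list(ips + domains)})"]
    if domains:
        web_clauses.append(f"DestinationHostName has_any ({kql_list(domains)})")
    if ips:
        web_clauses.append("DestinationIP in (" + ", ".join(f'"{ip}"' for ip in ips) + ")")
    web_lines = ["CommonSecurityLog", "| where " + " or ".join(web_clauses)]
    if trusted_suffixes:
        excl = " or ".join(f'DestinationHostName endswith "{s}"' for s in trusted_suffixes)
        web_lines.append(f"| where not({excl})")
    web_lines += [
        "| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction",
        "| order by TimeGenerated desc",
    ]
    return dns_query, "\n".join(web_lines)


if __name__ == "__main__":
    dns_q, web_q = build_queries(SAMPLE_IOCS, trusted_suffixes=["knowbe4.com"])
    print(dns_q, "\n", web_q, sep="")
```

Running the script prints both queries ready to paste into Sentinel; for the IOC table above, the DNS query contains no `Name has_any` clause at all, because every indicator is an IP literal, which is exactly the case the hand-written query missed.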
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update via URLhaus-listed domain
Description: A system administrator is performing a scheduled update using a domain listed in URLhaus, which is actually a trusted update server.
Filter/Exclusion: Exclude URLs that match known enterprise update servers (e.g., *.updates.microsoft.com, *.download.windows10.com) or use a custom list of trusted domains.
Scenario: Admin accessing a phishing URL for security awareness training
Description: A security administrator is clicking on a URL from a phishing simulation tool (e.g., KnowBe4) that is flagged as Mirai-related by the detection rule.
Filter/Exclusion: Exclude URLs containing specific training domains (e.g., *.knowbe4.com, *.phishsim.com) or use a custom list of allowed training URLs.
Scenario: Scheduled job downloading a security tool from a legitimate source
Description: A scheduled job (e.g., using crontab or Task Scheduler) is downloading a security tool (e.g., Malwarebytes, Bitdefender) from a domain that is mistakenly flagged as Mirai-related.
Filter/Exclusion: Exclude URLs that match known security tool download domains (e.g., *.malwarebytes.com, *.bitdefender.com) or use a custom list of allowed download sources.
Scenario: Internal tool using a Mirai-related domain for internal testing
Description: A development team is using a domain from URLhaus for internal testing of a security tool, which is mistakenly flagged by the detection rule.
Filter/Exclusion: Exclude internal domains (e.g., *.internal.test, *.dev.local) or use a custom list of internal testing domains.
Scenario: False positive from a legitimate threat intelligence feed
Description: A threat intelligence feed