The detection identifies potential Mirai botnet command-and-control (C2) communication through URLs listed in URLhaus, which could indicate ongoing DDoS attack coordination. SOC teams should proactively hunt for this behavior to identify and mitigate compromised IoT devices before they are used in large-scale attacks.
IOC Summary

Threat: mirai
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.37.32.20:32966/i | online | malware_download | 2026-06-26 |
| hxxp://110.37.32.20:32966/bin.sh | online | malware_download | 2026-06-26 |
```kusto
// Hunt for DNS resolution involving URLhaus indicators
// Threat: mirai
// The URLhaus entries point at a bare IP, so a name-only match would never fire;
// check the resolved addresses as well as the queried name.
let malicious_domains = dynamic(["110.37.32.20"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus indicators
// Threat: mirai
// Match the URL, the destination host name, and the destination IP, since proxies and
// firewalls do not always populate all three fields.
let malicious_domains = dynamic(["110.37.32.20"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
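The same hunt logic run offline over constructed sample rows, as an added example that is not part of the original page. It refangs the two URLhaus entries from the IOC table, extracts the host and host:port indicators, and mirrors the intent of the two Sentinel queries above; the DnsEvents and CommonSecurityLog records are constructed to match those tables' column names.

```python
from urllib.parse import urlparse

# The two URLhaus entries from the IOC table above, in their defanged form.
IOCS = ["hxxp://110.37.32.20:32966/i", "hxxp://110.37.32.20:32966/bin.sh"]

def refang(url):
    """Undo the usual URLhaus defanging (hxxp://, [.]) so urlparse can read the entry."""
    return (url.replace("hxxp://", "http://").replace("hxxps://", "https://")
               .replace("[.]", ".").replace("[:]", ":"))

def extract_indicators(iocs):
    """Return (hosts, endpoints): hosts is a set of names/IPs, endpoints a set of (host, port)."""
    hosts, endpoints = set(), set()
    for ioc in iocs:
        p = urlparse(refang(ioc))
        hosts.add(p.hostname)
        endpoints.add((p.hostname, p.port or 80))
    return hosts, endpoints

# Constructed sample records shaped like Sentinel DnsEvents and CommonSecurityLog rows.
DNS_EVENTS = [
    {"TimeGenerated": "2026-06-26T09:58:01Z", "Computer": "cam-01", "Name": "time.example.net", "IPAddresses": "93.184.216.34"},
    {"TimeGenerated": "2026-06-26T10:02:44Z", "Computer": "cam-02", "Name": "cdn.example.org", "IPAddresses": "198.51.100.7,110.37.32.20"},
]
WEB_EVENTS = [
    {"TimeGenerated": "2026-06-26T10:02:45Z", "SourceIP": "10.0.5.12", "RequestURL": "http://110.37.32.20:32966/bin.sh",
     "DestinationHostName": "", "DestinationIP": "110.37.32.20", "DestinationPort": 32966, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-26T10:03:10Z", "SourceIP": "10.0.5.13", "RequestURL": "http://updates.example.com/fw.bin",
     "DestinationHostName": "updates.example.com", "DestinationIP": "203.0.113.9", "DestinationPort": 80, "DeviceAction": "allow"},
]

def hunt_dns(events, hosts):
    """DnsEvents hunt: match the queried name or any resolved address. The resolved-address
    check matters here because the indicator is a bare IP that never appears in Name."""
    return [e for e in events
            if e["Name"] in hosts or {ip.strip() for ip in e["IPAddresses"].split(",")} & hosts]

def hunt_web(events, hosts, endpoints):
    """CommonSecurityLog hunt: match the URL host, the destination host name, or the IP:port pair."""
    hits = []
    for e in events:
        url_host = urlparse(e["RequestURL"]).hostname if e["RequestURL"] else None
        if (url_host in hosts or e["DestinationHostName"] in hosts
                or (e["DestinationIP"], e["DestinationPort"]) in endpoints):
            hits.append(e)
    return hits

if __name__ == "__main__":
    hosts, endpoints = extract_indicators(IOCS)
    for hit in hunt_dns(DNS_EVENTS, hosts) + hunt_web(WEB_EVENTS, hosts, endpoints):
        print(hit["TimeGenerated"], hit.get("Computer") or hit.get("SourceIP"))
```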
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled system update via Windows Update | A legitimate Windows Update process may download and execute a file that matches the Mirai signature due to similar file names or hashes. | `process.name != "wusa.exe" or process.parent.name != "svchost.exe"` |
| Admin performing a manual firmware update on IoT devices | An administrator may be manually updating firmware on IoT devices using tools like TFTP or SCP, which could trigger the rule if the update file is flagged. | `process.name != "tftpd.exe" and process.name != "scp.exe"` (the two inequalities must be combined with `and`; joined with `or` the condition is always true and excludes nothing) |
| Phishing email with legitimate-looking attachment | An employee may receive a phishing email containing a legitimate-looking attachment (e.g., config_backup.tar.gz) that is mistakenly flagged as Mirai-related. | `email.subject contains "config backup" or email.sender in allowed_domains` |
| Malicious URL hosted on a legitimate enterprise portal | A compromised internal portal (e.g., internal-portal.example.com) may host a malicious URL that is flagged by the rule. | `url.domain != "internal-portal.example.com" or url.host in trusted_domains` |
| Legitimate network scanning tool used for security audits | A tool like Nmap or Masscan may be used for network discovery and could trigger the rule if it scans for vulnerable IoT devices. | `process.name != "nmap.exe" and process.name != "masscan.exe"` (same `and` correction as above) |