The hypothesis is that the detected URLs belong to Mirai botnet payload-staging infrastructure: the listed paths (re.sh, wget.sh, curl.sh, arm5/arm6/m68k binaries, Mozi.m from the Mirai-derived Mozi family) are the downloader scripts and architecture-specific binaries that a compromised IoT device fetches immediately after exploitation, before joining the botnet and taking part in DDoS attacks. SOC teams should proactively hunt for these URLs in Microsoft Sentinel (formerly Azure Sentinel) to identify infected or targeted devices at the download stage, before the device is enrolled and used for large-scale attacks. Note that URLhaus lists all eight URLs as malware_download, not as command-and-control endpoints, so a hit indicates a payload fetch, not C2 traffic.
IOC Summary
Threat: mirai
Total URLs: 8
Active URLs: 5
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://83.168.110.191/re.sh | online | malware_download | 2026-06-03 |
| hxxp://45.202.249.34/dck | online | malware_download | 2026-06-03 |
| hxxp://159.223.171.245/jklm68k | online | malware_download | 2026-06-03 |
| hxxp://159.223.171.245/wget.sh | online | malware_download | 2026-06-03 |
| hxxp://159.223.171.245/curl.sh | offline | malware_download | 2026-06-03 |
| hxxp://58.65.216.9:58090/Mozi.m | offline | malware_download | 2026-06-03 |
| hxxp://159.223.171.245/jklarm5 | offline | malware_download | 2026-06-03 |
| hxxp://159.223.171.245/jklarm6 | online | malware_download | 2026-06-03 |
URLs are defanged (hxxp) as published by URLhaus; in log data the scheme will be http. The four distinct hosts are 83.168.110.191, 45.202.249.34, 159.223.171.245 and 58.65.216.9 (the last on non-standard port 58090).
// Hunt for DNS answers that resolve to the URLhaus-listed Mirai hosts
// Threat: mirai
// The IOCs are bare IPv4 addresses, so an infected device fetches the payload without
// any DNS lookup. This query only catches a domain that resolves to one of these hosts,
// so match on the resolved IPAddresses field rather than on the queried Name.
let mirai_ips = dynamic(["159.223.171.245", "45.202.249.34", "83.168.110.191", "58.65.216.9"]);
DnsEvents
| where isnotempty(IPAddresses) and IPAddresses has_any (mirai_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
// Hunt for web or firewall traffic to the URLhaus-listed Mirai hosts
// Threat: mirai
// Firewall CEF events often carry no RequestURL, so match on DestinationIP as well.
// All four hosts from the IOC table are included (the original list omitted 58.65.216.9).
let mirai_ips = dynamic(["159.223.171.245", "45.202.249.34", "83.168.110.191", "58.65.216.9"]);
CommonSecurityLog
| where DestinationIP in (mirai_ips)
    or DestinationHostName in (mirai_ips)
    or RequestURL has_any (mirai_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connectors (firewalls, proxies). Ensure this data connector is enabled and that RequestURL and DestinationIP are mapped by the device. |
| DnsEvents | Populated by the Windows DNS Servers data connector. Ensure this data connector is enabled; it will not see payload fetches that use a bare IP. |
Scenario: A system administrator manually tests a Mirai-based exploit-detection tool by submitting a known-benign payload for analysis.
Filter/Exclusion: Exclude URLs containing the string test_payload or sandbox-analysis.
Scenario: A scheduled job runs a network scan using Nmap with a custom script that includes a Mirai-related payload for vulnerability assessment.
Filter/Exclusion: Exclude URLs that match the pattern nmap-scan- or contain the substring vuln-assessment.
Scenario: A security team performing a red team exercise uses a Mirai-related URL as part of a simulated attack to test incident response procedures.
Filter/Exclusion: Exclude URLs that include the term red-team or that originate from a specific IP range used for internal testing.
Scenario: A CI/CD pipeline includes a step that downloads a Mirai-related exploit library for static analysis, for example during a dependency check with Dependabot.
Filter/Exclusion: Exclude URLs that contain dependabot or that are sourced from a known internal artifact repository.
Scenario: An enterprise uses a third-party security tool such as CrowdStrike Falcon to submit a Mirai-related URL for threat intelligence enrichment.
Filter/Exclusion: Exclude URLs that are flagged as threat_intel or that originate from a specific internal security tool integration.
Caveat: the attacker controls the URL string, so a marker such as red-team or test_payload in the request is not on its own evidence of benign activity. Each exclusion above should be scoped to the source that legitimately produces it (the sandbox host, the scanner, the red-team IP range, the artifact repository or the TI integration), and a direct fetch of one of the listed payload paths from a production device should never be suppressed.
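The web-traffic hunt combined with the five exclusions above, as an added example that is not part of the original page or of any Sentinel content pack. The internal ranges, host names and repository name are hypothetical placeholders; replace them with your own. The query suppresses a hit only when an exclusion marker is backed by a trusted source or destination, and it flags fetches of the exact payload paths from the IOC table separately so they surface even when a marker is present.

```kusto
// Added example: tuned Mirai payload-download hunt with source-scoped exclusions.
// Assumed environment values (hypothetical, adjust before use):
//   test_ranges     - IP ranges used by red-team and internal vulnerability scanning
//   analysis_hosts  - sandbox / detection-tool hosts that submit samples
//   internal_repos  - artifact repository that CI/CD pulls analysis samples from
let mirai_ips = dynamic(["159.223.171.245", "45.202.249.34", "83.168.110.191", "58.65.216.9"]);
let mirai_paths = dynamic(["/re.sh", "/dck", "/jklm68k", "/wget.sh", "/curl.sh", "/Mozi.m", "/jklarm5", "/jklarm6"]);
let test_ranges = dynamic(["10.50.0.0/16", "192.168.200.0/24"]);        // assumption
let analysis_hosts = dynamic(["sbx-01", "vulnscan-01", "falcon-ti-01"]); // assumption
let internal_repos = dynamic(["artifacts.corp.example"]);               // assumption
// Marker strings named in the false-positive scenarios on this page.
let exclusion_markers = dynamic(["test_payload", "sandbox-analysis", "nmap-scan-",
                                 "vuln-assessment", "red-team", "dependabot", "threat_intel"]);
CommonSecurityLog
| where DestinationIP in (mirai_ips)
    or DestinationHostName in (mirai_ips)
    or RequestURL has_any (mirai_ips)
// Break the URL apart so the port (58090 for the Mozi sample) and path can be compared exactly.
| extend Url = parse_url(RequestURL)
| extend UrlHost = tostring(Url.Host), UrlPort = toint(Url.Port), UrlPath = tostring(Url.Path)
// Evidence that the request came from somewhere that legitimately touches these IOCs.
| extend FromTestRange = ipv4_is_in_any_range(SourceIP, test_ranges)
| extend FromAnalysisHost = DeviceName in (analysis_hosts) or SourceHostName in (analysis_hosts)
| extend FromInternalRepo = DestinationHostName in (internal_repos)
| extend HasMarker = RequestURL has_any (exclusion_markers)
| extend KnownPayloadPath = UrlPath in (mirai_paths)
// A marker alone never suppresses a hit (the attacker chooses the URL), and a fetch of a
// known payload path is never suppressed: suppression needs marker plus trusted origin.
| extend Excluded = HasMarker and not(KnownPayloadPath)
                    and (FromTestRange or FromAnalysisHost or FromInternalRepo)
| where not(Excluded)
// Rank: allowed fetch of a real payload path first, blocked fetch next, bare host contact last.
| extend Severity = case(
    KnownPayloadPath and DeviceAction !in ("Deny", "Drop", "Block", "Reject"), "High",
    KnownPayloadPath, "Medium",
    "Low")
| project TimeGenerated, Severity, SourceIP, SourceHostName, DestinationIP, DestinationPort,
          UrlHost, UrlPort, UrlPath, DeviceAction, HasMarker, FromTestRange, FromAnalysisHost
| order by Severity asc, TimeGenerated desc
```

Run this as a scheduled hunting query over the same CommonSecurityLog retention window as the simple hunt above; the High rows are the ones to triage first, since they show a device that was allowed to pull a Mirai stager or binary and is likely already compromised. The DeviceAction values vary by vendor, so extend the `!in` list to match what your firewall or proxy actually emits.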