The hypothesis is that the detected URLs are associated with Mirai malware, which could be used to compromise IoT devices and launch DDoS attacks. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential botnet activity before it leads to large-scale network disruptions.
IOC Summary
Threat: mirai
Total URLs: 4
Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://219.156.63.119:35279/bin.sh | online | malware_download | 2026-05-05 |
| hxxp://45.234.9.227:43436/i | online | malware_download | 2026-05-05 |
| hxxp://45.234.9.227:43436/bin.sh | online | malware_download | 2026-05-05 |
| hxxp://59.42.88.46:56735/i | online | malware_download | 2026-05-05 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: mirai
// The IOCs are IP literals, so a query name will rarely contain them;
// also match the resolved addresses in IPAddresses.
let malicious_domains = dynamic(["219.156.63.119", "45.234.9.227", "59.42.88.46"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: mirai
// Match the destination IP as well as the URL and hostname fields.
let malicious_domains = dynamic(["219.156.63.119", "45.234.9.227", "59.42.88.46"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
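The queries above hard-code the IOC hosts by hand. The following added example (not part of the original page or of URLhaus tooling) parses the defanged rows from the IOC table, refangs them, and renders a CommonSecurityLog hunt that also drops the allowlisted update servers named in the false-positive scenarios below; the allowlist hosts are the page's example.com placeholders, and `loader_hit` flags requests for the `/bin.sh` and `/i` paths the table lists.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the IOC table on this page (defanged hxxp:// scheme).
IOC_ROWS = """
hxxp://219.156.63.119:35279/bin.sh | online | malware_download | 2026-05-05
hxxp://45.234.9.227:43436/i | online | malware_download | 2026-05-05
hxxp://45.234.9.227:43436/bin.sh | online | malware_download | 2026-05-05
hxxp://59.42.88.46:56735/i | online | malware_download | 2026-05-05
"""

def refang(url: str) -> str:
    """Restore a defanged URL: hxxp/hxxps -> http/https and [.] -> ."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")

def parse_iocs(rows: str) -> list[dict]:
    """Split 'url | status | threat | date' rows into host/port/path records."""
    iocs = []
    for line in rows.strip().splitlines():
        url, status, threat, added = [c.strip() for c in line.split("|")]
        parts = urlsplit(refang(url))
        iocs.append({"host": parts.hostname, "port": parts.port, "path": parts.path,
                     "status": status, "threat": threat, "added": added})
    return iocs

def kql_list(values) -> str:
    """Render a sorted, de-duplicated KQL dynamic([...]) literal."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(set(values))) + "])"

def build_kql(iocs: list[dict], allowlist: list[str]) -> str:
    """Proxy/firewall hunt over CommonSecurityLog: match the IOC hosts (IP
    literals, so check DestinationIP too), drop allowlisted update servers from
    the false-positive scenarios, and flag requests for the loader paths."""
    return "\n".join([
        f"let malicious_hosts = {kql_list(i['host'] for i in iocs)};",
        f"let loader_paths = {kql_list(i['path'] for i in iocs)};",
        f"let allowlisted_hosts = {kql_list(allowlist)};",
        "CommonSecurityLog",
        "| where DestinationIP has_any (malicious_hosts)",
        "    or DestinationHostName has_any (malicious_hosts)",
        "    or RequestURL has_any (malicious_hosts)",
        "| where not(DestinationHostName has_any (allowlisted_hosts))",
        "| extend loader_hit = tostring(parse_url(RequestURL).Path) in (loader_paths)",
        "| project TimeGenerated, SourceIP, DestinationIP, RequestURL, loader_hit, DeviceAction",
        "| order by TimeGenerated desc",
    ])

if __name__ == "__main__":
    print(build_kql(parse_iocs(IOC_ROWS), ["updates.example.com", "security.example.org"]))
```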
Scenario: Scheduled System Update Job
Description: A legitimate scheduled job runs a system update that includes downloading a Mirai-related URL as part of a security patch or firmware update.
Filter/Exclusion: Exclude URLs associated with known security patch repositories (e.g., https://updates.example.com, https://security.example.org) or use a filter based on the http.host field to exclude internal update servers.
Scenario: Admin Access via Remote Management Tool
Description: An administrator uses a remote management tool (e.g., PsExec or WinRM) to access a server and inadvertently navigates to a Mirai-related URL during a diagnostic check.
Filter/Exclusion: Exclude traffic originating from known admin IPs or use a filter on the src_ip field to block internal admin workstations.
Scenario: Log Collection and Analysis Tool
Description: A log collection tool (e.g., Splunk, ELK Stack, or Graylog) is configured to fetch logs from a remote server, and the URL used for log retrieval is mistakenly tagged as Mirai.
Filter/Exclusion: Exclude URLs that match known log collection endpoints (e.g., https://logserver.example.com/api/logs) or use a filter based on the http.method field to exclude GET requests to log endpoints.
Scenario: Internal Threat Hunting Activity
Description: A SOC analyst or red team member is performing threat hunting and uses a tool like Mandiant or CrowdStrike Falcon to access a Mirai-related URL as part of a simulated attack.
Filter/Exclusion: Exclude traffic from internal threat hunting IPs or use a filter based on the user_agent field to identify and exclude known threat hunting tools.
Scenario: Cloud Configuration Management Tool