The detection identifies potential Mirai botnet command-and-control (C2) communication attempts through known malicious URLs, indicating possible compromise of endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Mirai botnet infections before they spread within the network.
IOC Summary
Threat: mirai Total URLs: 2 Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://125.24.84.178:60210/i | online | malware_download | 2026-06-09 |
hxxp://183.158.170.177:46989/i | online | malware_download | 2026-06-09 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
let malicious_domains = dynamic(["183.158.170.177", "125.24.84.178"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["183.158.170.177", "125.24.84.178"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a Mirai-based vulnerability scanner tool to validate its effectiveness.
Filter/Exclusion: Exclude URLs associated with known vulnerability scanning tools (e.g., nmap, nuclei, kali-linux tools) or filter by process name like nmap.exe or nuclei.
Scenario: A scheduled job runs a script to fetch and analyze Mirai-related threat intelligence from a trusted source like URLhaus.
Filter/Exclusion: Exclude URLs that match the URLhaus domain or any known threat intelligence feeds (e.g., urlhaus.org, malwarecookie.com).
Scenario: A DevOps team is deploying a containerized application that includes a legitimate Mirai-related dependency for network testing.
Filter/Exclusion: Exclude URLs that match container registry domains (e.g., docker.io, registry.hub.docker.com) or filter by process names like dockerd, crictl.
Scenario: A security analyst is using a sandbox environment to simulate Mirai botnet behavior for incident response training.
Filter/Exclusion: Exclude URLs that match sandboxing platforms (e.g., sandboxed.io, virusTotal.com) or filter by process names like sandboxed, qemu, or vmrun.
Scenario: A network monitoring tool periodically checks for known malicious URLs and logs them for analysis, including those tagged as Mirai.
Filter/Exclusion: Exclude URLs that match internal monitoring tools (e.g., splunk, elasticsearch, logstash) or filter by source IP ranges used by internal monitoring systems.