The hypothesis is that the detected URLs are associated with Mirai botnet infrastructure, potentially used to compromise IoT devices and establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage Mirai-related attacks before they lead to large-scale botnet activity.
IOC Summary

| Threat | Total URLs | Active URLs |
|---|---|---|
| mirai | 3 | 3 |
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://119.99.254.106:55675/i | online | malware_download | 2026-05-23 |
| hxxp://119.99.254.106:55675/bin.sh | online | malware_download | 2026-05-23 |
| hxxp://110.37.89.129:35829/i | online | malware_download | 2026-05-23 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
// Note: the URLhaus indicators for this hunt are raw IP addresses, so the
// list below holds IPs rather than hostnames.
let malicious_domains = dynamic(["119.99.254.106", "110.37.89.129"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: mirai
// Matches either the requested URL or the destination host against the IP list.
let malicious_domains = dynamic(["119.99.254.106", "110.37.89.129"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is manually testing a Mirai-based exploit detection tool by uploading a known malicious URL for analysis. | Exclude URLs that match the internal testing environment or are tagged with test or sandbox. |
| A scheduled job runs a vulnerability scan using a tool like Nessus or OpenVAS, which includes a Mirai-related exploit URL as part of its test payload. | Exclude URLs that originate from internal scanning tools or are flagged with scan or test in the URL metadata. |
| A DevOps team is deploying a CI/CD pipeline using Jenkins or GitLab CI, and a build script includes a URL to a Mirai-related exploit for testing purposes. | Exclude URLs that are part of CI/CD pipelines and are tagged with ci, cd, or pipeline. |
| An internal security team is using Splunk or ELK Stack to simulate Mirai-related traffic for incident response training. | Exclude URLs that are part of training environments and are tagged with training, simulated, or lab. |
| A system is running a PowerShell script or Python script that includes a Mirai-related URL for automated threat intelligence lookup. | Exclude URLs that are associated with internal scripts or tools and are tagged with script, automation, or tooling. |
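The two hunt queries above match only on the IP portion of the indicators and apply none of the exclusions from the false-positive table. The query below is an added example, not part of the original hunt page: it unions the DNS and proxy hits, flags rows whose RequestURL equals one of the full IOC URLs (refanged from hxxp to http), and drops hosts that appear in a hypothetical Sentinel watchlist named HuntExclusions with the tags listed in the false-positive table. The watchlist name and its Host/Tag columns are assumptions; they must exist in the workspace for the query to run.

```kql
// Added example: combined Mirai IOC hunt with false-positive exclusions applied.
// Indicator values come from the IOC table above; hxxp has been refanged to http.
let ioc_ips = dynamic(["119.99.254.106", "110.37.89.129"]);
let ioc_urls = dynamic([
    "http://119.99.254.106:55675/i",
    "http://119.99.254.106:55675/bin.sh",
    "http://110.37.89.129:35829/i"]);
// Assumption: a watchlist "HuntExclusions" with columns Host and Tag records
// test, scanner, CI/CD, lab and automation hosts (hypothetical watchlist).
let excluded_hosts = _GetWatchlist("HuntExclusions")
    | where Tag in~ ("test", "sandbox", "scan", "ci", "cd", "pipeline",
                     "training", "simulated", "lab", "script", "automation", "tooling")
    | project Host = tolower(Host);
// DNS lookups that reference an IOC IP.
let dns_hits = DnsEvents
    | where Name has_any (ioc_ips)
    | project TimeGenerated,
              Host = tolower(Computer),
              Indicator = Name,
              Source = "DnsEvents",
              Detail = tostring(IPAddresses);
// Proxy/firewall events that reference an IOC IP, with exact-URL matches marked.
let proxy_hits = CommonSecurityLog
    | where RequestURL has_any (ioc_ips) or DestinationHostName has_any (ioc_ips)
    | extend ExactUrlMatch = RequestURL in (ioc_urls)
    | project TimeGenerated,
              Host = tolower(SourceIP),
              Indicator = coalesce(RequestURL, DestinationHostName),
              Source = "CommonSecurityLog",
              Detail = strcat(DeviceAction, iff(ExactUrlMatch, " (exact IOC URL)", ""));
union dns_hits, proxy_hits
// Drop hosts that the watchlist marks as test, scanner, CI/CD, lab or tooling.
| where Host !in (excluded_hosts)
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hits = count(),
            Sources = make_set(Source),
            Details = make_set(Detail)
         by Host, Indicator
| order by LastSeen desc
```

Rows tagged "(exact IOC URL)" in Details are the highest-confidence hits, since a request for /i or /bin.sh on the listed IP:port pairs matches the URLhaus entry exactly rather than only the IP. The Host column holds a computer name for DNS rows and a source IP for proxy rows, so the watchlist should list whichever form the connectors emit for each excluded system.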