The hypothesis is that the detected URLs are associated with Mirai botnet infrastructure, potentially used to compromise IoT devices and establish command-and-control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage Mirai botnet activity before it leads to widespread network compromise.
IOC Summary
Threat: mirai | Total URLs: 3 | Active URLs: 3

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://110.37.13.96:44874/i | online | malware_download | 2026-05-12 |
| hxxp://110.37.18.108:48474/i | online | malware_download | 2026-05-12 |
| hxxp://110.37.18.108:48474/bin.sh | online | malware_download | 2026-05-12 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
// Note: the URLhaus entries above are bare IP literals, so they will rarely
// appear as a queried Name; also match on the resolved IPAddresses column.
let malicious_domains = dynamic(["110.37.18.108", "110.37.13.96"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: mirai
let malicious_domains = dynamic(["110.37.18.108", "110.37.13.96"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a Mirai-based vulnerability scanner tool (e.g., mirai-scan) and generates temporary URLs for internal testing.
  Filter/Exclusion: Exclude URLs originating from known internal testing tools or IP ranges used by the security team.
- Scenario: A scheduled job runs a network discovery tool like nmap with the --script option to scan for open ports, which may include URLs used for service discovery.
  Filter/Exclusion: Exclude URLs that match known network discovery scripts or are generated by tools like nmap or masscan.
- Scenario: A DevOps pipeline uses a CI/CD tool like Jenkins or GitLab CI to deploy code, and during deployment a temporary URL is used for artifact download or configuration.
  Filter/Exclusion: Exclude URLs that match known CI/CD tool domains or are part of internal artifact repositories.
- Scenario: A security analyst is performing a red team exercise using a tool like Metasploit or Empire, which may generate URLs for command and control (C2) testing.
  Filter/Exclusion: Exclude URLs associated with known red team tools or that match internal test environments.
- Scenario: A system is running a legitimate endpoint detection and response (EDR) tool like CrowdStrike Falcon or Microsoft Defender, which may generate URLs for telemetry or threat intelligence lookup.
  Filter/Exclusion: Exclude URLs that match known EDR tool domains or are part of internal threat intelligence feeds.
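The same hunt and exclusion logic outside Sentinel, as an added example that is not part of the original hunt page: it refangs the three URLhaus entries from the table above, matches constructed key=value proxy/firewall log lines against them at host level and exact host:port/path level, and drops hits whose source falls in an assumed security-team testing range (10.99.0.0/24, a constructed allowlist).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The three IOC URLs from the summary table, still defanged (hxxp://).
IOC_URLS = [
    "hxxp://110.37.13.96:44874/i",
    "hxxp://110.37.18.108:48474/i",
    "hxxp://110.37.18.108:48474/bin.sh",
]
# Assumed allowlist for the security team's internal test range (constructed).
TEST_RANGES = [ipaddress.ip_network("10.99.0.0/24")]

def refang(url):
    """Reverse common defanging (hxxp -> http, [.] -> .) so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)

def ioc_index(urls):
    """Map host -> set of (port, path) from the feed for exact and host-level matching."""
    idx = {}
    for u in urls:
        p = urlsplit(refang(u))
        idx.setdefault(p.hostname, set()).add((p.port, p.path))
    return idx

FIELD = re.compile(r"(\w+)=(\S+)")

def classify(line, idx):
    """Return 'exact', 'host' or None for one key=value log line; allowlisted src is skipped."""
    f = dict(FIELD.findall(line))
    src = f.get("src")
    if src and any(ipaddress.ip_address(src) in net for net in TEST_RANGES):
        return None
    host, port, path = f.get("dst"), None, None
    if f.get("url"):
        p = urlsplit(f["url"])
        host, port, path = p.hostname, p.port, p.path
    if host not in idx:
        return None
    return "exact" if (port, path) in idx[host] else "host"

# Constructed sample log lines (not from the page); the last one is from the test range.
SAMPLE_LOGS = [
    "2026-05-12T10:01:02Z src=10.0.0.5 url=http://110.37.18.108:48474/bin.sh action=allow",
    "2026-05-12T10:01:05Z src=10.0.0.7 url=http://example.com/index.html action=allow",
    "2026-05-12T10:02:11Z src=10.0.0.9 dst=110.37.13.96 dport=443 action=deny",
    "2026-05-12T10:03:40Z src=10.99.0.4 url=http://110.37.13.96:44874/i action=allow",
]

def hunt(lines, urls=IOC_URLS):
    """Return (line, match_level) for every non-excluded line that touches an IOC host."""
    idx = ioc_index(urls)
    return [(ln, lvl) for ln in lines for lvl in [classify(ln, idx)] if lvl]
```

A `host` match on a different port (the dport=443 line) is still worth triage, since the feed only lists the ports seen at collection time.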