This detection identifies potential Mirai botnet command-and-control (C2) communication by matching DNS and web telemetry against URLs listed in URLhaus for this threat; a hit suggests that a compromised IoT device on the network is being used for DDoS attacks. SOC teams should hunt for this behavior proactively so that infected devices are identified and contained before the botnet activity leads to large-scale network disruption.
IOC Summary

Threat: mirai | Total URLs: 2 | Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://180.180.232.136:43886/bin.sh | online | malware_download | 2026-05-19 |
| hxxp://92.42.100.131/tplink.sh | online | malware_download | 2026-05-19 |
```kusto
// Hunt for DNS activity involving the URLhaus IOC addresses
// Threat: mirai
// The URLhaus entries are bare IP addresses, so a match on the queried Name
// is unlikely; checking IPAddresses also catches any domain that resolves
// to one of the listed addresses.
let malicious_ips = dynamic(["180.180.232.136", "92.42.100.131"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to the URLhaus IOC addresses
// Threat: mirai
// Runs as a separate query; DestinationIP is included because proxy/firewall
// records for a direct-to-IP download may carry no hostname at all.
let malicious_ips = dynamic(["180.180.232.136", "92.42.100.131"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
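The same matching logic, written as an added Python example so it can be tried offline against sample records (this is not code from the page or from URLhaus). It refangs the two IOC URLs exactly as listed above, extracts their host part, and then runs the equivalent of the two hunts over constructed records shaped like the DnsEvents and CommonSecurityLog columns used here. The record values, computer names and source addresses are constructed for illustration; the function names are my own.

```python
import re
from urllib.parse import urlsplit

# The two IOC rows from the URLhaus summary on this page, still defanged ("hxxp").
URLHAUS_IOCS = [
    "hxxp://180.180.232.136:43886/bin.sh",
    "hxxp://92.42.100.131/tplink.sh",
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp://, [.]) so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)


def ioc_hosts(iocs) -> set:
    """Return the host part (here, the IP address) of every IOC URL."""
    return {urlsplit(refang(u)).hostname for u in iocs}


# Constructed sample records (not real telemetry), using the column names
# the Sentinel queries on this page rely on.
DNS_EVENTS = [
    {"TimeGenerated": "2026-05-19T10:01:02Z", "Computer": "cam-01",
     "Name": "update.example.test", "IPAddresses": "203.0.113.10"},
    {"TimeGenerated": "2026-05-19T10:03:44Z", "Computer": "cam-02",
     "Name": "92.42.100.131", "IPAddresses": "92.42.100.131"},
]
CSL_EVENTS = [
    {"TimeGenerated": "2026-05-19T10:04:10Z", "SourceIP": "10.0.0.5",
     "RequestURL": "http://180.180.232.136:43886/bin.sh",
     "DestinationHostName": "", "DestinationIP": "180.180.232.136",
     "DeviceAction": "allowed"},
    {"TimeGenerated": "2026-05-19T10:05:00Z", "SourceIP": "10.0.0.9",
     "RequestURL": "https://intranet.example.test/",
     "DestinationHostName": "intranet.example.test", "DestinationIP": "10.0.0.20",
     "DeviceAction": "allowed"},
]


def hunt_dns(events, hosts) -> list:
    """Equivalent of the DnsEvents hunt: match on the queried name or on any
    resolved address (IPAddresses may hold a comma-separated list)."""
    hits = []
    for e in events:
        resolved = {ip.strip() for ip in e["IPAddresses"].split(",") if ip.strip()}
        if e["Name"] in hosts or resolved & hosts:
            hits.append(e)
    return hits


def hunt_web(events, hosts) -> list:
    """Equivalent of the CommonSecurityLog hunt: match the host of the
    requested URL, the destination hostname, or the destination IP."""
    hits = []
    for e in events:
        req_host = urlsplit(e["RequestURL"]).hostname if e["RequestURL"] else None
        if req_host in hosts or e["DestinationHostName"] in hosts or e["DestinationIP"] in hosts:
            hits.append(e)
    return hits


if __name__ == "__main__":
    hosts = ioc_hosts(URLHAUS_IOCS)
    for hit in hunt_dns(DNS_EVENTS, hosts) + hunt_web(CSL_EVENTS, hosts):
        print(hit)
```

Note that this compares whole host values rather than using KQL term matching, so an IOC address can never match a longer address that merely contains it as a substring; when porting the hunt to a SIEM that lacks a term-aware operator, that is the behaviour to preserve.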
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is manually testing a Mirai exploit detection tool in a sandboxed environment to validate security controls. | `process.name != "mirai_exploit_test_tool" or process.parent.name != "sandbox_env"` |
| A scheduled job runs a network scanning tool such as nmap to identify open ports on internal devices for compliance checks. | `process.name != "nmap" or process.args != "--open"` |
| A DevOps team uses Ansible to deploy configuration updates to IoT devices, which includes checking for default credentials. | `process.name != "ansible" or process.args != "--check"` |
| A security analyst uses Wireshark to analyze network traffic for signs of Mirai botnet communication during incident response. | `process.name != "wireshark" or process.args != "--capture"` |
| A backup job uses rsync to transfer configuration files from IoT devices to a central server for archival. | `process.name != "rsync" or process.args != "--archive"` |