The detection identifies potential Mirai botnet command-and-control (C2) communication attempts through known malicious URLs, indicating possible compromise of infected devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate Mirai botnet activity before it leads to widespread network compromise.
IOC Summary
Threat: mirai
Total URLs: 4
Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://180.157.47.130:60111/i | online | malware_download | 2026-05-20 |
| hxxp://120.28.160.162:58170/i | online | malware_download | 2026-05-20 |
| hxxp://120.28.160.162:58170/bin.sh | online | malware_download | 2026-05-20 |
| hxxp://110.37.5.157:48623/i | online | malware_download | 2026-05-20 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: mirai
// Note: the URLhaus entries for this threat are IP-literal URLs, so the IOC value
// will normally appear in the resolved-address field (IPAddresses), not in the
// queried name. Both fields are checked so IP-only C2 is not missed.
let malicious_domains = dynamic(["180.157.47.130", "120.28.160.162", "110.37.5.157"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: mirai
// DestinationIP is matched as well, because proxy/firewall events for IP-literal
// URLs may carry an empty RequestURL or DestinationHostName.
let malicious_domains = dynamic(["180.157.47.130", "120.28.160.162", "110.37.5.157"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
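The two queries above match on IP alone. The following added example (not part of the original detection content) is a single KQL hunt that joins the exact URLhaus IOCs (IP, port and path) against both CommonSecurityLog and DnsEvents, scores each hit by how many IOC fields agree, and applies the internal-range exclusion from the false-positive scenarios. It assumes the standard Sentinel column names for those tables and uses a constructed placeholder sandbox range (10.99.0.0/16) that should be replaced with the real one.

```kusto
// Added example: IOC table built from the URLhaus entries above (IP, port, path).
let ioc = datatable(IocIP:string, IocPort:int, IocPath:string) [
    "180.157.47.130", 60111, "/i",
    "120.28.160.162", 58170, "/i",
    "120.28.160.162", 58170, "/bin.sh",
    "110.37.5.157",   48623, "/i"
];
// Assumed sandbox/test subnet (placeholder) for the internal-range exclusion scenario.
let sandbox_ranges = dynamic(["10.99.0.0/16"]);
let lookback = 7d;
// Proxy/firewall events: join on destination IP, then check port and URL path.
let web_hits = CommonSecurityLog
| where TimeGenerated > ago(lookback) and isnotempty(DestinationIP)
| join kind=inner ioc on $left.DestinationIP == $right.IocIP
| extend PortMatch = DestinationPort == IocPort,
         UrlMatch  = RequestURL contains strcat(IocIP, ":", tostring(IocPort), IocPath)
// Score 2 = IP+port+path agree (exact URLhaus URL), 1 = IP plus one field, 0 = IP only.
| extend Score = toint(PortMatch) + toint(UrlMatch)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DeviceAction, Score;
// DNS events: the IOCs are IP literals, so look at resolved answers rather than the name.
let dns_hits = DnsEvents
| where TimeGenerated > ago(lookback) and isnotempty(IPAddresses)
| mv-expand ResolvedIP = split(IPAddresses, ",") to typeof(string)
| extend ResolvedIP = trim(" ", ResolvedIP)
| join kind=inner ioc on $left.ResolvedIP == $right.IocIP
| project TimeGenerated, SourceIP = ClientIP, DestinationIP = ResolvedIP,
          DestinationPort = int(null), RequestURL = Name, DeviceAction = "dns-resolve", Score = 0;
union web_hits, dns_hits
// False-positive scenario: drop hits originating from the assumed sandbox/test range.
| where not(ipv4_is_in_any_range(SourceIP, sandbox_ranges))
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            MaxScore = max(Score), Urls = make_set(RequestURL, 10), Actions = make_set(DeviceAction, 5)
    by SourceIP, DestinationIP
| order by MaxScore desc, Hits desc
```

A MaxScore of 2 means the source reached the exact URLhaus URL (IP, port and path), which is the strongest indicator of a Mirai loader fetch; lower scores are worth triage but may be scanner or unrelated traffic to the same host.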
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a Mirai-based exploit detection tool by uploading a known benign payload to a test server for analysis.
Filter/Exclusion: Exclude URLs containing the string "testserver.local" or any URL that includes the word "test" in the domain or path.

Scenario: A scheduled job runs nightly to download and update a Mirai-related threat intelligence feed from a trusted source (e.g., URLhaus or VirusTotal).
Filter/Exclusion: Exclude URLs that match the IP address or domain of the threat intelligence feed provider (e.g., urlhaus.abuse.ch or virustotal.com).

Scenario: A security analyst is using a sandbox environment to analyze a Mirai-related payload, and the sandbox generates temporary URLs for internal communication between components.
Filter/Exclusion: Exclude URLs that originate from internal IP ranges (e.g., 192.168.0.0/16) or are flagged as internal by the enterprise's network security tools.

Scenario: A DevOps team is deploying a CI/CD pipeline that uses a script to fetch and execute a Mirai-related test script for vulnerability assessment.
Filter/Exclusion: Exclude URLs that are part of the CI/CD pipeline (e.g., ci.example.com or artifactory.example.com) or are associated with known CI/CD tools such as Jenkins or GitLab.

Scenario: A system is running a legitimate security tool (e.g., CrowdStrike Falcon) that uses a Mirai-related signature for threat detection, and the tool generates temporary URLs for internal logging or reporting.
Filter/Exclusion: Exclude URLs that are associated with the security tool's internal services or that match the tool's known internal URL patterns.