The detection identifies potential adversary activity involving malicious URLs linked to the URLhaus entry 282234, which is associated with known malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration or lateral movement.
IOC Summary

Threat: 282234 | Total URLs: 2 | Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://196.251.107.104/Progressive_8127.75.4792_INSTALL.exe | online | malware_download | 2026-06-09 |
| hxxp://196.251.107.104/tkr.exe | online | malware_download | 2026-06-09 |
```kusto
// Hunt for DNS resolution of URLhaus indicators
// Threat: 282234
// The indicator for this entry is a bare IP address, not a domain, so a DNS
// query name will rarely contain it; match the resolved addresses as well.
let malicious_ips = dynamic(["196.251.107.104"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web/proxy traffic to URLhaus indicators
// Threat: 282234
// Match the IP in the request URL, the destination host name and the
// destination IP field, since proxies do not always log a host name.
let malicious_ips = dynamic(["196.251.107.104"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
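The matching the two queries perform, as an added offline example in Python that is not part of the URLhaus entry or of any Sentinel content: the IOC URLs from the table are refanged from their hxxp notation, constructed CEF lines (the format behind CommonSecurityLog: request, dhost, dst, src, act) are parsed, and a hit is any record whose request URL host, destination host or destination IP is an IOC host. The update-server allowlist is a hypothetical instance of the exclusion described in the false-positive guidance.

```python
import re
from urllib.parse import urlsplit

# IOC URLs exactly as the table above lists them (defanged).
URLHAUS_IOCS = [
    "hxxp://196.251.107.104/Progressive_8127.75.4792_INSTALL.exe",
    "hxxp://196.251.107.104/tkr.exe",
]

# Hypothetical allowlist for the "legitimate update server" exclusion.
ALLOWED_HOSTS = {"updates.microsoft.com", "download.oracle.com"}

# Constructed sample CEF lines, not real telemetry.
SAMPLE_LOG = [
    "CEF:0|Vendor|Proxy|1.0|100|web|5|src=10.0.0.5 dst=196.251.107.104 "
    "request=http://196.251.107.104/tkr.exe act=allowed",
    "CEF:0|Vendor|Proxy|1.0|100|web|5|src=10.0.0.6 dhost=updates.microsoft.com "
    "request=http://updates.microsoft.com/x.cab act=allowed",
    "CEF:0|Vendor|Proxy|1.0|100|web|5|src=10.0.0.7 dhost=example.internal act=allowed",
    "CEF:0|Vendor|Proxy|1.0|100|web|5|src=10.0.0.8 dst=196.251.107.104 act=blocked",
]


def refang(url: str) -> str:
    """Turn URLhaus defanged notation (hxxp, [.]) back into a real URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")


def ioc_hosts(iocs):
    """Hosts (domain or IP) extracted from the IOC URLs."""
    return {urlsplit(refang(u)).hostname for u in iocs}


def parse_cef(line: str) -> dict:
    """Return the key=value extension fields of a CEF line as a dict."""
    extension = line.split("|", 7)[-1]
    return dict(re.findall(r"(\w+)=(\S+)", extension))


def match_record(rec: dict, hosts) -> bool:
    """True if request host, destination host or destination IP is an IOC host."""
    target = rec.get("dhost") or rec.get("dst")
    if "request" in rec:
        target = urlsplit(rec["request"]).hostname or target
    return target in hosts and target not in ALLOWED_HOSTS


def hunt(lines, iocs):
    """Parsed records that hit the IOC set; mirrors the CommonSecurityLog query."""
    hosts = ioc_hosts(iocs)
    return [r for r in map(parse_cef, lines) if match_record(r, hosts)]
```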
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update via URLhaus tag
Description: A system update or patch is being downloaded from a URL that is mistakenly tagged as 282234 in URLhaus.
Filter/Exclusion: Check the URL’s domain against known enterprise update servers (e.g., updates.microsoft.com, download.oracle.com) and exclude traffic to these domains.
Scenario: Scheduled backup job using a known safe URL
Description: A backup job is configured to use a URL that is flagged by the rule, but it is a legitimate backup endpoint.
Filter/Exclusion: Exclude traffic to URLs containing backup, restore, or snapshot in the path, or match against internal backup servers (e.g., backup.internal.corp).
Scenario: Admin task using a third-party tool with known URL
Description: An admin is using a third-party tool (e.g., PowerShell, Ansible, or Chef) that connects to a URL tagged as 282234 for configuration management.
Filter/Exclusion: Exclude traffic initiated from admin workstations or specific IP ranges used by admin tools, or filter by process name (e.g., powershell.exe, ansible-playbook).
Scenario: Internal URLhaus feed synchronization
Description: The enterprise security team is synchronizing with the URLhaus feed as part of their threat intelligence process, and the URL is flagged as 282234.
Filter/Exclusion: Exclude traffic to the URLhaus API endpoint (urlhaus.org/api/) or any traffic from the internal threat intel team’s IP range.
Scenario: Legitimate phishing simulation using a known URL
Description: A security team is conducting a phishing simulation and uses a URL that is mistakenly tagged as 282