The detection identifies potential adversary activity involving malicious URLs linked to the URLhaus entry 54e64e, which are associated with known malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging these URLs for command and control or data exfiltration.
IOC Summary

Threat: 54e64e
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://91.92.242.236/files-129312398/files/file_082eaf7f5d6ca3f8.exe | online | malware_download | 2026-06-15 |
| hxxp://91.92.242.236/files-129312398/files/file_a2054e924072d7f1.exe | online | malware_download | 2026-06-15 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 54e64e
// Note: the only indicator for this entry is an IP literal, so it will not
// appear as a queried name in DnsEvents; this query is kept for entries that
// carry hostnames. Match on the web-traffic query below for the IP itself.
let malicious_domains = dynamic(["91.92.242.236"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: 54e64e
// Because the indicator is an IP address, also check DestinationIP: proxy and
// firewall logs may populate it while DestinationHostName is empty.
let malicious_domains = dynamic(["91.92.242.236"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
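The two hunting queries above reduce to a simple rule: extract the host from each URLhaus URL, then flag any DNS or proxy event whose name, destination host or request URL contains it. The following Python script is an added example (not part of the original detection content) that applies that rule to a few constructed CEF-style proxy log lines. It refangs the `hxxp://` indicators, separates IP literals from DNS-resolvable names (which shows why the DnsEvents query yields nothing for this entry), and orders hits newest first as the KQL does. The log format, field names and sample lines are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The two URLhaus indicators for entry 54e64e, defanged exactly as listed above.
URLHAUS_54E64E_URLS = [
    "hxxp://91.92.242.236/files-129312398/files/file_082eaf7f5d6ca3f8.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_a2054e924072d7f1.exe",
]


def refang(url):
    """Turn a defanged URL (hxxp://, hxxps://, [.]) back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def ioc_hosts(urls):
    """Hosts (names or IP literals) to hunt for; these are the has_any terms in the KQL."""
    return {urlsplit(refang(u)).hostname for u in urls}


def ioc_dns_names(urls):
    """Subset of hosts that could actually show up as a queried name in DnsEvents.

    IP literals are never resolved, so they are dropped here; for entry 54e64e the
    result is empty, which is why the DNS query cannot fire on this indicator."""
    names = set()
    for host in ioc_hosts(urls):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            names.add(host)  # not an IP literal, so it is a resolvable name
    return names


def ioc_urls(urls):
    """Full refanged URLs, lower-cased, for exact-match enrichment of a hit."""
    return {refang(u).lower() for u in urls}


# Constructed sample proxy log (timestamp followed by CEF-style key=value pairs).
# 'dhost' and 'request' correspond to DestinationHostName and RequestURL in
# CommonSecurityLog. These lines are made up for the example; they are not real data.
SAMPLE_PROXY_LOG = """\
2026-06-15T10:01:02Z src=10.0.0.23 dhost=91.92.242.236 request=http://91.92.242.236/files-129312398/files/file_082eaf7f5d6ca3f8.exe act=allow
2026-06-15T10:02:10Z src=10.0.0.45 dhost=example.org request=http://example.org/index.html act=allow
2026-06-15T10:03:44Z src=10.0.0.23 dhost=91.92.242.236 request=http://91.92.242.236/files-129312398/files/other.bin act=block
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of fields plus its timestamp under 'time'."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["time"] = timestamp
    return fields


def hunt(log_text, urls=URLHAUS_54E64E_URLS):
    """Return events touching an IOC host, newest first (like 'order by TimeGenerated desc').

    Each hit carries 'exact_url' = True when the request matched a listed URL byte for
    byte, and False when only the host matched (e.g. a different path on the same
    server), which an analyst will usually want to triage separately."""
    hosts = ioc_hosts(urls)
    full_urls = ioc_urls(urls)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        request = event.get("request", "")
        host_match = event.get("dhost") in hosts or urlsplit(request).hostname in hosts
        if host_match:
            event["exact_url"] = request.lower() in full_urls
            hits.append(event)
    # ISO-8601 timestamps sort correctly as strings; newest first.
    return sorted(hits, key=lambda e: e["time"], reverse=True)


if __name__ == "__main__":
    print("DNS-huntable names:", ioc_dns_names(URLHAUS_54E64E_URLS) or "none (IP literal only)")
    for hit in hunt(SAMPLE_PROXY_LOG):
        print(hit["time"], hit["src"], hit["act"], "exact" if hit["exact_url"] else "host-only")
```

Running it reports no DNS-huntable names and two proxy hits from the same internal source, one exact URL match and one host-only match to a different path on the same server. The `exact_url` flag is the useful enrichment: a host-only hit still warrants a look, since the server is the indicator, but an exact match to a listed payload URL is the stronger signal.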
- Scenario: A system administrator is manually testing a new URL filtering tool by accessing a known benign URL from the URLhaus dataset for validation purposes.
  Filter/Exclusion: Exclude URLs that match the urlhaus_id tag 54e64e when the source is a known admin tool or user (e.g., `source == "url_filter_test_tool"` or `user == "admin"`).
- Scenario: A scheduled job runs a script that fetches and processes benign URLs from a trusted source, such as a security feed or internal database, which happens to include URLs tagged as 54e64e.
  Filter/Exclusion: Exclude URLs that originate from a specific IP address or domain associated with the internal security feed (e.g., `source_ip == "10.0.0.100"` or `domain == "internal-feed.example.com"`).
- Scenario: A user is performing a legitimate security audit and manually accesses a URL from the URLhaus dataset to verify its behavior in a sandboxed environment.
  Filter/Exclusion: Exclude URLs that are accessed from a sandboxed environment or a specific user group (e.g., `user_group == "security_team"` or `sandboxed == true`).
- Scenario: A backup or migration tool temporarily accesses a URL to download a configuration file, which is mistakenly tagged as 54e64e in the URLhaus database.
  Filter/Exclusion: Exclude URLs accessed by backup/migration tools (e.g., `tool_name == "backup_tool_v2"` or `process_name == "migration_script.sh"`).
- Scenario: A developer is testing a new application that dynamically generates URLs for internal services, and one of these URLs coincidentally matches a URL from the 54e64e tag.
  Filter/Exclusion: Exclude URLs that are generated by internal