This detection flags potential AgentTesla malware distribution via three URLs reported to URLhaus: an adversary is staging script payloads (.ps1, .vbs and .hta files) on a compromised or attacker-controlled web host for delivery to victims. SOC teams should hunt for contact with these resources in Microsoft Sentinel (formerly Azure Sentinel) to find early-stage infections before the payload runs and the infection spreads within the network.
IOC Summary
Threat: AgentTesla
Total URLs: 3
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://miki-visitasia.com/pUpOPRge/A2.ps1 | offline | malware_download | 2026-06-15 |
| hxxp://172.245.209.253/203/goodthingsarebestbetterwayscomingforu.vbs | online | malware_download | 2026-06-15 |
| hxxp://172.245.209.253/203/ech/goodjobtodayreallyfinegoodhearthatcurrentilot.hta | online | malware_download | 2026-06-15 |
Hunting Queries

The IOC table contains one domain (miki-visitasia.com) and one bare IP (172.245.209.253). They have to be matched differently: a DNS query name can carry the domain, but never the IP, so the IP is matched against the resolved addresses and against destination IP fields instead.

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: AgentTesla
// The domain is matched on the queried name; the bare IP cannot appear as a
// query name, so it is matched against the resolved addresses instead.
let malicious_domains = dynamic(["miki-visitasia.com"]);
let malicious_ips = dynamic(["172.245.209.253"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains and the hosting IP
// Threat: AgentTesla
let malicious_domains = dynamic(["miki-visitasia.com"]);
let malicious_ips = dynamic(["172.245.209.253"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or RequestURL has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
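The two queries above only catch network contact. Because the IOCs are script payloads, a practitioner also wants to know which process fetched or ran them. The following query is an added example and not part of the original hunt: it assumes the DeviceProcessEvents table from the Microsoft Defender for Endpoint connector (SecurityEvent 4688 with command-line auditing is an alternative source) and matches both the IOC hosts and the exact payload paths from the IOC table against process command lines.

```kusto
// Added example: hunt for processes that reference the URLhaus payloads
// Assumes DeviceProcessEvents (Defender for Endpoint connector)
let malicious_hosts = dynamic(["miki-visitasia.com", "172.245.209.253"]);
// Exact payload paths from the IOC table; has_any matches them as whole-term phrases,
// so a renamed host serving the same path is still caught
let payload_paths = dynamic([
    "/pUpOPRge/A2.ps1",
    "/203/goodthingsarebestbetterwayscomingforu.vbs",
    "/203/ech/goodjobtodayreallyfinegoodhearthatcurrentilot.hta"]);
// Script hosts that would fetch or execute .ps1/.vbs/.hta payloads
let script_hosts = dynamic(["powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where ProcessCommandLine has_any (malicious_hosts)
    or ProcessCommandLine has_any (payload_paths)
// A script host with the IOC on its command line is the strongest signal;
// anything else (e.g. a browser download) still merits a look
| extend HitType = iff(FileName in~ (script_hosts),
    "script host referencing IOC", "other process referencing IOC")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName,
    FileName, ProcessCommandLine, HitType
| order by TimeGenerated desc
```

Pivot on InitiatingProcessFileName for any hit: an Office application or a browser launching mshta.exe or wscript.exe with one of these URLs is the typical AgentTesla delivery chain and should be escalated rather than closed as a single hit.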
Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Known False Positives

Each exclusion below should key on the destination host (exact name or subdomain), not on a substring of the whole URL: a malicious URL can carry an allowlisted name in its path or query string.

- Scenario: A system administrator is manually testing a URL shortener service (e.g., Bitly) to validate a phishing link for a security awareness training exercise.
  Filter/Exclusion: Exclude requests whose destination host is training.example.com or another subdomain of example.com that is used for internal security testing.
- Scenario: A scheduled job runs a script named fetch_threat_intel.sh to fetch updates from a legitimate threat intelligence feed (e.g., URLhaus); the feed content itself contains the malicious URLs.
  Filter/Exclusion: Exclude requests to threatintel.example.com for the exact path /api/v1/feeds or its subpaths.
- Scenario: A DevOps team uses a CI/CD pipeline (e.g., Jenkins) to deploy a new version of an application, and the job logs a temporary artifact download URL (e.g., artifacts.prod.example.com).
  Filter/Exclusion: Exclude requests whose destination host is artifacts.prod.example.com or another subdomain used for internal artifact storage.
- Scenario: An IT support team uses a remote access tool (e.g., TeamViewer) to troubleshoot a user's machine, and the session logs include a URL for the remote connection.
  Filter/Exclusion: Exclude requests whose destination host is teamviewer.com or a subdomain of it.
- Scenario: A security analyst manually reviews a report from a threat intelligence platform (e.g., Recorded Future) and clicks on a link to view more details about a known malicious URL.
  Filter/Exclusion: Exclude requests whose destination host is recordedfuture.com or a subdomain used for threat intelligence lookup.
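The following query is an added example, not part of the original page, showing how to apply those exclusions as a host allowlist rather than a string-contains filter. It assumes CommonSecurityLog and keeps the placeholder hosts named in the scenarios (replace them with the organisation's real ones); a hit is dropped only when the destination host is exactly an allowlisted name or a subdomain of one, so a URL with teamviewer.com in its query string, or a host such as teamviewer.com.evil.example, is still reported.

```kusto
// Added example: hunt for web traffic to the IOC hosts with a host-based allowlist
// Assumes CommonSecurityLog; allowlisted hosts are the scenario placeholders
let malicious_hosts = dynamic(["miki-visitasia.com", "172.245.209.253"]);
let allowlisted_hosts = datatable(Host:string, Reason:string) [
    "training.example.com",       "awareness-training link validation",
    "threatintel.example.com",    "scheduled fetch_threat_intel.sh feed job",
    "artifacts.prod.example.com", "CI/CD artifact download",
    "teamviewer.com",             "IT support remote sessions",
    "recordedfuture.com",         "analyst TI platform lookups"
];
// Collapse the allowlist to one array so it can be applied per row
let allow_list = toscalar(allowlisted_hosts | summarize make_list(Host));
CommonSecurityLog
| where RequestURL has_any (malicious_hosts) or DestinationHostName has_any (malicious_hosts)
// Normalise the destination host: prefer the proxy's hostname field, else parse it from the URL
| extend DestHost = tolower(coalesce(DestinationHostName, tostring(parse_url(RequestURL).Host)))
// Allowlisted only when the host IS an allowlisted name or ends with ".<allowlisted name>";
// a substring elsewhere in the URL does not count
| extend Allow = allow_list
| mv-apply a = Allow to typeof(string) on (
    summarize Allowlisted = countif(DestHost == a or DestHost endswith strcat(".", a)))
| where Allowlisted == 0
| project TimeGenerated, SourceIP, DestinationIP, DestHost, RequestURL, DeviceAction
| order by TimeGenerated desc
```

Note that neither IOC host is on the allowlist, so in practice the exclusions only matter for the threat-intel feed scenario, where the feed response contains the malicious URLs as data. Review the excluded rows periodically; an allowlist that silently grows is how a real hit disappears.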