Adversaries may use malicious URLs tagged "arm" (here, malware downloads serving ARM-architecture payloads, as the akido.arm* file names in the IOC table show) to deliver payloads or exfiltrate data, leveraging compromised or trusted domains to evade detection. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activity early.
IOC Summary
Threat: arm. Total URLs: 8. Active URLs: 8.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://199.98.88.92.rev.sfr.net/d/akido.arm7 | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.arm7 | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.arm6 | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.arm5 | online | malware_download | 2026-05-05 |
| hxxp://199.98.88.92.rev.sfr.net/d/akido.arm5 | online | malware_download | 2026-05-05 |
| hxxp://199.98.88.92.rev.sfr.net/d/akido.arm6 | online | malware_download | 2026-05-05 |
| hxxp://199.98.88.92.rev.sfr.net/d/akido.arm | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.arm | online | malware_download | 2026-05-05 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: arm
// The eight IOC URLs above resolve to two hosts; match on those hosts
let malicious_domains = dynamic(["199.98.88.92.rev.sfr.net", "92.88.98.199"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: arm
// Matches both the requested URL and the destination host, since proxies/firewalls populate them differently
let malicious_domains = dynamic(["199.98.88.92.rev.sfr.net", "92.88.98.199"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortener tool (short.url) by accessing a few legitimate URLs for validation purposes.
Filter/Exclusion: Exclude URLs containing the domain short.url or any URL that includes the query parameter ?test=1.
Scenario: A scheduled job runs nightly to fetch updates from a known internal repository (internal-repo.example.com) using a script named update_packages.sh.
Filter/Exclusion: Exclude URLs containing the domain internal-repo.example.com and filter out any requests made by the script update_packages.sh.
Scenario: An IT support team is using a legitimate endpoint security tool (CrowdStrike Falcon) to access a remote support portal (support.crowdstrike.com) for troubleshooting.
Filter/Exclusion: Exclude URLs containing the domain support.crowdstrike.com and filter out traffic from the process CrowdStrike Falcon.
Scenario: A developer is using a CI/CD pipeline (GitHub Actions) to pull dependencies from a public artifact repository (maven-central.org) during a build.
Filter/Exclusion: Exclude URLs containing the domain maven-central.org and filter out traffic originating from the GitHub Actions runner.
Scenario: A security analyst is performing a red team exercise and is using a legitimate penetration testing tool (Metasploit) to access a controlled test environment (test-env.local).
Filter/Exclusion: Exclude URLs containing the domain test-env.local and filter out traffic from the process msfconsole or metasploit.
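The KQL queries above were derived by hand from the IOC table (eight defanged URLs collapsing to two hosts), and the scenarios above describe exclusions to bolt on. The following added example, not part of the original page, automates that step: it refangs the IOC URLs, extracts the unique hosts, and renders the CommonSecurityLog hunt query with an optional allow-list clause (the `short.url` host is taken from the first scenario; the function names are the example's own).

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the eight defanged URLs from the IOC table above.
IOC_URLS = [
    "hxxp://199.98.88.92.rev.sfr.net/d/akido.arm7",
    "hxxp://92.88.98.199/d/akido.arm7",
    "hxxp://92.88.98.199/d/akido.arm6",
    "hxxp://92.88.98.199/d/akido.arm5",
    "hxxp://199.98.88.92.rev.sfr.net/d/akido.arm5",
    "hxxp://199.98.88.92.rev.sfr.net/d/akido.arm6",
    "hxxp://199.98.88.92.rev.sfr.net/d/akido.arm",
    "hxxp://92.88.98.199/d/akido.arm",
]

def refang(url: str) -> str:
    """Undo the usual defanging (hxxp -> http, [.] -> .) so the URL parses."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")

def extract_hosts(urls):
    """Unique hostnames from the IOC list, in first-seen order."""
    hosts = []
    for url in urls:
        host = urlsplit(refang(url)).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def kql_dynamic(items):
    """Render strings as a KQL dynamic([...]) literal with quoted entries."""
    return "dynamic([" + ", ".join(f'"{item}"' for item in items) + "])"

def build_web_hunt(urls, exclude_hosts=()):
    """CommonSecurityLog hunt over the IOC hosts, minus allow-listed hosts."""
    lines = [
        f"let malicious_domains = {kql_dynamic(extract_hosts(urls))};",
        "CommonSecurityLog",
        "| where RequestURL has_any (malicious_domains)"
        " or DestinationHostName has_any (malicious_domains)",
    ]
    if exclude_hosts:  # e.g. the short.url test traffic from the first scenario
        lines.append(f"| where not(DestinationHostName has_any ({kql_dynamic(exclude_hosts)}))")
    lines += [
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction",
        "| order by TimeGenerated desc",
    ]
    return "\n".join(lines)
```

Regenerating the query from the feed each time keeps the `dynamic([...])` list in sync as URLhaus adds or retires entries, and the exclusion clause keeps the allow-list visible in the query itself rather than hidden in analyst memory.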