Adversaries may use arm-tagged malicious URLs to deliver payloads or exfiltrate data, leveraging compromised or trusted domains to evade detection. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and disrupt potential command-and-control channels or initial compromise vectors.
IOC Summary
Threat: arm
Total URLs: 4
Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://160.119.71.16/L/nope4.johnsmith | online | malware_download | 2026-05-22 |
| hxxp://160.119.71.16/L/nope5.johnsmith | online | malware_download | 2026-05-22 |
| hxxp://160.119.71.16/L/nope6.johnsmith | online | malware_download | 2026-05-22 |
| hxxp://160.119.71.16/L/nope7.johnsmith | online | malware_download | 2026-05-22 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: arm
// The indicator for this hunt is a bare IP address. Clients fetching an IP-literal
// URL do not issue a DNS query containing it, so matching only the queried Name
// would return nothing; also match the resolved addresses (IPAddresses) so that
// lookups answered with the IOC address are surfaced.
let malicious_domains = dynamic(["160.119.71.16"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Matches proxy/firewall events where either the requested URL or the
// destination host contains the indicator.
let malicious_domains = dynamic(["160.119.71.16"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortener service by entering a legitimate URL into a test environment.
Filter/Exclusion: Exclude URLs containing the domain test.shorturlservice.com or any URL that includes the string test- in the path.
Scenario: A scheduled job runs a script that downloads a legitimate update from a known secure source, such as updates.microsoft.com.
Filter/Exclusion: Exclude URLs that match the domain updates.microsoft.com or any URL that contains the substring update.
Scenario: A developer is using a CI/CD pipeline to deploy code, and the pipeline includes a step that fetches dependencies from a public repository like npmjs.org.
Filter/Exclusion: Exclude URLs that match the domain npmjs.org or any URL that includes the substring package.
Scenario: An IT team is performing a security audit and is using a tool like Nessus to scan for vulnerabilities, which may include downloading test payloads from a secure internal server.
Filter/Exclusion: Exclude URLs that match the internal IP range 10.0.0.0/24 or any URL that includes the substring nessus.
Scenario: A user is using a legitimate phishing simulation tool like PhishMe to train employees, and the tool sends a test email with a simulated malicious link.
Filter/Exclusion: Exclude URLs that match the domain phishme.com or any URL that includes the substring training.
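The query below is an added example, not part of the original hunt content, that combines the web-traffic hunt above with the documented false-positive scenarios. It matches the full IOC URLs (host and path) and keeps other requests to the same IP as lower-confidence leads; the exclusions are anchored to the URL host (test.shorturlservice.com, updates.microsoft.com, npmjs.org, phishme.com) and the 10.0.0.0/24 scanner range, while the bare-substring exclusions (update, package, test-, training, nessus) are deliberately not applied, because a request to the IOC host whose path happened to contain one of those words would otherwise be suppressed. The 30-day lookback and the assumption that these are the only benign sources are the example's own choices.

```kql
// Added example (not the original hunt): exact-URL and host-level matching
// against the four URLhaus IOCs, with host-anchored exclusions.
let lookback = 30d;                       // assumed hunting window
let ioc_host = "160.119.71.16";
// Paths from the refanged IOC URLs in the table above
let ioc_paths = dynamic(["/L/nope4.johnsmith", "/L/nope5.johnsmith",
                         "/L/nope6.johnsmith", "/L/nope7.johnsmith"]);
// Hosts from the documented benign scenarios (assumed to be the complete list)
let benign_hosts = dynamic(["test.shorturlservice.com", "updates.microsoft.com",
                            "npmjs.org", "phishme.com"]);
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(RequestURL) or isnotempty(DestinationHostName)
| extend Parsed = parse_url(RequestURL)
| extend UrlHost = tolower(tostring(Parsed.Host)), UrlPath = tostring(Parsed.Path)
// Drop the documented benign sources by host, and the internal scanner range.
// coalesce() keeps rows whose host is not an IP (ipv4_is_in_range returns null).
| where not(UrlHost in (benign_hosts))
| where not(coalesce(ipv4_is_in_range(UrlHost, "10.0.0.0/24"), false))
// exact_url: host and path equal one of the IOCs (high confidence)
// ioc_host_only: any other request to the IOC address (lead to triage)
| extend Match = case(
    UrlHost == ioc_host and UrlPath in (ioc_paths), "exact_url",
    UrlHost == ioc_host or DestinationHostName == ioc_host, "ioc_host_only",
    "")
| where isnotempty(Match)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Actions = make_set(DeviceAction),
            URLs = make_set(RequestURL, 10)
    by SourceIP, DestinationHostName, Match
| order by Match asc, FirstSeen asc
```

Rows tagged exact_url with an allowed DeviceAction are the ones to escalate first; ioc_host_only rows show which sources touched the IP at all and help scope the exposure.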