The four URLs below are listed in URLhaus with the tag ascii and the threat type malware_download: two point to a VBS script (file.vbs) in the GitHub repository voicatch/voicath, reachable both through github.com and raw.githubusercontent.com, and two are Google Drive direct-download links. The hypothesis is that they deliver a plain-text script stage of an infection chain, which may in turn establish command and control or exfiltrate data. Because the payloads sit on widely used, legitimate hosting services, the domains cannot be blocked outright and a hunt has to pivot on the full URL, the repository path and the Drive file IDs rather than on the hostnames. SOC teams should proactively hunt for requests to these URLs in Microsoft Sentinel to identify and contain hosts that fetched them.
IOC Summary
Threat: ascii | Total URLs: 4 | Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://raw.githubusercontent.com/voicatch/voicath/refs/heads/main/file.vbs | online | malware_download | 2026-06-08 |
| hxxps://github.com/voicatch/voicath/raw/refs/heads/main/file.vbs | online | malware_download | 2026-06-08 |
| hxxps://drive.google.com/uc?export=download&id=1c3yPqyiOSZuYr4esZuapLYdVR2utpNLU | online | malware_download | 2026-06-08 |
| hxxps://drive.google.com/uc?export=download&id=14FKurqnz1Ju1VngnvXdKRQlHpUuOwloE | online | malware_download | 2026-06-08 |
```kusto
// Hunt for DNS resolution of the hosts used by the URLhaus "ascii" IOCs.
// DNS only records the hostname, never the path, so this query cannot tell
// the IOCs apart from ordinary GitHub or Google Drive use and will be noisy.
// Use it to corroborate a proxy hit (same host, same time window), not as a
// stand-alone detection.
let shared_hosts = dynamic(["raw.githubusercontent.com", "drive.google.com", "github.com"]);
DnsEvents
| where Name has_any (shared_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to the URLhaus "ascii" IOCs.
// The hosts are shared services, so matching the bare domains would flag
// almost every developer and Drive user. Match the terms that are unique to
// these URLs instead: the repository owner and name, and the Drive file IDs.
// KQL term matching treats "/", "?" and "=" as separators, so each entry
// below is a single term.
let ioc_terms = dynamic(["voicatch", "voicath",
    "1c3yPqyiOSZuYr4esZuapLYdVR2utpNLU", "14FKurqnz1Ju1VngnvXdKRQlHpUuOwloE"]);
CommonSecurityLog
| where RequestURL has_any (ioc_terms)
| project TimeGenerated, SourceIP, DestinationHostName, RequestURL, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled; it carries the full RequestURL from proxy/firewall CEF logs and is the only table here that can match the IOC paths |
| DnsEvents | Ensure this data connector is enabled; hostname only, used to corroborate proxy hits |
Scenario: A system administrator is manually testing a URL shortener service with a known-safe link to internal documentation.
Filter/Exclusion: Exclude the exact documentation URL or the path prefix /internal-docs/. Do not exclude by source range such as 10.0.0.0/8: every client in CommonSecurityLog comes from internal address space, so that exclusion would silence the whole hunt.
Scenario: A scheduled job runs a script that fetches update files from a trusted internal repository (e.g., git clone https://internal-repo.example.com/update-script).
Filter/Exclusion: Exclude the hostname internal-repo.example.com or the exact path /update-script. Nothing here touches the IOC hosts, so the exclusion cannot mask a true hit.
Scenario: A DevOps engineer's CI/CD pipeline pushes configuration files to a remote server (e.g., https://ci.example.com/config.yaml) and pulls its own tooling from GitHub.
Filter/Exclusion: Exclude the domain ci.example.com. For the GitHub side, exclude only the exact owner/repository paths the pipeline uses, never raw.githubusercontent.com or github.com as a whole, because the IOC is hosted on those domains.
Scenario: An IT helpdesk technician submits a support ticket through a web form that carries encoded data in the query string (e.g., https://support.example.com/submit?data=encoded_string).
Filter/Exclusion: Exclude the domain support.example.com. Do not exclude on the parameter name data alone; any URL with a data parameter, including a malicious one, would be dropped.
Scenario: A security analyst uses curl or wget to download a known-safe file from a trusted source (e.g., https://trusted-source.example.com/sample.txt), or deliberately fetches one of the IOC URLs for analysis.
Filter/Exclusion: Exclude the domain trusted-source.example.com. A deliberate fetch of an IOC should come from an isolated analysis host and be closed as a documented benign true positive rather than excluded, so the hunt keeps firing for any other host that requests the same URL. Never exclude on the string "ascii": it is the URLhaus tag for this set, not part of any of the URLs.
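The matching logic of the hunt, together with the path-level exclusions described in the scenarios above, as an added Python example run over constructed proxy records. This is not code from the original page and not part of Microsoft Sentinel; the record shape mirrors a few CommonSecurityLog columns, the sample records are constructed, and the allowlisted repository example-org/internal-tools is a hypothetical exclusion standing in for a pipeline's own repository.

```python
"""Hunt for the URLhaus 'ascii' IOCs in proxy-style records.

Added example, not part of the original page or of Microsoft Sentinel.
It matches the full indicators (repository path, Drive file ID) instead of
the shared hosting domains, and applies a path-level allowlist.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The four defanged IOCs exactly as listed in the IOC summary.
IOCS = [
    "hxxps://raw.githubusercontent.com/voicatch/voicath/refs/heads/main/file.vbs",
    "hxxps://github.com/voicatch/voicath/raw/refs/heads/main/file.vbs",
    "hxxps://drive.google.com/uc?export=download&id=1c3yPqyiOSZuYr4esZuapLYdVR2utpNLU",
    "hxxps://drive.google.com/uc?export=download&id=14FKurqnz1Ju1VngnvXdKRQlHpUuOwloE",
]
GITHUB_HOSTS = {"raw.githubusercontent.com", "github.com"}
DRIVE_HOST = "drive.google.com"

def refang(url: str) -> str:
    """Undo hxxp(s):// and [.] defanging so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")

def repo_of(path: str) -> str:
    """owner/repo from a GitHub path, lower-cased; '' if the path is too short."""
    parts = path.strip("/").split("/")
    return "/".join(parts[:2]).lower() if len(parts) >= 2 and parts[1] else ""

def indicators(iocs):
    """Split the IOCs into what each log source can see.

    Returns (domains, repos, drive_ids). DNS logs only ever show the domains;
    the repository paths and Drive file IDs are what make these URLs unique.
    """
    domains, repos, drive_ids = set(), set(), set()
    for ioc in iocs:
        u = urlsplit(refang(ioc))
        host = u.hostname.lower()
        domains.add(host)
        if host in GITHUB_HOSTS:
            repos.add(repo_of(u.path))
        elif host == DRIVE_HOST:
            drive_ids.update(parse_qs(u.query).get("id", []))
    return domains, repos, drive_ids

def classify(url, domains, repos, drive_ids, allow_repos=frozenset()):
    """'ioc' for a true hit, 'domain-only' for benign use of the same host,
    None when the host is unrelated or the repository is allowlisted."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host not in domains:
        return None
    if host in GITHUB_HOSTS:
        repo = repo_of(u.path)
        if repo in allow_repos:  # exclude by exact owner/repo, never by host
            return None
        return "ioc" if repo in repos else "domain-only"
    if host == DRIVE_HOST:
        ids = parse_qs(u.query).get("id", [])
        return "ioc" if any(i in drive_ids for i in ids) else "domain-only"
    return "domain-only"

# Constructed records in the shape of a few CommonSecurityLog columns.
SAMPLE_LOG = [
    {"SourceIP": "10.1.4.22", "RequestURL": "https://raw.githubusercontent.com/voicatch/voicath/refs/heads/main/file.vbs", "DeviceAction": "allow"},
    {"SourceIP": "10.1.4.22", "RequestURL": "https://drive.google.com/uc?export=download&id=1c3yPqyiOSZuYr4esZuapLYdVR2utpNLU", "DeviceAction": "allow"},
    {"SourceIP": "10.2.7.9", "RequestURL": "https://raw.githubusercontent.com/actions/checkout/main/README.md", "DeviceAction": "allow"},
    {"SourceIP": "10.2.7.9", "RequestURL": "https://drive.google.com/uc?export=download&id=0B0123456789abcdef", "DeviceAction": "allow"},
    {"SourceIP": "10.3.0.5", "RequestURL": "https://github.com/example-org/internal-tools/raw/main/deploy.ps1", "DeviceAction": "allow"},
    {"SourceIP": "10.3.0.5", "RequestURL": "https://example.com/index.html", "DeviceAction": "allow"},
]
# Hypothetical allowlist: the one repository our own pipeline is known to pull.
ALLOW_REPOS = frozenset({"example-org/internal-tools"})

def hunt(records, iocs=IOCS, allow_repos=ALLOW_REPOS):
    """Return (ioc_hits, domain_only) lists of records."""
    domains, repos, drive_ids = indicators(iocs)
    hits, noise = [], []
    for r in records:
        verdict = classify(r["RequestURL"], domains, repos, drive_ids, allow_repos)
        if verdict == "ioc":
            hits.append(r)
        elif verdict == "domain-only":
            noise.append(r)
    return hits, noise

def domain_only_matches(records, iocs=IOCS):
    """How many records a domain-only query would have flagged."""
    domains = indicators(iocs)[0]
    return sum(1 for r in records if (urlsplit(r["RequestURL"]).hostname or "").lower() in domains)

if __name__ == "__main__":
    hits, noise = hunt(SAMPLE_LOG)
    print(f"domain-only matching: {domain_only_matches(SAMPLE_LOG)} of {len(SAMPLE_LOG)} records")
    print(f"indicator matching: {len(hits)} hits, {len(noise)} benign uses of the same hosts")
    for r in hits:
        print(f"  {r['SourceIP']} -> {r['RequestURL']}")
```

On the six constructed records, matching on hostname alone flags five; matching on repository path and Drive file ID flags the two real fetches from 10.1.4.22, reports two as benign use of the same hosts, and drops the allowlisted pipeline repository without ever excluding github.com or drive.google.com themselves.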