The hypothesis is that the detected URLs are part of a campaign that uses ASCII-encoded malicious payloads to evade basic URL filtering and deliver payloads to compromised hosts. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate potential command-and-control communications or data exfiltration attempts.
IOC Summary
Threat: ascii
Total URLs: 2
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://144.31.236.60/2.txt | offline | malware_download | 2026-04-22 |
| hxxp://144.31.236.60/1.txt | offline | malware_download | 2026-04-22 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ascii
// The IoC here is a bare IP address, so it must be matched against the
// resolved addresses (IPAddresses) as well as the queried name; matching
// Name alone would never fire for an IP-only indicator.
let malicious_domains = dynamic(["144.31.236.60"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ascii
// DestinationIP is checked too, because a proxy or firewall record for a
// direct-to-IP request may carry no hostname at all.
let malicious_domains = dynamic(["144.31.236.60"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a URL shortener service using a known safe ASCII URL for internal validation.
Filter/Exclusion: Exclude URLs that match internal testing domains or are part of a known safe URL shortening service (e.g., internal-shortener.example.com).
Scenario: A scheduled job runs a script that downloads a configuration file from a public repository using an ASCII URL (e.g., https://raw.githubusercontent.com/example/config/master/config.txt).
Filter/Exclusion: Exclude URLs that match known public repositories or are part of a whitelisted update mechanism (e.g., raw.githubusercontent.com).
Scenario: A user is accessing a legitimate ASCII-based API endpoint (e.g., https://api.example.com/data) for data synchronization.
Filter/Exclusion: Exclude URLs that match internal API endpoints or are part of a whitelisted service (e.g., api.example.com).
Scenario: A security tool (e.g., CrowdStrike Falcon) is using an ASCII URL to fetch a signature update from a trusted source.
Filter/Exclusion: Exclude URLs that match known security tool update endpoints (e.g., falcon.example.com or signature-update.example.com).
Scenario: A DevOps pipeline is using an ASCII URL to pull a Docker image from a private registry (e.g., https://registry.example.com:5000/image:tag).
Filter/Exclusion: Exclude URLs that match internal registry hosts or are part of a CI/CD pipeline (e.g., registry.example.com).
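To show how the CommonSecurityLog hunt above and the five exclusion scenarios fit together, here is an added Python model of the same logic run over constructed proxy records; it is example code written for this page, not URLhaus, Microsoft or the page author's own tooling. It assumes the record shape matches the columns the KQL query projects, and the allowlisted hostnames are the page's own placeholder values (example.com, raw.githubusercontent.com), not a vetted list. It generalises slightly beyond the page by accepting defanged `hxxp://` indicators and by suppressing a match only when every matched host is allowlisted, so a real IoC is never hidden by an unrelated exclusion.

```python
from urllib.parse import urlsplit

# IoC host taken from the IOC Summary (both listed URLs share it).
MALICIOUS_HOSTS = {"144.31.236.60"}

# Exclusion list built from the page's five false-positive scenarios.
# These are the page's example hostnames, not real infrastructure.
ALLOWLISTED_HOSTS = {
    "internal-shortener.example.com",
    "raw.githubusercontent.com",
    "api.example.com",
    "falcon.example.com",
    "signature-update.example.com",
    "registry.example.com",
}

# Constructed sample events shaped like the projected CommonSecurityLog
# columns. None of these are real log entries.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-04-22T08:01:00Z", "SourceIP": "10.0.0.15",
     "RequestURL": "http://144.31.236.60/1.txt", "DestinationHostName": "",
     "DestinationIP": "144.31.236.60", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-04-22T08:02:00Z", "SourceIP": "10.0.0.22",
     "RequestURL": "https://raw.githubusercontent.com/example/config/master/config.txt",
     "DestinationHostName": "raw.githubusercontent.com",
     "DestinationIP": "203.0.113.10", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-04-22T08:03:00Z", "SourceIP": "10.0.0.15",
     "RequestURL": "", "DestinationHostName": "",
     "DestinationIP": "144.31.236.60", "DeviceAction": "block"},
    {"TimeGenerated": "2026-04-22T08:04:00Z", "SourceIP": "10.0.0.31",
     "RequestURL": "https://api.example.com/data",
     "DestinationHostName": "api.example.com",
     "DestinationIP": "198.51.100.7", "DeviceAction": "allow"},
]


def extract_host(url: str) -> str:
    """Return the lowercase hostname of a URL, or "" if there is none.
    Defanged hxxp:// indicators are refanged so feed entries compare directly."""
    if not url:
        return ""
    url = url.replace("hxxps://", "https://").replace("hxxp://", "http://")
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_allowlisted(host: str) -> bool:
    """Exact or parent-domain match against the exclusion list (the page's
    'exclude URLs that match ...' rule), so sub.api.example.com is covered."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWLISTED_HOSTS)


def observed_hosts(event: dict) -> set:
    """All host identifiers a single record exposes: URL host, hostname field
    and destination IP, mirroring the three OR-ed conditions in the KQL."""
    hosts = {
        extract_host(event.get("RequestURL", "")),
        event.get("DestinationHostName", "").lower(),
        event.get("DestinationIP", ""),
    }
    hosts.discard("")
    return hosts


def hunt(events, iocs=MALICIOUS_HOSTS):
    """Keep events that touch an IoC host, drop those whose matched hosts are
    all allowlisted, and return them newest first like the KQL ordering."""
    hits = []
    for ev in events:
        matched = observed_hosts(ev) & set(iocs)
        if not matched:
            continue
        if all(is_allowlisted(h) for h in matched):
            continue  # every matched host is a known-good source: scenario exclusion
        hits.append({**ev, "MatchedIoC": sorted(matched)})
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["SourceIP"], hit["DeviceAction"], hit["MatchedIoC"])
```

Note that the exclusion is applied to the matched host rather than to the whole event: if a future IoC list contains a shared public host such as raw.githubusercontent.com, the allowlist suppresses that entry as the scenarios prescribe, while an IoC on any other host in the same event still surfaces.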