This hunt covers URLhaus entries carrying the threat tag base64. The URLs themselves are not base64-encoded; the tag refers to the encoding of the hosted payloads. The entries are VBScript loaders served from two dedicated IPs (91.92.42.46 and 188.126.90.13) and text files hosted on shared platforms (gitlab.com and firebasestorage.googleapis.com). Proactively hunting for these URLs in Azure Sentinel can surface download cradles, command and control channels or data exfiltration attempts early in the attack lifecycle. Because two of the hosts are shared infrastructure used by legitimate traffic, match on the full host and path rather than the domain alone.
IOC Summary
Threat tag: base64. Total URLs: 15. Active (online) URLs: 5.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://91.92.42.46/svchost.vbs | online | malware_download | 2026-05-27 |
| hxxps://gitlab.com/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/mainclass.txt | offline | malware_download | 2026-05-27 |
| hxxps://gitlab.com/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/mainpure31agosto.txt | offline | malware_download | 2026-05-27 |
| hxxp://188.126.90.13/envifa.vbs | offline | malware_download | 2026-05-27 |
| hxxps://gitlab.com/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/mainNuevo_Documento_de_texto.txt | offline | malware_download | 2026-05-27 |
| hxxps://gitlab.com/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/mainpurelogbase.txt | offline | malware_download | 2026-05-27 |
| hxxps://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2FMSBuild.txt?alt=media&token=984ee921-1647-4fd6-a4df-ef3e9fea927b | online | malware_download | 2026-05-27 |
| hxxps://91.92.42.46/proceso.vbs | online | malware_download | 2026-05-27 |
| hxxps://91.92.42.46/sostener1.vbs | online | malware_download | 2026-05-27 |
| hxxp://188.126.90.13/sostener2.vbs | offline | malware_download | 2026-05-27 |
| hxxps://gitlab.com/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/main/tumfuf.txt | online | malware_download | 2026-05-27 |
| hxxps://gitlab.com/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/mainx31agosto.txt | offline | malware_download | 2026-05-27 |
| hxxps://91.92.42.46/sostener.vbs | offline | malware_download | 2026-05-27 |
| hxxps://gitlab.com/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/main31agosto.txt | offline | malware_download | 2026-05-27 |
| hxxps://gitlab.com/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/maintumfuf.txt | offline | malware_download | 2026-05-27 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: base64
// The dedicated IPs never appear in the DNS query name, so they are matched
// against the resolved addresses instead. gitlab.com and
// firebasestorage.googleapis.com are shared hosting: a DNS hit on them is a
// weak signal on its own and should be correlated with the web traffic hunt.
let malicious_domains = dynamic(["firebasestorage.googleapis.com", "gitlab.com"]);
let malicious_ips = dynamic(["91.92.42.46", "188.126.90.13"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious URLs
// Threat: base64
// The dedicated IPs are matched on any destination field; for the shared
// hosts the GitLab project and the Firebase bucket from the IOC table are
// required in the request URL, otherwise every GitLab or Firebase request
// in the environment would be flagged.
let malicious_ips = dynamic(["91.92.42.46", "188.126.90.13"]);
CommonSecurityLog
| where DestinationHostName has_any (malicious_ips)
    or DestinationIP has_any (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or RequestURL contains "notificaciones-judiciales-rama-judicial-colombia1"
    or RequestURL contains "rodriakd-8413d.appspot.com"
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction
| order by TimeGenerated desc
```
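The following Python is an added example, not part of the URLhaus feed or of the Sentinel queries above. It shows, on constructed proxy log lines, why a domain-only match is noisy for these IOCs while a host-plus-path match is not: the indicators are refanged, the path is percent-decoded and the query string (the Firebase `token` parameter) is dropped, so the same object is recognised even if the token varies. The `src=`, `request=` and `act=` keys in the sample lines are assumed CEF-style field names chosen for the example; the four IOC URLs are copied from the table above.

```python
"""Added example: domain-only versus host+path matching of URLhaus IOCs.

The IOC URLs are copied from the table on this page (still defanged). The
proxy log lines are constructed for the example and use CEF-style keys
(src=, request=, act=) as an assumption about the log format.
"""
import re
from urllib.parse import urlsplit, unquote

# A subset of the page's IOC table, defanged exactly as published.
IOC_URLS = [
    "hxxps://91.92.42.46/svchost.vbs",
    "hxxp://188.126.90.13/envifa.vbs",
    "hxxps://gitlab.com/notificaciones-judiciales-rama-judicial-colombia1/"
    "rama-judicial-del-poder-publico/-/raw/main/tumfuf.txt",
    "hxxps://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/"
    "o/dll%2FMSBuild.txt?alt=media&token=984ee921-1647-4fd6-a4df-ef3e9fea927b",
]


def refang(url: str) -> str:
    """Turn the feed's defanged scheme (hxxp/hxxps) back into a real one."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def normalize(url: str) -> tuple:
    """Return (host, path): host lower-cased, path percent-decoded, query dropped.

    Decoding %2F and dropping the query means the Firebase object is matched
    regardless of the download token, and the GitLab raw path matches whether
    or not the client encoded its separators.
    """
    parts = urlsplit(refang(url))
    return (parts.hostname or "").lower(), unquote(parts.path)


IOC_DOMAINS = {normalize(u)[0] for u in IOC_URLS}
IOC_HOST_PATHS = {normalize(u) for u in IOC_URLS}


def match_domain_only(url: str) -> bool:
    """What a has_any on the bare domain list does: hits all of gitlab.com."""
    return normalize(url)[0] in IOC_DOMAINS


def match_host_path(url: str) -> bool:
    """Precise match on host and decoded path."""
    return normalize(url) in IOC_HOST_PATHS


_KV = re.compile(r"(\w+)=(\S+)")


def parse_extension(line: str) -> dict:
    """Parse 'key=value' pairs; URLs contain no spaces, so \\S+ keeps the query."""
    return dict(_KV.findall(line))


# Constructed proxy events: one benign GitLab fetch, one malicious GitLab
# fetch, the Firebase object with a different token, a dedicated-IP fetch,
# and unrelated traffic.
SAMPLE_LOG_LINES = [
    "src=10.0.0.5 request=https://gitlab.com/acme/infra/-/raw/main/README.md act=allowed",
    "src=10.0.0.7 request=https://gitlab.com/notificaciones-judiciales-rama-judicial-colombia1/"
    "rama-judicial-del-poder-publico/-/raw/main/tumfuf.txt act=allowed",
    "src=10.0.0.9 request=https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/"
    "o/dll%2FMSBuild.txt?alt=media&token=00000000-0000-0000-0000-000000000000 act=allowed",
    "src=10.0.0.11 request=https://91.92.42.46/svchost.vbs act=blocked",
    "src=10.0.0.13 request=https://example.com/index.html act=allowed",
]


def hunt(lines) -> list:
    """Evaluate both matchers on each event and report the verdicts side by side."""
    results = []
    for line in lines:
        ev = parse_extension(line)
        url = ev.get("request", "")
        results.append({
            "src": ev.get("src"),
            "request": url,
            "act": ev.get("act"),
            "domain_hit": match_domain_only(url),
            "path_hit": match_host_path(url),
        })
    return results


def kql_path_list() -> str:
    """Render the decoded IOC paths as a KQL dynamic literal for a 'let' binding."""
    paths = sorted(p for _, p in IOC_HOST_PATHS)
    return "dynamic([" + ", ".join('"%s"' % p for p in paths) + "])"


if __name__ == "__main__":
    for r in hunt(SAMPLE_LOG_LINES):
        print("%-10s domain_hit=%-5s path_hit=%-5s %s" % (r["src"], r["domain_hit"], r["path_hit"], r["request"]))
    print(kql_path_list())
```

Run stand-alone, the benign README fetch is flagged by the domain-only matcher and cleared by the host-plus-path matcher, while the malicious GitLab and Firebase objects and the dedicated-IP download are flagged by both. `kql_path_list()` emits the decoded paths in a form that can be dropped into a `let` binding when the query is extended to a full path list.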
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
The false positive scenarios below apply only if the hunt is broadened to flag base64-looking strings in URLs; the IOC queries above match specific hosts and paths and are not triggered by internal encoding tools.
Scenario: Scheduled Job for URL Encoding Testing
Description: A system administrator runs a scheduled job to test URL encoding/decoding functionality for internal tools, which generates base64 strings that resemble malicious URLs.
Filter/Exclusion: Exclude URLs containing the string test_encode or url-encoder in the request path or query parameters.
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline downloads artifacts from a private registry using base64-encoded URLs for secure transmission, which may trigger the rule.
Filter/Exclusion: Exclude URLs that match the CI/CD server domain (e.g., ci.example.com) or contain artifact in the path.
Scenario: Admin Task for Base64 Decoding in Logs
Description: A security analyst manually decodes base64 strings in log files to investigate potential encoding-based attacks, which may be flagged as malicious URLs.
Filter/Exclusion: Exclude URLs that contain the string base64decode or decode in the query parameters or user agent.
Scenario: Internal Tool for URL Shortening
Description: An internal URL shortening tool uses base64 encoding to generate short links, which may be misinterpreted as malicious URLs by the detection rule.
Filter/Exclusion: Exclude URLs that originate from the internal shortening service (e.g., short.example.com) or contain shorten in the request path.
Scenario: Legacy System Base64 Encoding for Data Transfer
Description: An outdated system uses base64 encoding to transfer data between components, generating URLs that look like malicious base64 strings.
Filter/Exclusion: Exclude URLs that match the legacy system’s internal API endpoint (e.g., legacy-api.example.com) or contain data-transfer in the