This detection identifies potential adversary activity in which malicious .bat files are downloaded from URLs listed in URLhaus, indicating possible abuse of compromised hosts or phishing-delivered links as the initial vector. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain early-stage malware execution attempts before they lead to deeper system compromise.
IOC Summary
Threat: bat
Total URLs: 7
Active URLs: 5
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://eligibility-biological-rights-directive.trycloudflare.com/Sep01x86_Ayoo.zip | online | malware_download | 2026-05-25 |
| hxxps://eligibility-biological-rights-directive.trycloudflare.com/1Apr22ST.zip | online | malware_download | 2026-05-25 |
| hxxps://eligibility-biological-rights-directive.trycloudflare.com/1Apr22MA.zip | online | malware_download | 2026-05-25 |
| hxxps://eligibility-biological-rights-directive.trycloudflare.com/an.zip | online | malware_download | 2026-05-25 |
| hxxps://eligibility-biological-rights-directive.trycloudflare.com/1Apr22DLL.zip | online | malware_download | 2026-05-25 |
| hxxps://eligibility-biological-rights-directive.trycloudflare.com/1Apr22SU.bat | offline | malware_download | 2026-05-25 |
| hxxps://eligibility-biological-rights-directive.trycloudflare.com/1Apr22SU.txt | offline | malware_download | 2026-05-25 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: bat
let malicious_domains = dynamic(["eligibility-biological-rights-directive.trycloudflare.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains (run as a separate query)
// Threat: bat
let malicious_domains = dynamic(["eligibility-biological-rights-directive.trycloudflare.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Known False Positives
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is running a scheduled PowerShell script that downloads a .bat file from a known internal repository for patch management. | Exclude URLs matching internal domain patterns (e.g., *.internal.corp, *.patchmgr.example.com). |
| A legitimate system update process uses a .bat file hosted on a trusted Microsoft download server to install updates. | Exclude URLs containing download.microsoft.com or windowsupdate.microsoft.com. |
| A DevOps pipeline executes a .bat script to deploy code to a staging environment, which includes a URL to a public artifact repository. | Exclude URLs matching known CI/CD artifact hosts like artifactory.example.com or npmjs.com. |
| A user manually runs a .bat file to configure a third-party application, which includes a URL to a public CDN for JavaScript libraries. | Exclude URLs from known CDNs such as jsDelivr.com, cdnjs.cloudflare.com, or cdnjs.net. |
| A security tool or SIEM system generates a .bat script to fetch logs from a remote server for analysis, using a legitimate log aggregation URL. | Exclude URLs that match log aggregation services like logstash.example.com or splunk.example.com. |
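The following query is an added example, not part of the original hunt content above: it combines the two hunts into one result set, distinguishes a full URLhaus URL match (host plus path from the IOC table) from a domain-only match, and applies the false-positive exclusions by exact hostname rather than by substring, so a lookalike host that merely contains an allowlisted name is not silently excluded. The allowlist hostnames are placeholders taken from the scenarios; replace them with your own. Note that trycloudflare.com subdomains are short-lived tunnel names, so the domain indicator here will age quickly and the path list is what carries over to re-hosted copies.

```kusto
// Added example: tiered URLhaus match with exact-host exclusions (assumed allowlist values).
let urlhaus_hosts = dynamic(["eligibility-biological-rights-directive.trycloudflare.com"]);
// Paths from the IOC table above; matching on path catches both http and https forms.
let urlhaus_paths = dynamic([
    "/Sep01x86_Ayoo.zip", "/1Apr22ST.zip", "/1Apr22MA.zip", "/an.zip",
    "/1Apr22DLL.zip", "/1Apr22SU.bat", "/1Apr22SU.txt"]);
// Assumed allowlist built from the false-positive scenarios (placeholders, replace with yours).
// Exact-host comparison: a lookalike such as download.microsoft.com.evil.example is NOT excluded,
// whereas a "URL contains download.microsoft.com" exclusion would let it through.
let allowlisted_hosts = dynamic([
    "download.microsoft.com", "windowsupdate.microsoft.com",
    "artifactory.example.com", "cdnjs.cloudflare.com"]);
let web_hits = CommonSecurityLog
    | where isnotempty(RequestURL) or isnotempty(DestinationHostName)
    | extend Parsed = parse_url(RequestURL)
    // Fall back to DestinationHostName when the proxy/firewall logs only a path.
    | extend Host = tolower(coalesce(tostring(Parsed.Host), DestinationHostName)),
             Path = tostring(Parsed.Path)
    | where Host in~ (urlhaus_hosts) and Host !in~ (allowlisted_hosts)
    // A listed URL (host + path) is higher confidence than a domain-only hit.
    | extend Indicator = iff(Path in~ (urlhaus_paths), "url", "domain")
    | project TimeGenerated, Source = SourceIP, Host, Indicator,
              Detail = RequestURL, Action = DeviceAction;
let dns_hits = DnsEvents
    | where Name has_any (urlhaus_hosts)
    | project TimeGenerated, Source = Computer, Host = tolower(Name), Indicator = "dns",
              Detail = tostring(IPAddresses), Action = "";
union web_hits, dns_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Indicators = make_set(Indicator), Details = make_set(Detail, 10),
            Actions = make_set(Action)
    by Source, Host
// Rank sources that actually fetched a listed URL above those that only resolved the name.
| extend Score = iff(set_has_element(Indicators, "url"), 3,
                 iff(set_has_element(Indicators, "domain"), 2, 1))
| order by Score desc, LastSeen desc
```

Check the Actions column before escalating: a DeviceAction of block/deny from the proxy means the download was stopped, while an allow plus a DNS hit from the same source is the case worth triaging first.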