Adversaries may use botnet-associated malicious URLs to establish command and control channels or distribute malware, leveraging compromised infrastructure to exfiltrate data or propagate further. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential botnet command and control activity before it leads to broader network compromise.
IOC Summary
Threat: botnet. Total URLs: 2. Active URLs: 2.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://14.102.34.66:50135/Mozi.a | online | malware_download | 2026-06-22 |
| hxxp://220.202.65.145:45746/Mozi.a | online | malware_download | 2026-06-22 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: botnet
// Note: these IOCs are raw IP:port URLs, so a query name (Name) will rarely
// contain them; also match the resolved addresses (IPAddresses) so that
// lookups answering with an IOC address are caught.
let malicious_domains = dynamic(["14.102.34.66", "220.202.65.145"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: botnet
let malicious_domains = dynamic(["14.102.34.66", "220.202.65.145"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False-Positive Scenarios

| Scenario | Filter/Exclusion |
|---|---|
| Scheduled system update job downloads a known botnet URL from a trusted repository | Exclude URLs from known update servers (e.g., *.update.microsoft.com, *.canonical.com) or use a whitelist of approved update URLs. |
| Admin uses a tool like curl or wget to manually test a botnet URL for research or pentesting purposes | Exclude traffic originating from admin workstations or specific user accounts used for security testing (e.g., user=security-team). |
| A legitimate security tool like CrowdStrike Falcon or Microsoft Defender ATP downloads a botnet URL as part of its signature update process | Exclude URLs associated with known security software update endpoints (e.g., *.falconplatform.com, *.microsoft.com/defender). |
| A user receives a phishing email containing a botnet URL, but clicks on it as part of a simulated phishing test using MockPhish or PhishTank | Exclude URLs from known phishing simulation platforms (e.g., *.mockphish.com, *.phishtank.org). |
| A CI/CD pipeline uses a tool like Jenkins or GitHub Actions to fetch dependencies from a compromised repository that hosts a botnet URL | Exclude URLs from known CI/CD artifact repositories (e.g., *.maven.apache.org, *.npmjs.com) or use a whitelist of approved dependency sources. |
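The following is an added example, not code from the original page: it refangs the defanged IOC rows from the summary table, renders the `malicious_domains` list the hunting queries above expect, and applies the false-positive exclusions from the scenarios to constructed CommonSecurityLog-style records. The allowlist patterns and the `security-team` account are assumed values taken from the scenario examples.

```python
"""Refang URLhaus IOCs, build the KQL IOC list, and hunt with exclusions."""
from urllib.parse import urlsplit
import fnmatch

# IOC rows as listed in the summary table (defanged with hxxp://)
IOCS = [
    ("hxxp://14.102.34.66:50135/Mozi.a", "online", "malware_download"),
    ("hxxp://220.202.65.145:45746/Mozi.a", "online", "malware_download"),
]

# Assumed exclusion values drawn from the false-positive scenarios
ALLOWLIST_HOSTS = ["*.update.microsoft.com", "*.canonical.com",
                   "*.falconplatform.com", "*.npmjs.com"]
TESTING_USERS = {"security-team"}


def refang(url: str) -> str:
    """Turn hxxp(s):// back into http(s):// so urlsplit can parse it."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def ioc_hosts(iocs) -> list:
    """Unique hosts (IPs here) of the IOC URLs that are still online, in table order."""
    hosts = []
    for url, status, _threat in iocs:
        host = urlsplit(refang(url)).hostname
        if status == "online" and host not in hosts:
            hosts.append(host)
    return hosts


def kql_let(hosts) -> str:
    """Render the `let malicious_domains = dynamic([...])` line used by the hunts."""
    return "let malicious_domains = dynamic([%s]);" % ", ".join(f'"{h}"' for h in hosts)


def is_excluded(record: dict) -> bool:
    """False-positive filters: allowlisted destination hosts and testing accounts."""
    host = record.get("DestinationHostName") or ""
    if any(fnmatch.fnmatch(host, pat) for pat in ALLOWLIST_HOSTS):
        return True
    return record.get("SourceUserName") in TESTING_USERS


def hunt(records, hosts) -> list:
    """Records whose RequestURL or DestinationHostName contains an IOC host, minus exclusions."""
    def matches(r):
        haystack = f"{r.get('RequestURL', '')} {r.get('DestinationHostName', '')}"
        return any(h in haystack for h in hosts)
    return [r for r in records if matches(r) and not is_excluded(r)]


# Constructed CommonSecurityLog-like records for demonstration only
SAMPLE = [
    {"SourceIP": "10.0.0.5", "RequestURL": "http://14.102.34.66:50135/Mozi.a",
     "DestinationHostName": "14.102.34.66", "SourceUserName": "jdoe"},
    {"SourceIP": "10.0.0.9", "RequestURL": "http://220.202.65.145:45746/Mozi.a",
     "DestinationHostName": "220.202.65.145", "SourceUserName": "security-team"},
    {"SourceIP": "10.0.0.7", "RequestURL": "https://dl.update.microsoft.com/patch.cab",
     "DestinationHostName": "dl.update.microsoft.com", "SourceUserName": "svc-wsus"},
]
```

Running `hunt(SAMPLE, ioc_hosts(IOCS))` leaves only the `10.0.0.5` record: the `security-team` download is excluded as testing traffic and the update-server fetch does not match an IOC host.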