The hypothesis is that the detected malicious URLs are associated with botnet domains used to compromise endpoints and exfiltrate data. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential botnet command and control communications before significant damage occurs.
IOC Summary

Threat: botnetdomain
Total URLs: 12
Active URLs: 12
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://boatbeach.online/main_mpsl | online | malware_download | 2026-05-28 |
| hxxp://boatbeach.online/main_m68k | online | malware_download | 2026-05-28 |
| hxxp://boatbeach.online/main_ppc | online | malware_download | 2026-05-28 |
| hxxp://boatbeach.online/main_arm5 | online | malware_download | 2026-05-28 |
| hxxp://boatbeach.online/main_x86 | online | malware_download | 2026-05-28 |
| hxxp://boatbeach.online/main_mips | online | malware_download | 2026-05-28 |
| hxxp://boatbeach.online/main_sh4 | online | malware_download | 2026-05-28 |
| hxxp://boatbeach.online/shcript.sh | online | malware_download | 2026-05-28 |
| hxxp://boatbeach.online/main_arm | online | malware_download | 2026-05-28 |
| hxxp://boatbeach.online/main_x86_64 | online | malware_download | 2026-05-28 |
| hxxp://boatbeach.online/main_arm7 | online | malware_download | 2026-05-28 |
| hxxp://boatbeach.online/main_arm6 | online | malware_download | 2026-05-28 |
The two KQL queries below are separate hunts; run each one on its own, since a second `let` statement after a tabular expression is not valid in a single query.

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: botnetdomain
let malicious_domains = dynamic(["boatbeach.online"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: botnetdomain
let malicious_domains = dynamic(["boatbeach.online"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
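The domain list in the queries above is typed by hand from the IOC table. As an added example (not part of the original hunting page or of URLhaus), the script below takes the defanged `hxxp://` URLs from the table, extracts the unique host names, and generates both KQL queries with the `malicious_domains` literal built from the data, so the hunt stays in step with the IOC list as it grows. The `refang`, `extract_domains`, `kql_dynamic` and `build_*_query` names are this example's own.

```python
"""Generate the Sentinel hunting queries from a URLhaus-style IOC list.

Added example; not code from the original page. Defanged URLs are refanged only
far enough to parse the host name, so the resulting queries carry bare domains.
"""
import json
import re
from urllib.parse import urlsplit

# IOC URLs exactly as listed on the page (defanged with hxxp://).
IOC_URLS = [
    "hxxp://boatbeach.online/main_mpsl",
    "hxxp://boatbeach.online/main_m68k",
    "hxxp://boatbeach.online/main_ppc",
    "hxxp://boatbeach.online/main_arm5",
    "hxxp://boatbeach.online/main_x86",
    "hxxp://boatbeach.online/main_mips",
    "hxxp://boatbeach.online/main_sh4",
    "hxxp://boatbeach.online/shcript.sh",
    "hxxp://boatbeach.online/main_arm",
    "hxxp://boatbeach.online/main_x86_64",
    "hxxp://boatbeach.online/main_arm7",
    "hxxp://boatbeach.online/main_arm6",
]

DEFANG_SCHEME = re.compile(r"^hxxp(s?)://", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn hxxp(s):// back into http(s):// and undo the common [.] defang."""
    return DEFANG_SCHEME.sub(lambda m: f"http{m.group(1)}://", url).replace("[.]", ".")


def extract_domains(urls) -> list:
    """Unique host names, in first-seen order, from (possibly defanged) URLs."""
    hosts = []
    for url in urls:
        host = urlsplit(refang(url)).hostname  # hostname is already lower-cased
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def kql_dynamic(values) -> str:
    """Render a list of strings as a KQL dynamic([...]) literal (JSON-escaped)."""
    return "dynamic(" + json.dumps(list(values)) + ")"


def build_dns_query(domains) -> str:
    """DNS-resolution hunt over the DnsEvents table, as on the page."""
    return "\n".join([
        "// Hunt for DNS resolution of URLhaus malicious domains",
        "// Threat: botnetdomain",
        f"let malicious_domains = {kql_dynamic(domains)};",
        "DnsEvents",
        "| where Name has_any (malicious_domains)",
        "| project TimeGenerated, Computer, Name, IPAddresses",
        "| order by TimeGenerated desc",
    ])


def build_proxy_query(domains) -> str:
    """Web-traffic hunt over CommonSecurityLog, as on the page."""
    return "\n".join([
        "// Hunt for web traffic to URLhaus malicious domains",
        "// Threat: botnetdomain",
        f"let malicious_domains = {kql_dynamic(domains)};",
        "CommonSecurityLog",
        "| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)",
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction",
        "| order by TimeGenerated desc",
    ])


if __name__ == "__main__":
    domains = extract_domains(IOC_URLS)
    print(build_dns_query(domains))
    print()
    print(build_proxy_query(domains))
```

Because every IOC here shares one host, the generated `dynamic` literal collapses to `["boatbeach.online"]`; the same code yields a multi-entry list when a feed spans several domains, and the JSON escaping keeps quotes or backslashes in odd host names from breaking the KQL.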
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False-positive scenarios and suggested exclusions:

1. Scenario: A system administrator is using PowerShell to download a legitimate update from a known botnetdomain URL as part of a scheduled patching job.
   Filter/Exclusion: Exclude URLs that match known update servers (e.g., *.update.microsoft.com, *.patch.example.com) or filter by process name (powershell.exe with a known update script).
2. Scenario: A scheduled backup job uses a script that connects to a botnetdomain URL to fetch a configuration file from a centralized management system.
   Filter/Exclusion: Exclude URLs that match internal configuration servers or filter by process name (backup_service.exe or backup_scheduler.exe).
3. Scenario: A SIEM log aggregation tool (e.g., Splunk or ELK) is configured to send logs to a botnetdomain URL for centralized logging and monitoring.
   Filter/Exclusion: Exclude URLs that match internal log aggregation endpoints or filter by process name (splunkd.exe, logstash.jar).
4. Scenario: A remote desktop session (e.g., RDP or VNC) is initiated from a botnetdomain URL as part of a legitimate remote support tool.
   Filter/Exclusion: Exclude URLs that match known remote access tools (e.g., *.remote-support.com) or filter by process name (mstsc.exe, vncviewer).
5. Scenario: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) uses a botnetdomain URL to fetch a dependency or artifact from a private registry.
   Filter/Exclusion: Exclude URLs that match internal artifact repositories or filter by process name (jenkins.exe, github-actions-runner).
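The exclusions above are stated loosely ("exclude URLs that match ... or filter by process name"). As an added example (not from the original page), the script below shows one way to apply them during triage: each exclusion pairs a destination-host pattern with the processes expected to reach it, so a benign process name alone never suppresses a hit on the IOC domain. The internal host names (`config.corp.example`, `logs.corp.example`, `artifacts.corp.example`) and the event records are constructed for this example; the wildcard patterns and process names are the page's own illustrative values.

```python
"""Triage candidate IOC hits against the page's false-positive exclusions.

Added example; not code from the original page. Events are constructed
proxy/endpoint records with the fields the CommonSecurityLog hunt projects,
plus a process name as an endpoint sensor would supply.
"""
from fnmatch import fnmatch
from urllib.parse import urlsplit

MALICIOUS_DOMAINS = ["boatbeach.online"]

# (reason, destination host glob, processes allowed to reach that host).
# Host patterns marked corp.example are assumptions for this example.
EXCLUSIONS = [
    ("known update server", "*.update.microsoft.com", {"powershell.exe"}),
    ("known update server", "*.patch.example.com", {"powershell.exe"}),
    ("internal config server", "config.corp.example", {"backup_service.exe", "backup_scheduler.exe"}),
    ("internal log aggregation", "logs.corp.example", {"splunkd.exe", "logstash.jar"}),
    ("remote support tool", "*.remote-support.com", {"mstsc.exe", "vncviewer"}),
    ("internal artifact repository", "artifacts.corp.example", {"jenkins.exe", "github-actions-runner"}),
]

# Constructed sample events (not real telemetry).
EVENTS = [
    {"src": "10.0.0.5", "url": "http://boatbeach.online/shcript.sh",
     "dest_host": "boatbeach.online", "process": "curl"},
    {"src": "10.0.0.9", "url": "http://boatbeach.online/main_x86",
     "dest_host": "boatbeach.online", "process": "powershell.exe"},
    {"src": "10.0.0.12", "url": "https://dl.update.microsoft.com/kb?ref=boatbeach.online",
     "dest_host": "dl.update.microsoft.com", "process": "powershell.exe"},
    {"src": "10.0.0.20", "url": "https://logs.corp.example/ingest",
     "dest_host": "logs.corp.example", "process": "splunkd.exe"},
]


def is_candidate(event: dict) -> bool:
    """Approximate the KQL has_any: the IOC term appears in the URL or host."""
    haystack = (event["url"] + " " + event["dest_host"]).lower()
    return any(domain in haystack for domain in MALICIOUS_DOMAINS)


def exclusion_reason(event: dict):
    """Return the matching exclusion reason, or None if the event stays a hit.

    The check keys on the real destination host AND the process, so traffic
    from powershell.exe straight to the IOC domain is never excluded.
    """
    host = (urlsplit(event["url"]).hostname or event["dest_host"]).lower()
    process = event["process"].lower()
    for reason, pattern, processes in EXCLUSIONS:
        if fnmatch(host, pattern) and process in processes:
            return reason
    return None


def triage(events):
    """Split candidate events into confirmed hits and excluded false positives."""
    hits, excluded = [], []
    for event in events:
        if not is_candidate(event):
            continue
        reason = exclusion_reason(event)
        (excluded if reason else hits).append({**event, "reason": reason})
    return hits, excluded


if __name__ == "__main__":
    hits, excluded = triage(EVENTS)
    for h in hits:
        print("HIT     ", h["src"], h["process"], h["url"])
    for e in excluded:
        print("EXCLUDED", e["src"], e["process"], e["url"], "->", e["reason"])
```

On the constructed events, the two downloads from `boatbeach.online` remain hits (including the one from `powershell.exe`), the update-server request that merely carries the IOC string in its query is excluded, and the log-forwarding event was never a candidate. Keying exclusions on host plus process rather than process alone is the point: a process name is trivial to share with benign software.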