The detection identifies potential botnet command and control (C2) communication by matching DNS resolutions and web requests against URLs and domains associated with known botnet infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to disrupt ongoing botnet activity and prevent lateral movement within compromised networks.
IOC Summary

Threat: botnetdomain | Total URLs: 2 | Active URLs: 1

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://69sexy.duckdns.org/bins/anti.sh | online | malware_download | 2026-05-25 |
| hxxp://69sexy.duckdns.org/bins/dropper.go | offline | malware_download | 2026-05-25 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: botnetdomain
let malicious_domains = dynamic(["69sexy.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["69sexy.duckdns.org"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job for Malware Analysis
Description: A security team runs a scheduled job to download and analyze URLs from a sandboxing tool like Cuckoo Sandbox or Joe Sandbox for malware analysis.
Filter/Exclusion: Exclude URLs that match the sandboxing tool’s internal IP ranges or use a custom field like sandboxing_tool to tag these URLs.

Scenario: Admin Task for Patch Deployment
Description: An administrator uses a tool like Microsoft Intune or SCCM to deploy patches, which may include downloading URLs from Microsoft’s public servers.
Filter/Exclusion: Exclude URLs that originate from known Microsoft update servers (e.g., *.download.microsoft.com) or use a patch_deployment tag.

Scenario: Log Collection from SIEM System
Description: A SIEM system like Splunk or QRadar collects logs from various endpoints and may include URLs used for log forwarding or correlation.
Filter/Exclusion: Exclude URLs that are part of the SIEM system’s internal infrastructure (e.g., *.splunk.com) or use a siem_log_forwarding tag.

Scenario: Automated Report Generation
Description: A report generation tool like Power BI or Tableau may fetch data from internal or external URLs to populate dashboards.
Filter/Exclusion: Exclude URLs that are part of the report generation system’s allowed domains or use a reporting_tool tag.

Scenario: Internal Monitoring Tool for Network Traffic
Description: An internal monitoring tool like Zeek (formerly Bro) or Wireshark may capture and log URLs as part of network traffic analysis.
Filter/Exclusion: Exclude URLs that are part of the internal monitoring infrastructure (e.g., *.internal-monitoring.example.com) or use a network_monitoring tag.
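As an added example that is not part of the original page, the two hunts above combined into one query that also suppresses the benign scenarios listed (sandbox analysis jobs and other infrastructure hosts expected to touch these URLs) and summarizes per source host; the allowlisted host name and IP are assumptions for illustration.

```kusto
// Added example (not from the original page): one hunt over both tables,
// with a hypothetical source-host allowlist for the benign scenarios above
// and a per-host summary showing first/last seen and the proxy verdict.
let malicious_domains = dynamic(["69sexy.duckdns.org"]);
// Hypothetical hosts expected to contact these indicators legitimately
// (e.g. a sandbox analysis VM); replace with your own environment's values.
let allowlisted_hosts = dynamic(["sandbox-analysis-01.example.com", "10.10.20.5"]);
let dns_hits = DnsEvents
    | where Name has_any (malicious_domains)
    | where Computer !in~ (allowlisted_hosts)
    | project TimeGenerated, Host = Computer, Indicator = Name,
              Verdict = "", Source = "DnsEvents";
let web_hits = CommonSecurityLog
    | where RequestURL has_any (malicious_domains)
        or DestinationHostName has_any (malicious_domains)
    | where SourceIP !in (allowlisted_hosts)
    | project TimeGenerated, Host = SourceIP,
              Indicator = coalesce(DestinationHostName, RequestURL),
              Verdict = tostring(DeviceAction), Source = "CommonSecurityLog";
union dns_hits, web_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Sources = make_set(Source),
            Indicators = make_set(Indicator), Verdicts = make_set(Verdict)
  by Host
| order by LastSeen desc
```

Because `has_any` matches on term boundaries, a request to a subdomain of the indicator still surfaces; review the `Verdicts` column to separate attempts the proxy blocked from downloads that completed.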