This detection flags potential command-and-control (C2) activity by hunting for connections to URLs that URLhaus has tagged c2-monitor-auto, a tag applied to URLs tied to infrastructure known to distribute malware. All three URLs in this batch serve .exe payloads (threat type malware_download) from a single IP, 91.92.242.236, and are currently listed as offline; offline status only means the download no longer works, not that a host which fetched the file earlier is clean. SOC teams should hunt for the indicator in Microsoft Sentinel (formerly Azure Sentinel) to surface early-stage adversary access: a host that reached this IP may already be running the downloaded binary and should be triaged for follow-on C2 traffic.
IOC Summary

Threat: c2-monitor-auto
Total URLs: 3
Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://91.92.242.236/files-129312398/files/file_1232af70460f33e6.exe | offline | malware_download | 2026-06-04 |
| hxxp://91.92.242.236/files-129312398/files/file_678a638ac5fc633b.exe | offline | malware_download | 2026-06-04 |
| hxxp://91.92.242.236/files-129312398/files/file_b6b65062e1a97e1e.exe | offline | malware_download | 2026-06-04 |

All three URLs share the same host, 91.92.242.236, so the hunts below pivot on that IP rather than on individual URLs. The URLs are defanged (hxxp); refang them before pasting into a tool that parses URLs.
```kql
// Hunt for DNS resolutions that return the URLhaus-listed IP
// Threat: c2-monitor-auto
// The indicator is a bare IP, so match on the resolved address (IPAddresses),
// not on the queried Name: a DNS query name never contains an IP literal.
// A direct-to-IP download produces no DNS query at all, so this pivot only
// fires when some intermediate name resolves to the IOC IP; treat the
// web-traffic hunt as primary and this one as a supplementary pivot.
let malicious_ips = dynamic(["91.92.242.236"]);
DnsEvents
| where isnotempty(IPAddresses)
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for proxy/firewall traffic to the URLhaus-listed IP
// Threat: c2-monitor-auto
// Match on the destination IP and on the parsed host of the request URL,
// not on a substring of the whole URL: the IOC IP can appear in the query
// string of a benign request, and a benign name can appear in the path of
// the malicious one.
let malicious_ips = dynamic(["91.92.242.236"]);
CommonSecurityLog
| extend RequestHost = tolower(tostring(parse_url(RequestURL).Host))
| where DestinationIP in (malicious_ips)
    or DestinationHostName in (malicious_ips)
    or RequestHost in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction
| order by TimeGenerated desc
// Triage note: DeviceAction "deny"/"block" still shows a host attempted the
// download; "allow" means the binary most likely landed on the endpoint.
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog-based connectors for firewalls and proxies; confirm the connector is enabled and that the device logs DestinationIP and RequestURL, since the hunt keys on those fields |
| DnsEvents | Populated by the Windows DNS server connector; confirm the connector is enabled and that IPAddresses is being filled, since the hunt keys on resolved addresses rather than query names |
False-positive scenarios and exclusions

Exclusions must be keyed on the destination host or IP (DestinationHostName, DestinationIP, or the parsed host of RequestURL), never on a substring of the full URL: an attacker-controlled URL can carry a benign-looking name in its path or query string, and a URL-substring exclusion would then suppress a true hit. For this batch the indicator is a bare public IP, 91.92.242.236, so none of the hostname-based exclusions below can legitimately match it; treat any hit on that IP as a true positive until triage proves otherwise.

Scenario: Scheduled System Update Job
Description: A scheduled patching job downloads from a vendor update host that a proxy URL-filtering rule or a stale URLhaus entry has flagged.
Filter/Exclusion: Exclude traffic whose destination host is update.microsoft.com or patch.example.com (replace with the update servers actually used in the environment).

Scenario: Admin Task for Log Collection
Description: An admin task pulls logs from remote servers over HTTP, and the collection endpoint is flagged.
Filter/Exclusion: Exclude traffic whose destination host is log-collector.example.com or log-aggregator.example.com (use the actual internal log collection endpoints).

Scenario: Automated Threat Intelligence Feed Sync
Description: A threat intelligence sync job fetches indicator lists from a trusted source; the fetched content itself contains the c2-monitor-auto URLs, so proxies or IDS sensors that inspect request or response bodies may record the indicator strings even though the destination is the TI server.
Filter/Exclusion: Exclude traffic whose destination host is threatintel.example.com or ti-feed.example.com (use the actual internal or trusted TI feed endpoints).

Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline downloads a build artifact from an internal repository whose host has been wrongly flagged.
Filter/Exclusion: Exclude traffic whose destination host is ci.example.com or artifactory.example.com (use the actual CI/CD artifact servers).

Scenario: Internal Monitoring Tool Data Fetch
Description: An internal monitoring tool fetches metrics from a central server whose host has been wrongly flagged.
Filter/Exclusion: Exclude traffic whose destination host is monitoring.example.com or metrics.example.com (use the actual internal monitoring endpoints).
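The two hunts above and the exclusion logic from the scenarios can be replayed offline to check that they behave as intended. The following Python is an example added to this page, not the page's own KQL and not URLhaus or Sentinel code: it refangs the IOC URLs from the table, matches DnsEvents- and CommonSecurityLog-shaped records on the resolved or destination IP and the parsed host, and applies exclusions keyed on the destination hostname. The log records, source hosts and addresses are constructed (RFC 5737 and RFC 1918 ranges), and the exclusion names are the placeholders from the scenarios.

```python
"""Offline replay of the c2-monitor-auto hunt (added example, not the page's
KQL). Refangs the IOC URLs, matches DnsEvents- and CommonSecurityLog-shaped
records on resolved/destination IP and parsed host, and applies exclusions
keyed on the destination hostname. All telemetry below is constructed."""
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit

# IOC URLs exactly as the table lists them (defanged with hxxp://).
IOC_URLS = [
    "hxxp://91.92.242.236/files-129312398/files/file_1232af70460f33e6.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_678a638ac5fc633b.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_b6b65062e1a97e1e.exe",
]
# Known-good destination hosts: placeholders from the scenarios; replace with
# the environment's real update/log/TI/CI endpoints.
EXCLUDED_HOSTS = {"update.microsoft.com", "patch.example.com"}

def refang(url: str) -> str:
    """Undo the defanging IOC feeds apply so urlsplit can parse the URL."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://").replace("[.]", "."))

def host_of(url: str) -> Optional[str]:
    """Lower-cased parsed host of a URL, or None when there is none."""
    host = urlsplit(refang(url)).hostname
    return host.lower() if host else None

def split_indicators(urls):
    """Split IOC hosts into IP literals and DNS names."""
    ips, names = set(), set()
    for url in urls:
        host = host_of(url)
        if host is None:
            continue
        try:
            ip_address(host)
            ips.add(host)
        except ValueError:
            names.add(host)
    return ips, names

def name_matches(host: Optional[str], names) -> bool:
    """Exact or subdomain match against a set of names; never a substring test."""
    return host is not None and any(host == n or host.endswith("." + n) for n in names)

def is_excluded(host: Optional[str], excluded=EXCLUDED_HOSTS) -> bool:
    """Exclusion keyed on the destination host, so a benign name smuggled into
    the path or query of a malicious URL cannot suppress a hit."""
    return name_matches(host, excluded)

def hunt_dns(records, ips, names):
    """DnsEvents-shaped records: hit on the queried Name or on a resolved IP."""
    hits = []
    for r in records:
        resolved = {a.strip() for a in r.get("IPAddresses", "").split(",") if a.strip()}
        qname = r.get("Name", "").lower()
        if (name_matches(qname, names) or resolved & ips) and not is_excluded(qname):
            hits.append(r)
    return hits

def hunt_proxy(records, ips, names):
    """CommonSecurityLog-shaped records: hit on DestinationIP or the parsed host."""
    hits = []
    for r in records:
        host = (r.get("DestinationHostName") or host_of(r.get("RequestURL", "")) or "").lower()
        ip_hit = r.get("DestinationIP") in ips or host in ips
        if (ip_hit or name_matches(host, names)) and not is_excluded(host):
            hits.append(r)
    return hits

# Constructed sample telemetry (invented hosts, RFC 5737 / RFC 1918 addresses).
DNS_SAMPLE = [
    {"TimeGenerated": "2026-06-04T09:12:01Z", "Computer": "WS-0142",
     "Name": "cdn-files.example.net", "IPAddresses": "91.92.242.236"},  # resolves to IOC IP
    {"TimeGenerated": "2026-06-04T09:13:44Z", "Computer": "WS-0142",
     "Name": "update.microsoft.com", "IPAddresses": "203.0.113.10"},    # benign
]
PROXY_SAMPLE = [
    # True positive: IOC URL with a benign name appended to the query string.
    {"TimeGenerated": "2026-06-04T09:12:03Z", "SourceIP": "10.20.5.17",
     "RequestURL": "http://91.92.242.236/files-129312398/files/file_678a638ac5fc633b.exe?src=update.microsoft.com",
     "DestinationHostName": "91.92.242.236", "DestinationIP": "91.92.242.236", "DeviceAction": "allow"},
    # Benign: the IOC IP appears only inside the query of a vendor URL.
    {"TimeGenerated": "2026-06-04T09:13:50Z", "SourceIP": "10.20.5.17",
     "RequestURL": "http://update.microsoft.com/download?ref=91.92.242.236",
     "DestinationHostName": "update.microsoft.com", "DestinationIP": "203.0.113.10", "DeviceAction": "allow"},
]

def run_hunt(dns=DNS_SAMPLE, proxy=PROXY_SAMPLE, iocs=IOC_URLS):
    """Run both hunts and return the matching records per source."""
    ips, names = split_indicators(iocs)
    return {"dns": hunt_dns(dns, ips, names), "proxy": hunt_proxy(proxy, ips, names)}

if __name__ == "__main__":
    for source, hits in run_hunt().items():
        for h in hits:
            print(source, h["TimeGenerated"], h.get("Computer") or h.get("SourceIP"),
                  h.get("Name") or h.get("RequestURL"))
```

Running it prints exactly two hits: the DNS record whose answer is the IOC IP and the proxy record that fetched the .exe. A term match on the whole RequestURL would also have flagged the second proxy record, where the IOC IP is only a query parameter, and a URL-substring exclusion on update.microsoft.com would have hidden the first one; keying both the match and the exclusion on the parsed destination host avoids both mistakes. The first DNS record also illustrates the caveat in the DNS hunt: a direct-to-IP download leaves no DNS trace, so that pivot only fires when some name resolves to the IOC IP.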