This detection hunts for contact with URLs that URLhaus has tagged c2-monitor-auto, a tag applied to URLs associated with known malicious infrastructure used for command and control (C2). The two indicators below are malware downloads served from a bare IP address (no hostname) and both are already offline, so SOC teams should hunt historical proxy and DNS telemetry in Microsoft Sentinel (formerly Azure Sentinel) rather than wait for live hits: a past fetch from this host indicates early-stage adversary access on the requesting machine and should be triaged as a likely payload retrieval.
IOC Summary
Threat: c2-monitor-auto
Total URLs: 2
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://91.92.242.236/files-129312398/files/file_d369551b73a17113.msi | offline | malware_download | 2026-05-28 |
| hxxp://91.92.242.236/files-129312398/files/file_f82e3c02c153f34c.exe | offline | malware_download | 2026-05-28 |
Both indicators use an IP literal, so no client will ever issue a DNS query whose name is 91.92.242.236; matching `Name` against the IOC (as a generic "malicious domain" template would) returns nothing. What DNS telemetry can show is a lookalike or attacker-controlled name that resolved to that IP, so the hunt keys on the resolved answers in `IPAddresses` instead:

```kusto
// Hunt for DNS answers that resolve to the URLhaus IOC host
// Threat: c2-monitor-auto
// The IOCs are IP literals: match the resolved addresses, not the query name.
let malicious_ips = dynamic(["91.92.242.236"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

If a later feed update adds hostname-based IOCs for this tag, add a `Name has_any (malicious_domains)` clause with those names alongside the IP match.
The proxy/firewall hunt checks the request URL and destination host as before and additionally `DestinationIP`, because CEF-sending firewalls often populate only the IP fields and leave `RequestURL` empty. `DeviceAction` is projected rather than filtered on: a blocked request is still evidence that the source host attempted the download.

```kusto
// Hunt for web traffic to the URLhaus IOC host
// Threat: c2-monitor-auto
let malicious_ips = dynamic(["91.92.242.236"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Proxy and firewall logs ingested over CEF; ensure the connector is enabled and confirm which of RequestURL, DestinationHostName and DestinationIP the sending device actually populates |
| DnsEvents | DNS Analytics logs from the DNS server agent; ensure the connector is enabled and that query answers (IPAddresses) are being collected, not only query names |
Known False Positives
Scope each exclusion to the source asset or to a specific internal destination, not to a URL fragment an attacker can also supply (a query string such as ?test=true or a timestamp in the path is trivially copied), and never let an exclusion cover the IOC host 91.92.242.236 itself.

- Scenario: A system administrator is manually testing a new endpoint detection and response (EDR) tool by submitting a benign URL for validation.
  Filter/Exclusion: Exclude requests from the designated test workstation, or URLs on the internal testing domain, rather than URLs that merely carry a test parameter like ?test=true.
- Scenario: A scheduled job runs a nightly script that fetches updates from a trusted internal repository, and one of the repository URLs is tagged c2-monitor-auto.
  Filter/Exclusion: Exclude traffic from the known internal update server, or destinations matching a specific domain pattern such as internal-repo.example.com.
- Scenario: A user accesses a legitimate cloud storage link (e.g., Google Drive or OneDrive) to share a file with a colleague, and the URL is mistakenly tagged c2-monitor-auto because of a misconfiguration in the URLhaus feed handling.
  Filter/Exclusion: Exclude the known cloud storage domains themselves; query parameters like ?dl=0 or ?usp=sharing are not a safe basis for exclusion on their own.
- Scenario: A security tool such as CrowdStrike Falcon or Microsoft Defender for Endpoint performs a scheduled scan and generates a temporary URL for artifact collection that is tagged c2-monitor-auto.
  Filter/Exclusion: Exclude the vendor collection endpoint by its exact host (for example a URL prefix like https://falcon-collector), not by the presence of a timestamp in the URL path.
- Scenario: A DevOps pipeline uses a CI/CD tool such as Jenkins or GitLab to push artifacts to a staging environment, and the deployment URL is tagged c2-monitor-auto because of a misconfigured integration.
  Filter/Exclusion: Exclude the staging environment domain, or requests from the CI runner hosts, rather than any URL containing a deployment identifier like deploy-stage-20250405.
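The following is an added example, not code from the original page or from URLhaus: it turns the two IOCs above into hunt indicators and runs the same matching the DNS and proxy hunts perform over a handful of constructed, Sentinel-shaped records, then applies one exclusion scoped to a source asset in the way the false-positive list recommends. It also shows why the IP-literal IOC only surfaces in DNS answers, never in query names. The record layouts, all sample values, and the excluded sandbox host 10.0.0.50 are assumptions for illustration; matching is exact on host and IP rather than KQL's term-based `has_any`.

```python
"""Added example (not from the original page): build hunt indicators from the
URLhaus entries above and replay the DNS / proxy hunts over constructed records.
Record shapes, sample values and the excluded host are assumptions."""
import ipaddress
from urllib.parse import urlsplit

# The two IOCs from the page, still defanged as URLhaus publishes them.
URLHAUS_IOCS = [
    "hxxp://91.92.242.236/files-129312398/files/file_d369551b73a17113.msi",
    "hxxp://91.92.242.236/files-129312398/files/file_f82e3c02c153f34c.exe",
]


def refang(url: str) -> str:
    """Undo the usual defanging forms so the URL can be parsed."""
    return url.replace("hxxp://", "http://").replace("hxxps://", "https://").replace("[.]", ".")


def build_indicators(iocs):
    """Split each URL into the fields a hunt keys on: an IP-literal host goes
    into 'ips', a DNS name into 'hosts', and the exact path is kept for URL matching."""
    ind = {"ips": set(), "hosts": set(), "paths": set()}
    for ioc in iocs:
        parts = urlsplit(refang(ioc))
        host = (parts.hostname or "").lower()
        try:
            ind["ips"].add(str(ipaddress.ip_address(host)))
        except ValueError:
            ind["hosts"].add(host)
        ind["paths"].add(parts.path)
    return ind


def hunt_dns(events, ind):
    """Mirror of the DnsEvents hunt. Nobody resolves an IP literal, so the IOC
    IP can only appear in the answers; a domain IOC would match the query name."""
    hits = []
    for e in events:
        name = e["Name"].lower().rstrip(".")
        answers = {a.strip() for a in e["IPAddresses"].split(",") if a.strip()}
        if name in ind["hosts"] or answers & ind["ips"]:
            hits.append(e)
    return hits


def hunt_proxy(events, ind, excluded_sources=frozenset()):
    """Mirror of the CommonSecurityLog hunt over proxy/firewall CEF records.
    Matches on destination IP, destination host, or the request URL's host/path.
    DeviceAction is reported, not filtered: a blocked fetch still shows intent.
    Exclusions are keyed on the source asset, never on a URL fragment."""
    hits = []
    for e in events:
        if e.get("SourceIP") in excluded_sources:
            continue  # e.g. a named detonation sandbox or EDR test host (assumption)
        url = e.get("RequestURL") or ""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or e.get("DestinationHostName") or "").lower()
        if (e.get("DestinationIP") in ind["ips"]
                or host in ind["ips"] or host in ind["hosts"]
                or parts.path in ind["paths"]):
            hits.append(e)
    return hits


# Constructed sample records (not real telemetry), shaped like the Sentinel tables.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-28T09:58:11Z", "Computer": "ws01.corp.example",
     "Name": "cdn.example.net", "IPAddresses": "203.0.113.10"},
    # A lookalike name resolving to the IOC IP: only the answers reveal it.
    {"TimeGenerated": "2026-05-28T10:01:40Z", "Computer": "ws07.corp.example",
     "Name": "files-update.example.org", "IPAddresses": "91.92.242.236"},
]

SAMPLE_PROXY_EVENTS = [
    {"TimeGenerated": "2026-05-28T10:02:03Z", "SourceIP": "10.0.0.7", "DestinationIP": "91.92.242.236",
     "RequestURL": "http://91.92.242.236/files-129312398/files/file_f82e3c02c153f34c.exe",
     "DestinationHostName": "", "DeviceAction": "Blocked"},
    {"TimeGenerated": "2026-05-28T10:05:30Z", "SourceIP": "10.0.0.9", "DestinationIP": "93.184.216.34",
     "RequestURL": "https://www.example.com/", "DestinationHostName": "www.example.com",
     "DeviceAction": "Allowed"},
    # Detonation sandbox fetching the sample on purpose (assumed internal host 10.0.0.50).
    {"TimeGenerated": "2026-05-28T11:15:00Z", "SourceIP": "10.0.0.50", "DestinationIP": "91.92.242.236",
     "RequestURL": "http://91.92.242.236/files-129312398/files/file_d369551b73a17113.msi",
     "DestinationHostName": "", "DeviceAction": "Allowed"},
]

if __name__ == "__main__":
    ind = build_indicators(URLHAUS_IOCS)
    print("indicators:", ind)
    for hit in hunt_dns(SAMPLE_DNS_EVENTS, ind):
        print("DNS hit:", hit["Computer"], hit["Name"], "->", hit["IPAddresses"])
    for hit in hunt_proxy(SAMPLE_PROXY_EVENTS, ind, excluded_sources={"10.0.0.50"}):
        print("Proxy hit:", hit["SourceIP"], hit["DeviceAction"], hit["RequestURL"])
```

Run as-is it reports one DNS hit (the lookalike name that resolved to the IOC IP) and one proxy hit (the blocked download from 10.0.0.7); the sandbox fetch from 10.0.0.50 is dropped by the source-scoped exclusion, while the same request from any other host would still be reported, which is the property a URL-fragment exclusion cannot give you.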