The detection identifies potential command and control (C2) activity by monitoring URLs tagged as c2-monitor-auto, which are associated with known malicious infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary access and exfiltration attempts.
IOC Summary

Threat: c2-monitor-auto
Total URLs: 2
Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://91.92.242.236/files-129312398/files/file_27c474da366340b6.exe | offline | malware_download | 2026-06-01 |
| hxxp://91.92.242.236/files-129312398/files/file_5c45918e867514f4.exe | offline | malware_download | 2026-06-01 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: c2-monitor-auto
// Indicator hosts extracted from the IOC table above (here a bare IP, so DNS hits are unlikely; the web-traffic query below is the primary signal)
let malicious_domains = dynamic(["91.92.242.236"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: c2-monitor-auto
let malicious_domains = dynamic(["91.92.242.236"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known Microsoft URL.
  - Filter/Exclusion: Exclude URLs containing update.microsoft.com or windowsupdate.com in the URL field.
- Scenario: A Windows Task Scheduler job is configured to fetch a configuration file from an internal URL that is tagged as c2-monitor-auto for internal monitoring purposes.
  - Filter/Exclusion: Exclude URLs that match internal domain patterns (e.g., internal.company.com) using a regex or domain list.
- Scenario: A SIEM log collection agent is configured to send logs to a central server using a URL that is mistakenly tagged as c2-monitor-auto.
  - Filter/Exclusion: Exclude URLs containing log-collector or siem-server in the URL field, or use a custom list of internal log aggregation tools.
- Scenario: A DevOps pipeline (e.g., Jenkins or GitHub Actions) is configured to pull a dependency from a package registry (e.g., npm, PyPI) that is flagged as c2-monitor-auto due to a false positive in URLhaus.
  - Filter/Exclusion: Exclude URLs that match known package registry domains (e.g., npmjs.org, pypi.org) or use a whitelist of trusted package sources.
- Scenario: A remote management tool like Microsoft Intune or Microsoft Endpoint Manager is configured to push policy updates via a URL that is incorrectly tagged as c2-monitor-auto.
  - Filter/Exclusion: Exclude URLs containing intune.microsoft.com or endpoint.microsoft.com in the URL field.
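The following is an added Python example (not part of this page or of URLhaus/Sentinel) that shows, outside KQL, what the two hunting queries and the exclusion scenarios above do together: it refangs the IOC URLs from the table into indicator hosts, evaluates constructed DnsEvents and CommonSecurityLog records on the same columns the queries use, and applies the exclusions to the parsed hostname (exact or parent-domain match) rather than as substrings of the whole URL, so an allowlisted string appearing in a path cannot suppress a hit. The record shapes, the `internal.company.com` regex and the sample records are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit
# Indicators exactly as listed in the IOC table above (defanged hxxp:// form).
IOC_URLS = [
    "hxxp://91.92.242.236/files-129312398/files/file_27c474da366340b6.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_5c45918e867514f4.exe",
]
# Exclusions from the false-positive scenarios, matched against the parsed
# hostname (exact or parent domain), never as substrings of the whole URL.
ALLOWLIST = ("update.microsoft.com", "windowsupdate.com", "npmjs.org", "pypi.org",
             "intune.microsoft.com", "endpoint.microsoft.com")
INTERNAL_RE = re.compile(r"(^|\.)internal\.company\.com$")  # assumed internal-domain pattern
def refang(url):
    """Turn a defanged hxxp[:]// indicator back into a parseable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".").replace("[:]", ":")
def host_of(value):
    """Lower-cased host of a URL or of a bare hostname/IP; None if unparseable."""
    if "://" not in value:
        value = "//" + value  # urlsplit only recognises a netloc after '//'
    return (urlsplit(value).hostname or "").lower() or None
def indicator_hosts(urls):
    """Hosts (IPs or domains) to hunt for, derived from the IOC URL list."""
    return {host_of(refang(u)) for u in urls}
def is_allowlisted(host):
    return bool(host) and (bool(INTERNAL_RE.search(host)) or
                           any(host == s or host.endswith("." + s) for s in ALLOWLIST))

def hunt(records, iocs):
    """Records whose DNS name or web destination is an indicator and not excluded
    (same columns as the KQL: DnsEvents.Name, CommonSecurityLog.RequestURL/DestinationHostName)."""
    hits = []
    for r in records:
        cols = ("Name",) if r["table"] == "DnsEvents" else ("RequestURL", "DestinationHostName")
        hosts = {host_of(r[c]) for c in cols if r.get(c)}
        if hosts & iocs and not any(is_allowlisted(h) for h in hosts):
            hits.append(r)
    return hits

# Constructed sample records (not real telemetry).
SAMPLE = [
    {"table": "DnsEvents", "Computer": "ws01", "Name": "91.92.242.236"},
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.5", "DestinationHostName": "91.92.242.236",
     "RequestURL": "http://91.92.242.236/files-129312398/files/file_27c474da366340b6.exe"},
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.6", "DestinationHostName": "update.microsoft.com",
     "RequestURL": "http://update.microsoft.com/download/x.cab"},  # scenario 1: excluded, no hit
    {"table": "CommonSecurityLog", "SourceIP": "10.0.0.7", "DestinationHostName": "91.92.242.236",
     "RequestURL": "http://91.92.242.236/update.microsoft.com/x.exe"},  # still a hit: the host decides
]
```

Calling `hunt(SAMPLE, indicator_hosts(IOC_URLS))` returns the DNS record and the two web records whose destination host is the indicator; the third record is left out because its host, not merely its URL text, is allowlisted.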