The detection identifies potential command and control (C2) activity by monitoring URLs tagged as c2-monitor-auto, which are known to be associated with malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary access and exfiltration attempts.
IOC Summary

Threat: c2-monitor-auto. Total URLs: 3. Active URLs: 0 (all three indicators below were offline at the time of listing; the URLs are defanged with hxxp://).

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://91.92.242.236/files-129312398/files/file_8efd35a538a54dd8.exe | offline | malware_download | 2026-06-02 |
| hxxp://91.92.242.236/files-129312398/files/file_54ac4f87020903c8.exe | offline | malware_download | 2026-06-02 |
| hxxp://91.92.242.236/files-129312398/files/file_2d1724942d84955b.exe | offline | malware_download | 2026-06-02 |
```kusto
// Hunt for DNS resolution involving URLhaus indicators
// Threat: c2-monitor-auto
// The indicator here is a bare IP, so it will not appear as a queried Name;
// also match the resolved IPAddresses column so the hunt can actually hit.
let malicious_domains = dynamic(["91.92.242.236"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus indicators
// Threat: c2-monitor-auto
let malicious_domains = dynamic(["91.92.242.236"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Update Job | A legitimate scheduled job runs a system update that downloads from a URLhaus-listed URL as part of a patching process. | Exclude URLs matching update.microsoft.com or patch.example.com (replace with the actual update servers used in the environment). |
| Admin Task for Log Collection | An admin task is configured to collect logs from remote servers using a URLhaus-listed URL for log aggregation. | Exclude URLs containing log-collector.example.com or logs.central.example.com (replace with the actual log collection endpoints). |
| CI/CD Pipeline Artifact Download | A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a build artifact from a URL tagged as malicious by URLhaus, but it is part of a trusted artifact repository. | Exclude URLs containing artifactory.example.com or nexus.example.com (replace with the actual artifact repositories used in the environment). |
| Cloud Provider Configuration Sync | A cloud provider (e.g., AWS, Azure) syncs configuration files using a URLhaus-listed URL for configuration management. | Exclude URLs containing config.aws.com or config.azure.com (replace with the actual cloud configuration endpoints). |
| Internal Monitoring Tool Data Fetch | An internal monitoring tool (e.g., Prometheus, Grafana) fetches metrics from a URL tagged as malicious by URLhaus, but it is a legitimate internal endpoint. | Exclude URLs containing metrics.internal.example.com or monitoring.example.com (replace with the actual internal monitoring endpoints). |
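The following Python script is an added example, not part of the original page or of URLhaus/Sentinel tooling. It shows the two pieces of work behind the queries and the false-positive table above: turning the defanged IOC rows into the `dynamic([...])` indicator list the KQL expects, and applying the documented exclusion hosts (placeholders, to be replaced with real endpoints) to proxy records shaped like CommonSecurityLog. The records are constructed; the third one (indicator in the URL, destination on the artifact-repository allowlist) is constructed purely to show the exclusion suppressing a hit.

```python
"""Build the KQL indicator list from URLhaus-style IOC rows and apply the
page's false-positive exclusions to sample proxy records.
Added example; all records below are constructed."""
import json
import re
from urllib.parse import urlsplit

# IOC rows as published in the table above (defanged with hxxp://).
IOC_ROWS = [
    ("hxxp://91.92.242.236/files-129312398/files/file_8efd35a538a54dd8.exe",
     "offline", "malware_download", "2026-06-02"),
    ("hxxp://91.92.242.236/files-129312398/files/file_54ac4f87020903c8.exe",
     "offline", "malware_download", "2026-06-02"),
    ("hxxp://91.92.242.236/files-129312398/files/file_2d1724942d84955b.exe",
     "offline", "malware_download", "2026-06-02"),
]

# Hosts named by the false-positive scenarios. These are placeholders from the
# page; replace them with the real update/log/artifact/config/monitoring hosts.
EXCLUDED_HOSTS = {
    "update.microsoft.com", "patch.example.com",
    "log-collector.example.com", "logs.central.example.com",
    "artifactory.example.com", "nexus.example.com",
    "config.aws.com", "config.azure.com",
    "metrics.internal.example.com", "monitoring.example.com",
}

# Constructed records in CommonSecurityLog shape (not real telemetry).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-06-02T09:12:00Z", "SourceIP": "10.0.0.9",
     "RequestURL": "https://update.microsoft.com/v1/catalog",
     "DestinationHostName": "update.microsoft.com", "DeviceAction": "allowed"},
    {"TimeGenerated": "2026-06-02T10:15:00Z", "SourceIP": "10.0.0.5",
     "RequestURL": "http://91.92.242.236/files-129312398/files/file_8efd35a538a54dd8.exe",
     "DestinationHostName": "91.92.242.236", "DeviceAction": "allowed"},
    # Constructed: indicator present in the URL, but the destination is an
    # allow-listed artifact repository, so the exclusion suppresses it.
    {"TimeGenerated": "2026-06-02T11:40:00Z", "SourceIP": "10.0.0.12",
     "RequestURL": "http://91.92.242.236/mirror/lib.jar",
     "DestinationHostName": "artifactory.example.com", "DeviceAction": "allowed"},
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :)."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def ioc_hosts(rows) -> set:
    """Distinct hosts (domain or IP) taken from the IOC URLs."""
    return {urlsplit(refang(row[0])).hostname for row in rows}


def kql_dynamic(hosts) -> str:
    """Render hosts as the dynamic([...]) literal used by the KQL queries."""
    return "dynamic([" + ", ".join(json.dumps(h) for h in sorted(hosts)) + "])"


def is_excluded(host: str) -> bool:
    """Suffix match, so sub.artifactory.example.com is excluded too."""
    host = (host or "").lower()
    return any(host == ex or host.endswith("." + ex) for ex in EXCLUDED_HOSTS)


def hunt(records, hosts):
    """Mirror the CommonSecurityLog query: indicator anywhere in RequestURL
    (like has_any) or equal to DestinationHostName, minus excluded hosts."""
    hits = []
    for rec in records:
        url_host = urlsplit(rec["RequestURL"]).hostname or ""
        matched = (any(h in rec["RequestURL"] for h in hosts)
                   or rec["DestinationHostName"] in hosts)
        if not matched:
            continue
        if is_excluded(rec["DestinationHostName"]) or is_excluded(url_host):
            continue  # documented false-positive scenario
        hits.append(rec)
    # Same ordering as the KQL: newest first.
    return sorted(hits, key=lambda r: r["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    hosts = ioc_hosts(IOC_ROWS)
    print("let malicious_domains = " + kql_dynamic(hosts) + ";")
    for rec in hunt(SAMPLE_RECORDS, hosts):
        print(rec["TimeGenerated"], rec["SourceIP"], rec["RequestURL"])
```

Run it and the first line printed is the exact `let` statement used in both queries; only the 10.0.0.5 record survives the hunt, since the update-server record never matches the indicator and the artifact-repository record is suppressed by the exclusion. Keep the exclusion list narrow: a suffix match on `example.com` alone would silence every internal host.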