The detection identifies potential command and control (C2) activity by monitoring URLs tagged as c2-monitor-auto, which are associated with known malicious infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary access and exfiltration attempts.
IOC Summary
Threat: c2-monitor-auto | Total URLs: 3 | Active URLs: 1

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://cdn.discordapp.com/attachments/1468318468066640095/1508156566145073306/porno.exe?ex=6a1483c1&is=6a133241&hm=2404f64778201a5dbd5a5c88603594bbed4f5b5768daf7fe4cc3073b2545f81a& | online | malware_download | 2026-05-25 |
| hxxp://91.92.242.236/files-129312398/files/file_96624d70aef25b2e.exe | offline | malware_download | 2026-05-25 |
| hxxp://91.92.242.236/files-129312398/files/file_aa3f5de9b1a43312.exe | offline | malware_download | 2026-05-25 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: c2-monitor-auto
// Note: cdn.discordapp.com is shared, legitimate infrastructure, so a hit here is
// low fidelity on its own; pivot on ClientIP to the web-traffic query to check the full URL.
let malicious_domains = dynamic(["cdn.discordapp.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains, IPs and URL paths
// Threat: c2-monitor-auto
let malicious_domains = dynamic(["cdn.discordapp.com"]);
let malicious_ips = dynamic(["91.92.242.236"]);  // bare-IP hosts from the IOC table never appear in DnsEvents
// cdn.discordapp.com is shared infrastructure; the attachment path is the discriminating indicator
let malicious_paths = dynamic(["/attachments/1468318468066640095/1508156566145073306/"]);
CommonSecurityLog
| where RequestURL has_any (malicious_paths) or DestinationIP in (malicious_ips) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
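The IOC table above mixes a shared CDN hostname with bare-IP hosts, and the hunt queries only cover the hostname. The following added helper (not part of the original page or the URLhaus project) refangs the defanged rows, splits them into domains, IPs and discriminating URL paths, and renders the KQL `let` lists the queries consume; the `SHARED_HOSTS` set is an assumption the analyst maintains.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample input: the three defanged rows from the IOC table above.
DEFANGED_IOCS = [
    "hxxps://cdn.discordapp.com/attachments/1468318468066640095/1508156566145073306/porno.exe?ex=6a1483c1&is=6a133241&hm=2404f64778201a5dbd5a5c88603594bbed4f5b5768daf7fe4cc3073b2545f81a&",
    "hxxp://91.92.242.236/files-129312398/files/file_96624d70aef25b2e.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_aa3f5de9b1a43312.exe",
]

# Assumed analyst-maintained list of legitimate shared hosts where the host
# alone is too noisy to hunt on and the URL path is the real indicator.
SHARED_HOSTS = {"cdn.discordapp.com"}


def refang(url):
    """Restore the http/https scheme from the defanged hxxp/hxxps form."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def classify(urls):
    """Split IOC URLs into (domains, ips, paths) for the DNS and web hunts.

    Domains feed the DnsEvents query; IPs only ever show up as DestinationIP
    in proxy/firewall logs; paths narrow shared hosts down to the bad object.
    """
    domains, ips, paths = set(), set(), set()
    for url in urls:
        parts = urlsplit(refang(url))
        host = parts.hostname or ""
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
            if host in SHARED_HOSTS:
                paths.add(parts.path)
    return sorted(domains), sorted(ips), sorted(paths)


def kql_let(name, values):
    """Render one KQL let statement holding a dynamic string array."""
    quoted = ", ".join('"%s"' % v for v in values)
    return "let %s = dynamic([%s]);" % (name, quoted)


def build_hunt_lets(urls):
    """Emit the three let statements used by the hunting queries."""
    domains, ips, paths = classify(urls)
    return "\n".join([kql_let("malicious_domains", domains),
                      kql_let("malicious_ips", ips),
                      kql_let("malicious_paths", paths)])
```

Paste the output of `build_hunt_lets(DEFANGED_IOCS)` at the top of either query and match `RequestURL` against `malicious_paths` rather than the bare domain to keep ordinary Discord CDN traffic out of the results.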
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new endpoint detection and response (EDR) tool by uploading a known benign URL for validation purposes.
Filter/Exclusion: Exclude URLs that match the internal testing environment or known benign test URLs used during tool validation.
Scenario: A scheduled job for log collection is configured to download configuration files from a secure internal URL tagged with c2-monitor-auto for centralized logging.
Filter/Exclusion: Exclude URLs that belong to internal log collection services or are whitelisted in the enterprise’s URL filtering policy.
Scenario: A DevOps pipeline is using a CI/CD tool like Jenkins to fetch dependencies from a private artifact repository, which is mistakenly tagged with c2-monitor-auto in the URLhaus database.
Filter/Exclusion: Exclude URLs that are part of the organization’s internal CI/CD infrastructure or match known internal artifact repository endpoints.
Scenario: An IT admin is performing a system cleanup and is using a script to remove old logs, which temporarily generates a URL to a local log storage system tagged as c2-monitor-auto.
Filter/Exclusion: Exclude URLs that originate from internal log management systems or are associated with administrative cleanup tasks.
Scenario: A security tool like CrowdStrike Falcon or Microsoft Defender is performing a scheduled update that pulls payloads from a secure internal server, which is incorrectly tagged with c2-monitor-auto.
Filter/Exclusion: Exclude URLs that are part of the enterprise’s internal security tool update infrastructure or match known internal update server endpoints.