Hypothesis: the URLs below were published to URLhaus under the c2-monitor-auto tag. The tag is applied by the submitter (its name suggests an automated feed that monitors command-and-control infrastructure); it is URLhaus metadata, not a technique adversaries use to evade detection. All eight entries are classified malware_download, so the listed hosts are best treated as payload staging and distribution servers for the monitored C2 family rather than as C2 servers themselves. SOC teams should hunt for DNS resolution of, and web traffic to, these hosts in Microsoft Sentinel (formerly Azure Sentinel) to find endpoints that fetched a payload before the intrusion progresses further. Note that the three URLs marked online were reachable when the report was generated; the offline entries are still worth hunting historically, since a host that downloaded one earlier may already be compromised.
IOC Summary

Threat tag: c2-monitor-auto
Total URLs: 8
Active (online) URLs: 3
| URL (defanged) | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://165.231.215.21/install.exe | online | malware_download | 2026-05-23 |
| hxxps://tmpfiles.org/dl/wuwKgKCHFcSO/49.exe | online | malware_download | 2026-05-23 |
| hxxp://91.92.242.236/files-129312398/files/file_7d9b4f2278093dda.exe | online | malware_download | 2026-05-23 |
| hxxp://62.60.226.140/files/7453936223/4BtqZz1.exe | offline | malware_download | 2026-05-23 |
| hxxp://91.92.242.236/files-129312398/files/file_203deff4b651a421.exe | offline | malware_download | 2026-05-23 |
| hxxp://91.92.242.236/files-129312398/files/file_a02dac0bee89fdba.exe | offline | malware_download | 2026-05-23 |
| hxxp://91.92.242.236/files-129312398/files/file_2e74ff26f42e77fb.exe | offline | malware_download | 2026-05-23 |
| hxxp://91.92.242.236/files-129312398/files/file_e1c960b1c3f65886.exe | offline | malware_download | 2026-05-23 |
Two points about the indicators before running the queries. First, only tmpfiles.org is a domain name; the other three hosts are bare IPs and will never appear as a DNS query name, so they have to be matched against the resolved addresses and against the destination IP in proxy or firewall logs. Second, tmpfiles.org is a public file-sharing service, so matching on the host alone would flag every user of the service; it is matched on the full listed URL instead. The queries also include 62.60.226.140, which is in the IOC table even though its URL is now offline. Run each query separately.

```kusto
// Hunt for DNS resolution of URLhaus-listed hosts
// Threat: c2-monitor-auto
// tmpfiles.org is the only domain; the bare IPs are matched against the resolved addresses.
let malicious_domains = dynamic(["tmpfiles.org"]);
let malicious_ips = dynamic(["91.92.242.236", "165.231.215.21", "62.60.226.140"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus-listed hosts and URLs
// Threat: c2-monitor-auto
// The shared-hosting entry is matched on the full listed URL, not the host.
let malicious_ips = dynamic(["91.92.242.236", "165.231.215.21", "62.60.226.140"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or RequestURL contains "tmpfiles.org/dl/wuwKgKCHFcSO/49.exe"
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction, DeviceVendor
| order by TimeGenerated desc
```

Any hit on the DNS query should be pivoted to the web-traffic query (and to process creation events on the resolving host) to confirm whether the .exe was actually fetched; a DNS lookup alone may come from a security tool or sandbox.
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by CEF-forwarding proxies and firewalls; ensure the connector is enabled and that your proxy actually sends RequestURL, otherwise only the destination IP match will work |
| DnsEvents | Populated by the DNS Analytics / Windows DNS server connector; ensure it is enabled on the DNS servers your endpoints use |
False-positive scenarios. In every case the exclusion should be keyed on the identity of the source and destination (exact hostname, IP address, or a confirmed source/destination pair), never on keywords in the URL path: a filter such as url contains "update" also suppresses a payload the attacker has simply named update.exe. None of the hosts in this report is a vendor update server, a log collector, or an artifact repository, so a match on these particular indicators should be investigated before any exclusion is added.

Scenario: Scheduled System Update Job
Description: A legitimate scheduled job runs a system update whose download URL matches a URLhaus listing, for example because a vendor CDN host was abused and listed.
Filter/Exclusion: Exclude only the known update hosts by exact hostname (e.g., *.update.microsoft.com, *.download.nvidia.com); do not exclude on "update" appearing in the path.

Scenario: Admin Task - Log Collection via Remote Server
Description: An admin collects logs from multiple endpoints through a remote server whose IP has been listed by URLhaus.
Filter/Exclusion: First confirm the server is organization-owned and find out why it was listed, since a listed internal host may itself be compromised. Then exclude by the server's IP address and the internal source ranges used for log collection, not by path keywords such as log-collector or logs.

Scenario: Automated Patch Deployment via SCCM
Description: A System Center Configuration Manager (SCCM) task deploys patches and fetches the update package from a URLhaus-listed URL.
Filter/Exclusion: Exclude the specific pair of SCCM distribution point IP and the destination host it is approved to pull from; do not exclude on patch or update in the path.

Scenario: Internal Monitoring Tool Reporting
Description: An internal monitoring tool (e.g., Splunk, Datadog) sends data to a central server, and the reporting URL is flagged as malicious.
Filter/Exclusion: Exclude the tool's documented ingestion endpoints by exact hostname, not generic path keywords such as reporting, metrics, or logs.

Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) downloads a build artifact from a URL that is mistakenly listed in URLhaus.
Filter/Exclusion: Report the entry to URLhaus as a false positive and exclude the artifact repository by exact hostname rather than path keywords such as ci, cd, or artifact, or filter by the
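The host-versus-URL matching distinction from the hunting queries and the identity-based exclusions from the false-positive scenarios, carried through as an added Python example that is not part of the original report. The indicators are the eight URLs from the IOC table; the proxy records, the SCCM server address 10.0.5.20, the approved source/destination pair, and the hostname update.internal.test are constructed for illustration.

```python
"""Added example (not from the original report): match the report's URLhaus
IOCs against proxy records and apply identity-based exclusions.

Constructed for illustration: SAMPLE_RECORDS, the SCCM server 10.0.5.20,
the APPROVED_FLOWS pair, and the hostname update.internal.test."""
import re
from urllib.parse import urlsplit

# The eight URLs from the IOC table, defanged exactly as published.
IOCS = [
    "hxxp://165.231.215.21/install.exe",
    "hxxps://tmpfiles.org/dl/wuwKgKCHFcSO/49.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_7d9b4f2278093dda.exe",
    "hxxp://62.60.226.140/files/7453936223/4BtqZz1.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_203deff4b651a421.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_a02dac0bee89fdba.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_2e74ff26f42e77fb.exe",
    "hxxp://91.92.242.236/files-129312398/files/file_e1c960b1c3f65886.exe",
]

# Public file-sharing services: the listed URL is malicious, the host is not,
# so these are matched on host+path instead of host alone.
SHARED_HOSTS = {"tmpfiles.org"}

# Hypothetical exclusion list keyed on (source IP, destination host): an SCCM
# distribution point that an analyst has confirmed legitimately pulls from the
# listed host. Keyed on identity rather than path keywords, so a payload
# named update.exe does not get a free pass.
APPROVED_FLOWS = {("10.0.5.20", "62.60.226.140")}


def refang(url: str) -> str:
    """Turn hxxp:// and hxxps:// back into a scheme urlsplit understands."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def build_indicators(iocs):
    """Split IOCs into hosts matched alone and (host, path) pairs matched exactly."""
    hosts, exact = set(), set()
    for ioc in iocs:
        parts = urlsplit(refang(ioc))
        host = (parts.hostname or "").lower()
        if host in SHARED_HOSTS:
            exact.add((host, parts.path))
        else:
            hosts.add(host)
    return hosts, exact


def classify(record, hosts, exact):
    """Return 'approved', 'ioc_host', 'ioc_url' or None for one proxy record.

    record keys: src_ip, url, and optionally dst_ip (the address the proxy
    actually connected to, which catches a benign-looking name that resolved
    to a listed IP)."""
    parts = urlsplit(refang(record["url"]))
    host = (parts.hostname or "").lower()
    if (record["src_ip"], host) in APPROVED_FLOWS:
        return "approved"
    if host in hosts or record.get("dst_ip") in hosts:
        return "ioc_host"
    if (host, parts.path) in exact:
        return "ioc_url"
    return None


def hunt(records, iocs=IOCS):
    """Return (src_ip, url, verdict) for every record that matches an IOC."""
    hosts, exact = build_indicators(iocs)
    hits = []
    for record in records:
        verdict = classify(record, hosts, exact)
        if verdict in ("ioc_host", "ioc_url"):
            hits.append((record["src_ip"], record["url"], verdict))
    return hits


# Constructed proxy records, not real telemetry.
SAMPLE_RECORDS = [
    # Unlisted filename on a listed attacker IP: the host match still fires.
    {"src_ip": "10.0.1.15",
     "url": "http://91.92.242.236/files-129312398/files/file_0000000000000000.exe"},
    # Exact listed URL on a shared service: the URL match fires.
    {"src_ip": "10.0.1.22", "url": "https://tmpfiles.org/dl/wuwKgKCHFcSO/49.exe"},
    # Unrelated file on the same shared service: must not fire.
    {"src_ip": "10.0.1.22", "url": "https://tmpfiles.org/dl/abc123/quarterly.pdf"},
    # Confirmed SCCM flow present in APPROVED_FLOWS: suppressed.
    {"src_ip": "10.0.5.20", "url": "http://62.60.226.140/files/7453936223/4BtqZz1.exe"},
    # Path says "update" but the name resolved to a listed IP: dst_ip fires,
    # where a 'url contains "update"' exclusion would have hidden it.
    {"src_ip": "10.0.1.40", "url": "http://update.internal.test/update.exe",
     "dst_ip": "165.231.215.21"},
]

if __name__ == "__main__":
    for src, url, verdict in hunt(SAMPLE_RECORDS):
        print(f"{verdict:9s} {src:12s} {url}")
```

Running the block prints three hits: the new filename on 91.92.242.236, the exact tmpfiles.org URL, and the update.internal.test request whose destination resolved to 165.231.215.21. The benign tmpfiles.org download and the approved SCCM flow are not reported. In Sentinel the same split is expressed by the two queries above; this script is the offline equivalent for a one-off review of exported proxy logs.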