The detection identifies potential adversary activity involving known malicious URLs sourced from Censys, which could be used for phishing, credential theft, or initial compromise. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage attacks before they lead to data exfiltration or system compromise.
IOC Summary
Threat: censys
Total URLs: 12
Active URLs: 12
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.13.186.32/bins/xnxnxnxnxnxnxnxnpowerpcxnxn | online | malware_download | 2026-06-11 |
| hxxp://45.13.186.32/bins/xnxnxnxnxnxnxnxni386xnxn | online | malware_download | 2026-06-11 |
| hxxp://45.13.186.32/bins/xnxnxnxnxnxnxnxnsh4xnxn | online | malware_download | 2026-06-11 |
| hxxp://45.13.186.32/bins/xnxnxnxnxnxnxnxnmipsxnxn | online | malware_download | 2026-06-11 |
| hxxp://45.13.186.32/bins/xnxnxnxnxnxnxnxnriscv64xnxn | online | malware_download | 2026-06-11 |
| hxxp://45.13.186.32/bins/xnxnxnxnxnxnxnxnm68kxnxn | online | malware_download | 2026-06-11 |
| hxxp://45.13.186.32/bins/xnxnxnxnxnxnxnxnarmxnxn | online | malware_download | 2026-06-11 |
| hxxp://45.137.198.245/all.sh | online | malware_download | 2026-06-11 |
| hxxp://45.13.186.32/bins/xnxnxnxnxnxnxnxnx86_64xnxn | online | malware_download | 2026-06-11 |
| hxxp://45.13.186.32/bins/xnxnxnxnxnxnxnxnaarch64xnxn | online | malware_download | 2026-06-11 |
| hxxp://45.137.198.245/huhu/titanjr.x86_64 | online | malware_download | 2026-06-11 |
| hxxp://45.137.198.245/huhu/titanjr.arm7 | online | malware_download | 2026-06-11 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: censys
let malicious_domains = dynamic(["45.13.186.32", "45.137.198.245"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["45.13.186.32", "45.137.198.245"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
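The two queries above hunt on the host part of each IOC, not on the full URL. The following Python script is an added example, not part of this detection page: it parses a defanged excerpt of the IOC table, derives the deduplicated host list that the KQL `let malicious_domains` line carries, renders that line, and then runs the same matching logic over constructed DnsEvents and CommonSecurityLog rows. The sample telemetry, host names and internal addresses are constructed for the example. One practical caveat it makes visible: every indicator in this feed is an IP literal, so a client fetching one of these binaries performs no DNS lookup for it, and the DnsEvents hunt will only fire if an IP string somehow appears in a query name; the web-traffic hunt is the one that catches these downloads.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the IOC table above, kept in its defanged (hxxp://) form.
IOC_TABLE = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.13.186.32/bins/xnxnxnxnxnxnxnxnpowerpcxnxn | online | malware_download | 2026-06-11 |
| hxxp://45.13.186.32/bins/xnxnxnxnxnxnxnxnarmxnxn | online | malware_download | 2026-06-11 |
| hxxp://45.137.198.245/all.sh | online | malware_download | 2026-06-11 |
| hxxp://45.137.198.245/huhu/titanjr.x86_64 | online | malware_download | 2026-06-11 |
"""


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) so the URL parses."""
    url = url.strip()
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_ioc_table(table: str) -> list[dict]:
    """Return one dict per data row of a markdown IOC table; header and rule lines are skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].lower().startswith(("hxxp", "http")):
            continue
        rows.append({"url": refang(cells[0]), "status": cells[1],
                     "threat": cells[2], "date_added": cells[3]})
    return rows


def indicator_hosts(rows: list[dict]) -> list[str]:
    """Deduplicated host part of each URL in first-seen order; this is what the KQL `let` carries."""
    hosts: list[str] = []
    for row in rows:
        host = urlsplit(row["url"]).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def kql_let(hosts: list[str]) -> str:
    """Render the `let malicious_domains = dynamic([...]);` line used by both hunt queries."""
    return "let malicious_domains = dynamic([" + ", ".join(f'"{h}"' for h in hosts) + "]);"


def match_events(events: list[dict], hosts: list[str], fields: tuple[str, ...]) -> list[dict]:
    """Python stand-in for `| where <field> has_any (malicious_domains)` across several fields.
    KQL `has_any` matches whole terms; the substring test used here is a superset of that,
    so it can return more rows than the query would, never fewer."""
    return [ev for ev in events
            if any(host in str(ev.get(field, "")) for field in fields for host in hosts)]


# Constructed sample telemetry shaped like the columns the two queries project.
DNS_EVENTS = [
    {"TimeGenerated": "2026-06-11T08:00:12Z", "Computer": "ws-042",
     "Name": "www.example.com", "IPAddresses": "93.184.216.34"},
    {"TimeGenerated": "2026-06-11T08:00:40Z", "Computer": "ws-042",
     "Name": "updates.example.net", "IPAddresses": "203.0.113.10"},
]
WEB_EVENTS = [
    {"TimeGenerated": "2026-06-11T08:02:10Z", "SourceIP": "10.0.5.17",
     "RequestURL": "http://45.137.198.245/all.sh", "DestinationHostName": "45.137.198.245",
     "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-11T08:03:44Z", "SourceIP": "10.0.5.23",
     "RequestURL": "https://www.example.com/", "DestinationHostName": "www.example.com",
     "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-11T08:05:01Z", "SourceIP": "10.0.7.9",
     "RequestURL": "", "DestinationHostName": "45.13.186.32", "DeviceAction": "deny"},
]


def run_hunt() -> dict:
    """Build the indicator list from the table and apply both hunts to the sample rows."""
    hosts = indicator_hosts(parse_ioc_table(IOC_TABLE))
    return {
        "let": kql_let(hosts),
        "dns_hits": match_events(DNS_EVENTS, hosts, ("Name",)),
        "web_hits": match_events(WEB_EVENTS, hosts, ("RequestURL", "DestinationHostName")),
    }


if __name__ == "__main__":
    result = run_hunt()
    print(result["let"])
    print(f"DNS hits: {len(result['dns_hits'])}, web hits: {len(result['web_hits'])}")
    for hit in result["web_hits"]:
        print(hit["TimeGenerated"], hit["SourceIP"],
              hit["RequestURL"] or hit["DestinationHostName"], hit["DeviceAction"])
```

The web hunt returns both the allowed fetch of `all.sh` and the denied connection to `45.13.186.32`; a `DeviceAction` of `deny` still merits a look, because it tells you which host tried. The DNS hunt returns nothing for the sample rows, which is the expected result for IP-literal indicators rather than a sign the connector is broken.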
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new security tool by accessing a known benign URL from the Censys database for validation purposes.
Filter/Exclusion: Exclude URLs that match the Censys benign URL list or are tagged with a “test” or “validation” label in the URLhaus database.
Scenario: A scheduled job runs a script that fetches and processes public Censys data for compliance reporting, inadvertently triggering the rule.
Filter/Exclusion: Exclude URLs that are part of a known compliance or reporting tool (e.g., censys.io endpoints used by internal compliance systems) or add a process name filter for the job runner (e.g., compliance-reporting.sh).
Scenario: A developer is using a CI/CD pipeline to fetch and analyze Censys data for security research, which includes some URLs flagged as malicious by the rule.
Filter/Exclusion: Exclude URLs accessed by processes related to CI/CD tools like Jenkins, GitLab CI, or GitHub Actions, or add a user or group filter for the development team.
Scenario: A system is running a third-party security tool that periodically queries Censys for known malicious domains, causing the rule to trigger.
Filter/Exclusion: Exclude URLs that are part of the Censys API or known security tool integration endpoints (e.g., censys.io/api/v1), or add a process name filter for the security tool (e.g., censys-integration.exe).
Scenario: An internal tool is used to monitor and report on Censys data for internal threat intelligence, which includes some URLs flagged as malicious.
Filter/Exclusion: Exclude URLs that are part of the internal threat intelligence tool’s known good list or add a source IP filter for the internal monitoring system.
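The scenarios above all reduce to the same tuning pattern: keep the hunt broad, then suppress hits by source network, process name, URL prefix, or user, and record which exclusion fired so the suppression can be audited. The Python below is an added example of that triage step and is not part of this page; the exclusion lists, the `svc-cicd-runner` user, the `10.0.250.0/24` range and the sample hits are all constructed placeholders. Note that the process and user filters only work when the log source carries those fields; proxy rows in CommonSecurityLog typically give you only `SourceIP`, so a process-name exclusion needs endpoint telemetry joined in.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed tuning configuration; every value is a placeholder standing in for
# the lists a SOC would maintain, not an identifier taken from the page or a real tool.
EXCLUSIONS = {
    # source-IP filter for the internal monitoring / threat-intelligence system
    "source_networks": ["10.0.250.0/24"],
    # process-name filter for the compliance job runner and the security-tool integration
    "process_names": ["compliance-reporting.sh", "censys-integration.exe"],
    # URL prefixes for the Censys API and known integration endpoints
    "url_prefixes": ["https://censys.io/api/v1", "https://search.censys.io/api/"],
    # user filter for the CI/CD runner used by the development team
    "users": ["svc-cicd-runner"],
}


def exclusion_reason(hit: dict, exclusions: dict) -> Optional[str]:
    """Return the name of the first exclusion the hit satisfies, or None if it should stay."""
    src = hit.get("SourceIP")
    if src:
        try:
            addr = ip_address(src)
            if any(addr in ip_network(n) for n in exclusions["source_networks"]):
                return "source_network"
        except ValueError:
            pass  # malformed source IP: never exclude on something we cannot parse
    procs = {p.lower() for p in exclusions["process_names"]}
    if str(hit.get("ProcessName", "")).lower() in procs:
        return "process_name"
    if any(str(hit.get("RequestURL", "")).startswith(p) for p in exclusions["url_prefixes"]):
        return "url_prefix"
    if hit.get("User") in exclusions["users"]:
        return "user"
    return None


def triage(hits: list[dict], exclusions: dict) -> tuple[list[dict], list[dict]]:
    """Split raw hunt hits into (escalate, suppressed); suppressed hits keep the reason for audit."""
    escalate, suppressed = [], []
    for hit in hits:
        reason = exclusion_reason(hit, exclusions)
        if reason is None:
            escalate.append(hit)
        else:
            suppressed.append({**hit, "SuppressedBy": reason})
    return escalate, suppressed


# Constructed hits as the web-traffic hunt would return them, plus the ProcessName field
# an endpoint or proxy source would have to supply for the process filter to apply.
HITS = [
    {"TimeGenerated": "2026-06-11T08:02:10Z", "SourceIP": "10.0.5.17",
     "RequestURL": "http://45.137.198.245/all.sh", "DestinationHostName": "45.137.198.245",
     "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-11T08:10:00Z", "SourceIP": "10.0.250.8",
     "RequestURL": "http://45.13.186.32/bins/xnxnxnxnxnxnxnxnarmxnxn",
     "DestinationHostName": "45.13.186.32", "DeviceAction": "deny"},
    # a security tool looking the IOC up in Censys: the IP appears in the URL, so the hunt fires
    {"TimeGenerated": "2026-06-11T08:12:30Z", "SourceIP": "10.0.9.4",
     "RequestURL": "https://search.censys.io/api/v2/hosts/45.13.186.32",
     "DestinationHostName": "search.censys.io", "DeviceAction": "allow",
     "ProcessName": "censys-integration.exe"},
    # same host, but a plain download of the binary: this one must not be suppressed
    {"TimeGenerated": "2026-06-11T08:15:05Z", "SourceIP": "10.0.9.4",
     "RequestURL": "http://45.13.186.32/bins/xnxnxnxnxnxnxnxnmipsxnxn",
     "DestinationHostName": "45.13.186.32", "DeviceAction": "allow", "ProcessName": "curl"},
]


if __name__ == "__main__":
    escalate, suppressed = triage(HITS, EXCLUSIONS)
    for hit in escalate:
        print("ESCALATE ", hit["SourceIP"], hit["RequestURL"])
    for hit in suppressed:
        print("SUPPRESS ", hit["SourceIP"], hit["RequestURL"], "->", hit["SuppressedBy"])
```

The third and fourth hits come from the same workstation, and a host-level exclusion would have hidden the real download along with the tool's lookup; suppressing on process name instead keeps the `curl` fetch in the escalate list. Suppressed hits are retained with their reason rather than dropped, so a mis-tuned exclusion can be found later by querying `SuppressedBy`.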