The detection identifies potential adversary activity involving three malicious URLs associated with the URLhaus tag d52f85, all served from the single IP address 62.60.226.140 and classified as malware downloads, which are likely used for initial compromise or command and control. All three URLs are currently offline, so the hunt is retrospective: SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they lead to deeper network infiltration.
IOC Summary
Threat: d52f85 | Total URLs: 3 | Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://62.60.226.140/files/8611510537/5SwXPdA.exe | offline | malware_download | 2026-06-06 |
| hxxp://62.60.226.140/files/5279938618/uGnRvhC.exe | offline | malware_download | 2026-06-06 |
| hxxp://62.60.226.140/files/7782139129/TYolMs8.exe | offline | malware_download | 2026-06-06 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: d52f85
// The only indicator is an IP literal: a client fetching the URL directly performs no DNS lookup,
// so the Name column alone will rarely match. Checking the resolved-address column (IPAddresses)
// also catches any domain that resolves to the same server.
let malicious_domains = dynamic(["62.60.226.140"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// DestinationIP is included because the indicator is an IP literal, not a hostname.
let malicious_domains = dynamic(["62.60.226.140"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL filtering tool by visiting a known benign URL that matches the pattern of the malicious URLs in the rule.
Filter/Exclusion: Exclude URLs that match the internal testing domain (e.g., http://test-url-filtering.example.com/*) using a custom URL filter in the SIEM or EDR platform.
Scenario: A scheduled job runs a script that downloads a software update from a legitimate internal repository, which happens to have a URL structure similar to the malicious URLs in the rule.
Filter/Exclusion: Exclude URLs that contain the internal repository domain (e.g., https://artifactory.internalcorp.com/*) using a regex-based exclusion in the detection rule.
Scenario: A user is performing a security training exercise where they are instructed to visit a mock phishing URL that is flagged by the rule due to its similarity to known malicious URLs.
Filter/Exclusion: Exclude URLs that include the training domain (e.g., https://phishing-training.example.org/*) using a custom filter in the endpoint detection and response (EDR) tool.
Scenario: A DevOps team is deploying a new application using a CI/CD pipeline that generates temporary URLs for artifact downloads, which are flagged by the rule due to their format.
Filter/Exclusion: Exclude URLs that contain the CI/CD pipeline domain (e.g., https://ci-cd.pipeline.example.com/*) using a regex-based exclusion in the SIEM or EDR system.
Scenario: A system is running a legitimate tool like wget or curl to fetch a configuration file from a public CDN, which has a URL structure that matches the malicious URLs in the rule.
Filter/Exclusion: Exclude URLs that are sourced from known public CDNs (e.g., https://cdn.example.com/*) using a custom URL
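The two KQL hunts above and the false-positive exclusions from the scenarios, carried out offline in Python as an added example (not code from the original page or from URLhaus). It assumes a simple whitespace-separated proxy log, constructed here for the demonstration; the exclusion domains are the page's own examples; and the `/files/<10 digits>/<7 alphanumerics>.exe` path regex is my generalisation of the three IOC URLs, which is the "similar URL structure" the scenarios warn will trigger the rule on benign traffic. Hits are tiered so an analyst can see why a line fired: exact IOC URL, same server as the IOCs, or path shape only.

```python
import re
from urllib.parse import urlparse

# Indicators from the IOC table above, defanged (hxxp://) as URLhaus publishes them.
IOC_URLS = [
    "hxxp://62.60.226.140/files/8611510537/5SwXPdA.exe",
    "hxxp://62.60.226.140/files/5279938618/uGnRvhC.exe",
    "hxxp://62.60.226.140/files/7782139129/TYolMs8.exe",
]

# Path shape shared by the three IOC URLs: /files/<10 digits>/<7 alphanumerics>.exe
# (assumption: derived from the page's URLs, not a URLhaus-published pattern).
PATH_PATTERN = re.compile(r"^/files/\d{10}/[a-z0-9]{7}\.exe$")

# Exclusions taken from the false-positive scenarios (the page's example domains).
EXCLUSIONS = [re.compile(p, re.IGNORECASE) for p in (
    r"^https?://test-url-filtering\.example\.com/",
    r"^https?://artifactory\.internalcorp\.com/",
    r"^https?://phishing-training\.example\.org/",
    r"^https?://ci-cd\.pipeline\.example\.com/",
    r"^https?://cdn\.example\.com/",
)]

# Constructed proxy log lines (not real telemetry): time, source IP, destination host, URL, action.
SAMPLE_LOG = """\
2026-06-06T10:01:00Z 10.0.0.5  62.60.226.140          http://62.60.226.140/files/8611510537/5SwXPdA.exe allowed
2026-06-06T10:02:00Z 10.0.0.7  62.60.226.140          http://62.60.226.140/files/1111111111/abc1234.exe blocked
2026-06-06T10:03:00Z 10.0.0.9  cdn.example.com        https://cdn.example.com/files/8611510537/5SwXPdA.exe allowed
2026-06-06T10:04:00Z 10.0.0.11 www.example.net        https://www.example.net/index.html allowed
2026-06-06T10:05:00Z 10.0.0.12 updates.vendor.example https://updates.vendor.example/files/1234567890/abcdefg.exe allowed
"""


def refang(url):
    """Turn a URLhaus-style hxxp:// URL back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def load_indicators(ioc_urls):
    """Split the IOC list into exact URLs and the set of hosts/IPs that serve them."""
    exact = {refang(u).lower() for u in ioc_urls}
    hosts = {urlparse(u).hostname for u in exact}
    return exact, hosts


def is_excluded(url):
    """True when the URL falls under one of the documented benign-source exclusions."""
    return any(p.match(url) for p in EXCLUSIONS)


def classify(url, exact, hosts):
    """Return the strongest match tier for a URL, or None if it is not interesting."""
    u = url.lower()
    if u in exact:
        return "exact_url"
    parsed = urlparse(u)
    if parsed.hostname in hosts:
        return "ioc_host"      # same server, different path: still worth a look
    if PATH_PATTERN.match(parsed.path):
        return "path_pattern"  # lowest confidence; this tier is where the FP scenarios bite
    return None


def hunt(log_text):
    """Scan proxy log lines and return the hits, newest-first like the KQL queries."""
    exact, hosts = load_indicators(IOC_URLS)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, url, action = line.split()
        if is_excluded(url):
            continue  # documented benign source, drop before matching
        match = classify(url, exact, hosts)
        if match:
            hits.append({"time": ts, "src": src, "dest": dest,
                         "url": url, "action": action, "match": match})
    return sorted(hits, key=lambda h: h["time"], reverse=True)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["src"]:<10} {hit["match"]:<13} {hit["action"]:<8} {hit["url"]}')
```

The `ioc_host` tier is the reason to keep the IP in the hunt even though all three known URLs are offline: the same server can serve fresh paths, and a line that only shares the path shape (`path_pattern`) should be triaged rather than acted on, which is exactly the traffic the exclusion list is meant to clear.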