The hypothesis is that the URLs listed below host malicious payloads delivered by the Phorpiex malware, so any internal host resolving or requesting them is a candidate for Phorpiex infection, command-and-control communication, or data exfiltration. SOC teams should proactively hunt for this activity in Azure Sentinel (Microsoft Sentinel) DNS and proxy/firewall telemetry to identify and contain Phorpiex-based attacks before they cause significant damage.
IOC Summary
Threat: dropped-by-Phorpiex
Total URLs: 2
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://130.12.180.190/15/a | online | malware_download | 2026-05-22 |
| hxxp://178.16.54.109/15.exe | online | malware_download | 2026-05-22 |
```kql
// Hunt for DNS activity involving the URLhaus indicators
// Threat: dropped-by-Phorpiex
// Note: the indicators are bare IPv4 addresses, so a hit on the query Name alone is
// unlikely; also match the resolved IPAddresses column to catch any hostname that
// resolves to one of the payload hosts.
let malicious_hosts = dynamic(["178.16.54.109", "130.12.180.190"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web (proxy/firewall) traffic to the URLhaus indicators
// Threat: dropped-by-Phorpiex
// DeviceAction shows whether the request was allowed or blocked; a blocked request
// still indicates a host that attempted to fetch the payload.
let malicious_hosts = dynamic(["178.16.54.109", "130.12.180.190"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector (CEF via AMA / Syslog) is enabled |
| DnsEvents | Ensure this data connector (Windows DNS Events via AMA) is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Phorpiex malware is used in a red team exercise to simulate a real-world attack. | Check the source IP against a list of internal red team IP ranges, or use a src_ip filter to exclude known red team infrastructure. |
| A legitimate system management tool (e.g., PowerShell or Task Scheduler) is used to execute a script that downloads a URL tagged as dropped-by-Phorpiex as part of a patching or configuration update. | Use a process_name filter to exclude known system management tools such as powershell.exe or schtasks.exe. |
| A scheduled job (e.g., SQL Server Agent Job) runs a script that downloads a file from a URL flagged by the rule as part of a data migration or backup process. | Use a process_name filter to exclude sqlservr.exe or sqlagent.exe, or check the command_line for known backup or migration tasks. |
| A security tool (e.g., CrowdStrike Falcon, Microsoft Defender ATP) is performing a test or update that involves downloading a URL flagged by the rule. | Use a process_name filter to exclude the security tool’s executable, or check the parent_process to identify known security tool processes. |
| An admin is manually testing a detection rule by triggering a known malicious URL in a controlled environment. | Use a user filter to exclude admin accounts, or use a destination_ip filter to exclude internal testing environments. |
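As an added example (not part of the original hunt package), the following query combines the DNS and web-traffic hunts into one result set and applies the source-IP exclusions from the red team and internal-testing scenarios above, then summarizes per internal source so one noisy host does not flood the results. The `redteam_ranges` and `test_ranges` values are assumed placeholders; replace them with your own CIDR lists.

```kql
// Added example: combined Phorpiex indicator hunt with source-IP exclusions.
// The two range lists below are assumed placeholders, not values from the IOC feed.
let malicious_hosts = dynamic(["178.16.54.109", "130.12.180.190"]);
let redteam_ranges  = dynamic(["10.250.0.0/16"]);   // assumed: red team infrastructure
let test_ranges     = dynamic(["10.251.0.0/24"]);   // assumed: internal detection test lab
let lookback = 30d;
// DNS channel: query name or resolved address matches an indicator.
let dns_hits = DnsEvents
| where TimeGenerated > ago(lookback)
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| extend Source = Computer, Indicator = Name, Action = "dns_query", Channel = "DnsEvents";
// Web channel: URL, destination host, or destination IP matches an indicator.
// coalesce(..., false) keeps rows whose SourceIP is empty or not a valid IPv4 address,
// which ipv4_is_in_any_range() would otherwise return null for (and null would be dropped).
let web_hits = CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| where coalesce(ipv4_is_in_any_range(SourceIP, redteam_ranges), false) == false
| where coalesce(ipv4_is_in_any_range(SourceIP, test_ranges), false) == false
| extend Source = SourceIP,
         Indicator = coalesce(RequestURL, DestinationHostName, DestinationIP),
         Action = DeviceAction,
         Channel = "CommonSecurityLog";
union dns_hits, web_hits
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Hits      = count(),
            Channels  = make_set(Channel),
            Actions   = make_set(Action),          // "allow"/"deny"/"dns_query" etc.
            Indicators = make_set(Indicator, 10)
  by Source
| order by Hits desc
```

Triage hint: a source that appears in both channels, or whose `Actions` set contains an allow verdict, is a stronger infection candidate than a DNS-only hit; the process_name and command_line exclusions from the other scenarios cannot be applied here because neither DnsEvents nor CommonSecurityLog carries process context, so those need to be checked in endpoint telemetry after the host is identified.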