The hypothesis is that the detected URLs are malicious payloads dropped by the Phorpiex malware, indicating potential command and control communication or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate Phorpiex-based attacks before they cause significant damage.
IOC Summary

Threat: dropped-by-Phorpiex
Total URLs: 2
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://178.16.54.109/n.exe | online | malware_download | 2026-06-04 |
| hxxp://178.16.54.109/x.exe | online | malware_download | 2026-06-04 |
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: dropped-by-Phorpiex
// The indicator is an IP literal, so it will appear in the resolved
// IPAddresses column rather than in the queried Name; check both.
let malicious_domains = dynamic(["178.16.54.109"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: dropped-by-Phorpiex
let malicious_domains = dynamic(["178.16.54.109"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
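The two queries above key on a single IP literal, which is why the DNS query must look at the resolved addresses and not only at the queried name. The following Python is an added, offline example (not part of the original hunt, not URLhaus or Sentinel code) that refangs the defanged IOC URLs from the summary, separates IP literals from hostnames, and applies the same matching logic to constructed records shaped like the `DnsEvents` and `CommonSecurityLog` columns used above. The sample records and their timestamps are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed IOC list in the defanged form used in the IOC summary.
IOC_URLS = [
    "hxxp://178.16.54.109/n.exe",
    "hxxp://178.16.54.109/x.exe",
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so urlsplit can parse the URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def extract_hosts(urls):
    """Split IOC URLs into IP literals and hostnames; a hunt must key on both kinds."""
    ips, names = set(), set()
    for u in urls:
        host = urlsplit(refang(u)).hostname or ""
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            if host:
                names.add(host.lower())
    return ips, names


# Constructed sample records mirroring the DnsEvents columns projected above.
DNS_EVENTS = [
    {"TimeGenerated": "2026-06-04T10:01:00Z", "Computer": "ws01",
     "Name": "update.microsoft.com", "IPAddresses": "13.107.4.50"},
    {"TimeGenerated": "2026-06-04T10:02:00Z", "Computer": "ws07",
     "Name": "cdn.example.test", "IPAddresses": "178.16.54.109"},
]

# Constructed sample records mirroring the CommonSecurityLog columns projected above.
PROXY_EVENTS = [
    {"TimeGenerated": "2026-06-04T10:03:00Z", "SourceIP": "10.0.0.5",
     "RequestURL": "http://178.16.54.109/x.exe",
     "DestinationHostName": "178.16.54.109", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-04T10:04:00Z", "SourceIP": "10.0.0.9",
     "RequestURL": "https://update.microsoft.com/patch.msu",
     "DestinationHostName": "update.microsoft.com", "DeviceAction": "allow"},
]


def hunt_dns(events, ips, names):
    """Return DNS records whose queried name or any resolved address is an IOC.

    Checking only Name would miss an IP-literal IOC entirely; the resolved
    IPAddresses column is where such an indicator surfaces.
    """
    hits = []
    for e in events:
        resolved = {a.strip() for a in e["IPAddresses"].split(",") if a.strip()}
        if e["Name"].lower() in names or resolved & ips:
            hits.append(e)
    return hits


def hunt_proxy(events, ips, names):
    """Return proxy/firewall records whose request host or destination is an IOC."""
    hits = []
    watch = ips | names
    for e in events:
        req_host = (urlsplit(e["RequestURL"]).hostname or "").lower()
        if req_host in watch or e["DestinationHostName"].lower() in watch:
            hits.append(e)
    return hits


def run_hunt():
    """Apply both hunts to the constructed records and return the hits."""
    ips, names = extract_hosts(IOC_URLS)
    return hunt_dns(DNS_EVENTS, ips, names), hunt_proxy(PROXY_EVENTS, ips, names)


if __name__ == "__main__":
    dns_hits, proxy_hits = run_hunt()
    for h in dns_hits:
        print("DNS hit:", h["Computer"], h["Name"], h["IPAddresses"])
    for h in proxy_hits:
        print("Proxy hit:", h["SourceIP"], h["RequestURL"], h["DeviceAction"])
```

Keeping IP literals and hostnames in separate sets makes it explicit which column each indicator can match in, and `refang` means the defanged table can be pasted in directly rather than retyped.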
Scenario: Phorpiex malware is used in a red team exercise to simulate a real-world attack.
Filter/Exclusion: `process.name != "Phorpiex" OR process.parent.name != "Phorpiex"`
Note: Exclude known red team tools and simulation environments.

Scenario: A legitimate system management tool (e.g., PowerShell, Task Scheduler, or Ansible) is used to download a legitimate update or patch from a URL tagged as malicious by URLhaus.
Filter/Exclusion: `process.name IN ("powershell.exe", "taskhostw.exe", "ansible") OR url.domain == "update.microsoft.com"`
Note: Exclude known system management tools and trusted domains.

Scenario: A scheduled job (e.g., SQL Server Agent, Windows Task Scheduler, or cron job) is configured to fetch a legitimate configuration file from a URL that happens to be in the Phorpiex dropped list.
Filter/Exclusion: `process.name IN ("sqlservr.exe", "scheventlog.exe", "taskeng.exe") OR url.path CONTAINS "/config"`
Note: Exclude known job scheduling tools and specific file paths.

Scenario: A security tool (e.g., CrowdStrike Falcon, Microsoft Defender, or Splunk) is performing a test or update that triggers a URL in the Phorpiex list.
Filter/Exclusion: `process.name IN ("falcon.exe", "MsMpEng.exe", "splunkd") OR url.path CONTAINS "/update"`
Note: Exclude known security tool processes and update paths.

Scenario: A developer is using a code repository (e.g., GitHub, GitLab, or Bitbucket) to clone a repository that includes a malicious URL