The hypothesis is that the listed URLs host malicious Windows executables that adversaries use to deliver payloads and compromise endpoints. SOC teams should proactively hunt for DNS resolutions of, and web requests to, these URLs in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain command and control or data exfiltration activity early.
IOC Summary

Threat: exe
Total URLs: 2
Active URLs: 1

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://science4u.co.in/3.exe | offline | malware_download | 2026-06-04 |
| hxxps://science4u.co.in/144.exe | online | malware_download | 2026-06-04 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: exe
// has_any on a domain string is a phrase match, so subdomains
// (cdn.science4u.co.in) are caught as well as the bare domain.
let malicious_domains = dynamic(["science4u.co.in"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Both listed URLs sit on the same host, so the domain match covers them;
// ExactIOC separates the listed payload paths from other hits on that host.
let malicious_domains = dynamic(["science4u.co.in"]);
let malicious_urls = dynamic(["science4u.co.in/3.exe", "science4u.co.in/144.exe"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| extend ExactIOC = RequestURL has_any (malicious_urls)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction, ExactIOC
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Fed by CEF logs from proxies and firewalls; ensure the connector is enabled and that the devices populate RequestURL or DestinationHostName, otherwise the web query matches nothing |
| DnsEvents | Fed by the DNS connector; ensure it is enabled and that query logging, not only audit events, is collected |
The two queries above match one specific domain, so legitimate update traffic will not hit them. The scenarios below matter once the hunt is broadened to any .exe download (for example, RequestURL ending in ".exe"). Two caveats apply to every exclusion: match on the host field (DestinationHostName, or the hostname parsed out of RequestURL) as an exact host or subdomain rather than with "URL contains", because an adversary can place an allowlisted string in a path, a query string or a subdomain label (update.microsoft.com.science4u.co.in); and never let an exclusion suppress a hit on a URLhaus-listed domain. CommonSecurityLog and DnsEvents carry no process name or command line, so the process-based filters below need an endpoint table such as DeviceNetworkEvents from Microsoft Defender for Endpoint.

Scenario: A system administrator downloads a legitimate .exe from the Microsoft Update website to install a critical security patch.
Filter/Exclusion: Exclude requests whose host is update.microsoft.com or windowsupdate.microsoft.com, or a subdomain of either.
Scenario: A scheduled job runs a legitimate software update tool such as Chocolatey or WSUS to deploy updates across the network.
Filter/Exclusion: Exclude requests whose host is chocolatey.org or the internal WSUS server, or, in an endpoint table, filter on the initiating process (choco.exe, wsusutil.exe).
Scenario: A developer uses a build tool such as npm or Maven to download a dependency that ships an .exe for Windows compatibility.
Filter/Exclusion: Exclude requests whose host is the npm registry, Maven Central or another approved package repository, or filter on the initiating process in an endpoint table (node.exe for npm, java.exe for Maven).
Scenario: A user downloads an .exe from a legitimate internal repository or file server that hosts internal tools and custom utilities.
Filter/Exclusion: Exclude hosts in the internal domain (e.g., internal.research.corp and its subdomains) or the source and destination IP ranges used by internal servers. Do not exclude on the .exe file name alone.
Scenario: A system runs a legitimate remote management tool such as PsExec or WinRM to execute commands on remote machines.
Filter/Exclusion: PsExec and WinRM generate SMB and HTTP(S) sessions to internal hosts, not .exe downloads, so they do not match this hunt. The only related false positive is an administrator fetching PsExec.exe from Microsoft's Sysinternals download site, which is excluded by host like the other vendor sites; process-name or command-line filters (psexec.exe, winrs.exe) belong in endpoint-table queries, not in URL hunts.
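To check the matching and exclusion logic of the two queries and the false-positive scenarios without a Sentinel workspace, here is an added example in Python that mirrors them over constructed records shaped like DnsEvents and CommonSecurityLog. It is not code from the page, URLhaus or Microsoft; only science4u.co.in and its two listed URLs come from the IOC summary, and every log record, IP address and allowlisted host (the npm and Maven hostnames in particular) is an assumption made for the example. It also goes one step beyond the KQL: the web hunt is broadened to any .exe download, which is where the allowlist from the scenarios above is exercised, while IOC-domain hits are never suppressed by it.

```python
from urllib.parse import urlsplit

# Added example, not the page's own code. IOCs exactly as listed in the
# summary above, still defanged (hxxps://); everything else is constructed.
URLHAUS_IOCS = ["hxxps://science4u.co.in/3.exe", "hxxps://science4u.co.in/144.exe"]

# Hosts from the false-positive scenarios (the npm and Maven hosts are assumed).
# Matched as exact hosts or subdomains, never as URL substrings, and never
# allowed to override an IOC match.
ALLOWLIST_HOSTS = {"update.microsoft.com", "windowsupdate.microsoft.com",
                   "chocolatey.org", "registry.npmjs.org", "repo.maven.apache.org"}

def refang(ioc):
    """hxxp(s):// -> http(s):// so the IOC parses as a URL."""
    return ioc.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)

def split_url(url):
    """(hostname, path), lower-cased; ('', '') if absent or unparsable."""
    try:
        p = urlsplit(url)
    except ValueError:
        return "", ""
    return (p.hostname or "").lower(), p.path.lower()

def host_matches(host, domain):
    """True if host is domain or a subdomain of it (label-boundary suffix):
    'notscience4u.co.in' and 'science4u.co.in.evil.test' do NOT match."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def is_allowlisted(host):
    return any(host_matches(host, a) for a in ALLOWLIST_HOSTS)

def hunt_dns(events, domains):
    """Mirror of the DnsEvents query: resolutions of IOC domains or subdomains."""
    return [e for e in events if any(host_matches(e["Name"], d) for d in domains)]

def classify(event, domains, full_urls):
    """Verdict for one CommonSecurityLog-style record, or None:
    ioc_url      - the exact listed URL
    ioc_domain   - IOC domain or subdomain, other path (allowlist ignored)
    exe_download - any other .exe download not from an allowlisted host"""
    url = event.get("RequestURL", "")
    host, path = split_url(url)
    host = host or event.get("DestinationHostName", "").lower()  # firewall-style records
    if any(host_matches(host, d) for d in domains):
        return "ioc_url" if url.lower() in full_urls else "ioc_domain"
    if path.endswith(".exe") and not is_allowlisted(host):
        return "exe_download"
    return None

def hunt_web(events, domains, iocs):
    """Mirror of the CommonSecurityLog query, broadened to any .exe download."""
    full_urls = {refang(u).lower() for u in iocs}
    return [(e, v) for e in events if (v := classify(e, domains, full_urls))]

# Constructed records in the shape of the two Sentinel tables (TEST-NET IPs).
SAMPLE_DNS = [
    {"TimeGenerated": "2026-06-04T09:12:01Z", "Computer": "ws-0412",
     "Name": "science4u.co.in", "IPAddresses": "198.51.100.23"},
    {"TimeGenerated": "2026-06-04T09:12:03Z", "Computer": "ws-0412",
     "Name": "cdn.science4u.co.in", "IPAddresses": "198.51.100.24"},
    {"TimeGenerated": "2026-06-04T09:15:40Z", "Computer": "ws-0199",
     "Name": "notscience4u.co.in", "IPAddresses": "203.0.113.9"},
]
SAMPLE_WEB = [
    {"TimeGenerated": "2026-06-04T09:12:02Z", "SourceIP": "10.20.0.41", "DeviceAction": "allowed",
     "RequestURL": "https://science4u.co.in/144.exe", "DestinationHostName": "science4u.co.in"},
    {"TimeGenerated": "2026-06-04T09:16:03Z", "SourceIP": "10.20.0.77", "DeviceAction": "allowed",
     "RequestURL": "https://windowsupdate.microsoft.com/d/patch.exe",
     "DestinationHostName": "windowsupdate.microsoft.com"},
    {"TimeGenerated": "2026-06-04T09:20:11Z", "SourceIP": "10.20.0.41", "DeviceAction": "blocked",
     "RequestURL": "https://update.microsoft.com.science4u.co.in/3.exe",
     "DestinationHostName": "update.microsoft.com.science4u.co.in"},
    {"TimeGenerated": "2026-06-04T09:31:55Z", "SourceIP": "10.20.0.88", "DeviceAction": "allowed",
     "RequestURL": "https://chocolatey.org.example.test/choco.exe",
     "DestinationHostName": "chocolatey.org.example.test"},
    {"TimeGenerated": "2026-06-04T09:33:00Z", "SourceIP": "10.20.0.41", "DeviceAction": "blocked",
     "RequestURL": "", "DestinationHostName": "science4u.co.in"},
]

def run_hunt():
    domains = {split_url(refang(u))[0] for u in URLHAUS_IOCS}
    return hunt_dns(SAMPLE_DNS, domains), hunt_web(SAMPLE_WEB, domains, URLHAUS_IOCS)

if __name__ == "__main__":
    dns_hits, web_hits = run_hunt()
    for e in dns_hits:
        print("DNS", e["TimeGenerated"], e["Computer"], e["Name"])
    for e, verdict in web_hits:
        print("WEB", e["TimeGenerated"], e["SourceIP"], verdict,
              e["RequestURL"] or e["DestinationHostName"])
```

Run stand-alone it reports both resolutions of the IOC domain (bare and subdomain, but not notscience4u.co.in) and four web hits: the exact listed URL, the lookalike host update.microsoft.com.science4u.co.in (an IOC-domain hit that a "URL contains update.microsoft.com" exclusion would have hidden), the chocolatey.org.example.test download (not allowlisted, because the allowlist is matched on label boundaries), and the firewall-style record that carries only DestinationHostName. The genuine windowsupdate.microsoft.com download is the only .exe record dropped.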