Adversaries may use malicious URLs hosting executable files to deliver payloads and establish initial access. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise vectors before they lead to deeper network infiltration.
IOC Summary

Threat: exe
Total URLs: 10
Active URLs: 7
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://193.233.126.181:6767/Desktop.exe | online | malware_download | 2026-05-25 |
| hxxp://193.233.126.181:6767/SysLog.exe | online | malware_download | 2026-05-25 |
| hxxp://193.233.126.181:6767/syslog.vbs | offline | malware_download | 2026-05-25 |
| hxxp://190.255.90.152/su.bat | online | malware_download | 2026-05-25 |
| hxxp://45.38.143.219:6767/SysLog.exe | online | malware_download | 2026-05-25 |
| hxxp://45.38.143.219:6767/Desktop.exe | online | malware_download | 2026-05-25 |
| hxxp://190.255.90.152/su.js | online | malware_download | 2026-05-25 |
| hxxp://190.255.90.152/SOS.exe | online | malware_download | 2026-05-25 |
| hxxp://190.255.90.152/su.vbs | offline | malware_download | 2026-05-25 |
| hxxp://45.38.143.219:6767/syslog.vbs | offline | malware_download | 2026-05-25 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: exe
// The indicators in this feed are bare IP addresses, which seldom appear as the
// queried Name, so the resolved-address column is checked as well.
let malicious_domains = dynamic(["193.233.126.181", "190.255.90.152", "45.38.143.219"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: exe
// Proxy and firewall records may carry the indicator in the URL, the destination
// host name, or only the destination IP, so all three columns are checked.
let malicious_domains = dynamic(["193.233.126.181", "190.255.90.152", "45.38.143.219"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Update Job | A legitimate scheduled task runs a Windows Update or system patching tool that downloads an .exe file from a known Microsoft or enterprise update server. | Exclude URLs matching `*.update.microsoft.com`, `*.microsoft.com`, or any enterprise internal update server domain. |
| Software Deployment via SCCM | A System Center Configuration Manager (SCCM) task deploys a software update or application package, which includes an .exe file downloaded from a trusted internal repository. | Exclude URLs containing `sccm`, `internal-repo`, or any enterprise software distribution server domain. |
| Admin Tool Execution via PowerShell | An administrator uses PowerShell to run a trusted administrative tool (e.g., PsExec, PsTools, or WinRM) that requires downloading an .exe file from a secure internal endpoint. | Exclude URLs containing `psexec`, `winrm`, or any internal admin tool server domain. |
| Antivirus Signature Update | An endpoint protection solution (e.g., CrowdStrike, McAfee, or Microsoft Defender) updates its virus signature database, which may involve downloading an .exe file from a trusted vendor URL. | Exclude URLs containing `crowdstrike.com`, `mcafee.com`, or `defender.microsoft.com`. |
| Internal Code Signing Tool Usage | A developer uses an internal code signing tool (e.g., signtool.exe) to sign a legitimate application, which may involve temporary .exe file downloads from an internal artifact repository. | Exclude URLs containing `artifact.repo`, `internal-signing`, or any internal CI/CD tool domain. |
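The hunt queries above match destinations by indicator and the scenarios above describe exclusions by URL keyword. The following Python is an added example, not part of the original page: it checks constructed proxy records against the page's own IOC hosts and applies the exclusions as domain-suffix matches on the destination host, while `excluded_by_substring` shows why a literal "URL contains psexec" filter would drop a download served from an indicator host. The sample records and the allowlist grouping are constructed assumptions.

```python
from urllib.parse import urlsplit

# IOC URLs copied from the table above (published in defanged hxxp:// form).
IOC_URLS = [
    "hxxp://193.233.126.181:6767/Desktop.exe",
    "hxxp://193.233.126.181:6767/SysLog.exe",
    "hxxp://190.255.90.152/su.bat",
    "hxxp://45.38.143.219:6767/SysLog.exe",
    "hxxp://190.255.90.152/SOS.exe",
]

# Allowlist taken from the exclusion scenarios; matched as a domain suffix
# of the destination host, not as a substring of the whole URL (assumption).
ALLOWED_SUFFIXES = ("update.microsoft.com", "microsoft.com", "crowdstrike.com")
# Keyword reading of the same scenarios, kept only to show the detection gap.
NAIVE_KEYWORDS = ("microsoft.com", "crowdstrike.com", "psexec", "sccm")


def refang(url: str) -> str:
    """Turn a defanged hxxp:// URL back into a parseable http:// URL."""
    return url.replace("hxxp://", "http://", 1).replace("[.]", ".")


def host_port(url: str) -> tuple:
    """(host, port) of a URL, defaulting to port 80 when none is given."""
    u = urlsplit(refang(url))
    return ((u.hostname or "").lower().rstrip("."), u.port or 80)


def excluded_by_host(url: str) -> bool:
    """Host equals, or is a subdomain of, an allowlisted domain."""
    host, _ = host_port(url)
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def excluded_by_substring(url: str) -> bool:
    """Literal 'URL contains keyword' filter; path text also matches."""
    return any(k in url.lower() for k in NAIVE_KEYWORDS)


def hunt(records, urls=IOC_URLS, excluded=excluded_by_host):
    """Records whose destination host:port is an IOC host and is not excluded."""
    ioc_hosts = {host_port(u) for u in urls}
    return [r for r in records
            if host_port(r["url"]) in ioc_hosts and not excluded(r["url"])]


# Constructed sample proxy records (not real telemetry).
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "url": "http://193.233.126.181:6767/Desktop.exe"},
    {"src": "10.0.0.6", "url": "http://190.255.90.152/other.exe"},  # IOC host, new path
    {"src": "10.0.0.7", "url": "http://45.38.143.219:6767/psexec.exe"},  # keyword in path
    {"src": "10.0.0.8", "url": "http://download.update.microsoft.com/kb.exe"},
]
```

Matching on host and port rather than the full URL also catches new file names served from an indicator host, as the second record shows.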