The hypothesis is that the detected URLs host malicious executable files that adversaries use to deliver payloads and establish initial access. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate potential compromise of endpoints and networks.
IOC Summary

Threat: exe | Total URLs: 2 | Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://20.96.177.238:81/share/OfficeClickToRun.exe | online | malware_download | 2026-05-27 |
| hxxp://13.36.168.159/cv/msedge.exe | online | malware_download | 2026-05-27 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: exe
// Note: these IOCs are bare IP addresses, so they will not appear as a queried Name;
// also match the resolved IPAddresses column so answers containing these IPs surface.
let malicious_domains = dynamic(["13.36.168.159", "20.96.177.238"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["13.36.168.159", "20.96.177.238"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
1. Scenario: A system administrator is downloading a legitimate .exe file from a trusted source (e.g., Microsoft Update) as part of a routine patch deployment.
   Filter/Exclusion: Exclude URLs that match known Microsoft update servers (e.g., *.update.microsoft.com, *.download.microsoft.com) or use a custom list of trusted internal/external URLs for software updates.
2. Scenario: A scheduled job runs a script that downloads a .exe file from an internal repository (e.g., Artifactory or Nexus) to deploy a configuration update.
   Filter/Exclusion: Exclude URLs that originate from internal artifact repositories (e.g., artifactory.example.com, nexus.example.com) or use an allowlisted domain list for internal tooling.
3. Scenario: A user is running a legitimate security tool (e.g., Malwarebytes, Bitdefender) that requires downloading an .exe file for an update or scan.
   Filter/Exclusion: Exclude URLs that match known security tool update servers (e.g., *.malwarebytes.com, *.bitdefender.com) or use an allowlist of permitted security software update domains.
4. Scenario: A DevOps pipeline is executing a CI/CD job that downloads a .exe file from a public repository (e.g., GitHub Actions) to run a test or build script.
   Filter/Exclusion: Exclude URLs that match GitHub Actions endpoints (e.g., github.com/actions) or use an allowlist of known CI/CD tooling URLs.
5. Scenario: A system is running a legitimate remote desktop tool (e.g., Microsoft Remote Desktop, TeamViewer) that requires downloading an .exe file for a remote session.
   Filter/Exclusion: Exclude URLs that match known remote access tool vendors (e.g., *.microsoft.com/rdp, *.teamviewer.com) or
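As an added example (not part of the original page), one CommonSecurityLog hunt that combines the two URLhaus hosts with the exclusions from the scenarios above; the allowlist entries are the illustrative domains named in those scenarios and are assumptions to replace with your own. It also goes beyond the listed IOCs by flagging any .exe fetched from a bare-IP host, the pattern both IOC URLs share.

```kusto
// Added example, not from the original page: IOC hits plus .exe downloads from bare-IP hosts,
// minus the benign scenarios' allowlist. Allowlist values are assumptions; tune them to your estate.
let malicious_hosts = dynamic(["13.36.168.159", "20.96.177.238"]);
let allowed_domains = dynamic([
    "update.microsoft.com", "download.microsoft.com",   // routine patching (scenario 1)
    "artifactory.example.com", "nexus.example.com",     // internal repositories (scenario 2)
    "malwarebytes.com", "bitdefender.com",              // security tool updates (scenario 3)
    "github.com",                                       // CI/CD tooling (scenario 4)
    "teamviewer.com"                                    // remote access vendors (scenario 5)
]);
CommonSecurityLog
| where isnotempty(RequestURL)
// Some devices log only the path in RequestURL; fall back to DestinationHostName for the host.
| extend ReqHost = coalesce(tostring(parse_url(RequestURL).Host), DestinationHostName)
| extend ReqPath = tostring(parse_url(RequestURL).Path)
| where ReqPath endswith ".exe" or RequestURL endswith ".exe"
// Drop the known-benign sources described in the scenarios.
| where not(ReqHost has_any (allowed_domains))
| extend IocHit = ReqHost in (malicious_hosts)
| extend RawIpHost = ReqHost matches regex @"^\d{1,3}(\.\d{1,3}){3}$"
| where IocHit or RawIpHost
| project TimeGenerated, SourceIP, ReqHost, RequestURL, DeviceAction, IocHit, RawIpHost
| order by TimeGenerated desc
```

Rows with IocHit true are direct matches on the URLhaus indicators; RawIpHost rows are the broader pattern and need analyst triage before any response action.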