Adversaries may use GitHub-hosted malicious URLs to exfiltrate data or deploy payloads, leveraging the trust associated with GitHub repositories. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control channels or data exfiltration attempts.
IOC Summary

Threat: github
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://github.com/chromawashere/Security/releases/download/7/SystemCleaner.exe | online | malware_download | 2026-05-27 |
| hxxps://github.com/chromawashere/Security/raw/refs/heads/main/SysDrive.exe | online | malware_download | 2026-05-27 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: github
// Note: DNS telemetry only carries the domain, so this returns every github.com
// lookup in the environment. Use it to scope hosts, not to alert, and pivot the
// results into the web-traffic query that matches on the full URL path.
let malicious_domains = dynamic(["github.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious URLs
// Threat: github
// Match on the repository path from the IOC table rather than on github.com
// alone; matching the bare domain returns every legitimate GitHub download.
let malicious_domains = dynamic(["github.com"]);
let malicious_paths = dynamic(["chromawashere/Security"]);
CommonSecurityLog
| where (RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains))
    and RequestURL has_any (malicious_paths)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Known false-positive scenarios and suggested exclusions:

- Scenario: System update or patching process using GitHub repositories
  Filter/Exclusion: Exclude /releases/download/ URLs only for the specific organizations and repositories your patching process is known to use (e.g., https://github.com/organization/repo/releases/download/...). Do not exclude the /releases/download/ path pattern on its own, since the listed IOCs use that same path.
- Scenario: Scheduled backup job accessing GitHub for version control or artifact storage
  Filter/Exclusion: Exclude URLs containing /backup/ or /artifacts/ in the path, or use a regex matching the known backup-related GitHub paths, scoped to the repositories the job actually uses.
- Scenario: Admin task using GitHub CLI to fetch configuration files or scripts
  Filter/Exclusion: Exclude URLs that include github.com/cli/cli (the GitHub CLI's own repository) or github.com/organization/config in the path.
- Scenario: CI/CD pipeline fetching dependencies from GitHub repositories
  Filter/Exclusion: Exclude URLs that match GitHub Actions URLs (e.g., https://github.com/organization/repo/actions/runs/...) or include /actions/ in the path.
- Scenario: Developer using GitHub Pages to host static documentation or internal tools
  Filter/Exclusion: Exclude URLs that include /docs/, /pages/, or /static/ in the path, or that match known internal GitHub Pages domains.
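As an added example that is not part of the original page, the same hunting logic in Python over constructed proxy log lines: it refangs the hxxps:// IOCs from the table, matches on the owner/repo path rather than on github.com as a whole, and applies the exclusion scenarios as an owner allowlist instead of a path pattern. TRUSTED_OWNERS, exampleorg and SAMPLE_LOG are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Defanged IOCs as listed in the IOC table above.
IOC_URLS = [
    "hxxps://github.com/chromawashere/Security/releases/download/7/SystemCleaner.exe",
    "hxxps://github.com/chromawashere/Security/raw/refs/heads/main/SysDrive.exe",
]

# Hypothetical allowlist: GitHub owners your patching/CI jobs are known to pull from.
TRUSTED_OWNERS = {"exampleorg"}


def refang(url: str) -> str:
    """Turn defanged hxxp(s):// into http(s):// so the URL can be parsed."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def repo_path(url: str) -> Optional[str]:
    """Return lower-cased 'owner/repo' for a github.com URL, else None."""
    p = urlparse(refang(url))
    parts = p.path.strip("/").split("/")
    if p.hostname != "github.com" or len(parts) < 2:
        return None
    return f"{parts[0]}/{parts[1]}".lower()


IOC_FULL = {refang(u).lower() for u in IOC_URLS}
IOC_REPOS = {repo_path(u) for u in IOC_URLS}


def classify(url: str) -> str:
    """ioc = exact feed URL; ioc_repo = same repo, other file (e.g. renamed binary);
    trusted = allowlisted owner; review = other github.com; none = not github.com."""
    repo = repo_path(url)
    if repo is None:
        return "none"
    if refang(url).lower() in IOC_FULL:
        return "ioc"
    if repo in IOC_REPOS:
        return "ioc_repo"
    return "trusted" if repo.split("/")[0] in TRUSTED_OWNERS else "review"


# Constructed proxy log lines: "<timestamp> <src_ip> <url>".
SAMPLE_LOG = """\
2026-05-27T10:01:02Z 10.0.0.5 https://github.com/chromawashere/Security/releases/download/7/SystemCleaner.exe
2026-05-27T10:02:10Z 10.0.0.7 https://github.com/exampleorg/patch-tool/releases/download/v2/patch.msi
2026-05-27T10:03:33Z 10.0.0.5 https://github.com/chromawashere/Security/raw/refs/heads/main/Updater.exe
2026-05-27T10:04:00Z 10.0.0.9 https://github.com/someorg/tool/releases/download/1.0/tool.zip
"""


def hunt(log: str) -> List[Tuple[str, str, str]]:
    """Return (src_ip, url, verdict) for every line worth an analyst's attention."""
    hits = []
    for line in log.splitlines():
        _, src, url = line.split(maxsplit=2)
        verdict = classify(url)
        if verdict != "none" and verdict != "trusted":
            hits.append((src, url, verdict))
    return hits
```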