Adversaries may host malicious HTA (HTML Application) files on compromised or command-and-control servers and lure or script endpoints into fetching them; once fetched, the file is run by mshta.exe and can execute an embedded payload and establish persistence. SOC teams should proactively hunt for the URLs below in Azure Sentinel to identify endpoints that contacted these hosts, and treat any hit as a potential compromise that may lead to exfiltration of sensitive data.
IOC Summary
Threat: hta
Total URLs: 13
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://172.245.209.253/202/ecc/goodcreationsforbestfamilypeoples.hta | online | malware_download | 2026-06-15 |
| hxxp://107.172.135.60/97/goodthingsarebestforbesttihignstocome.hta | offline | malware_download | 2026-06-15 |
| hxxp://107.172.135.60/96/ibredgoodforbestthingscomingbackform.hta | offline | malware_download | 2026-06-15 |
| hxxp://172.245.209.169/154/goodchoiceforbetterplacingconvencingthebesttreatments.hta | offline | malware_download | 2026-06-15 |
| hxxp://107.172.135.8/123/evc/greatindianthingsareperfectforbest.hta | online | malware_download | 2026-06-15 |
| hxxp://82.223.139.167/221/givenbestthingsforbetterplacegoodcoming.hta | offline | malware_download | 2026-06-15 |
| hxxp://172.86.110.98/img/kb/verygoodperformancethingsarecominginthisnewthingsinside.hta | offline | malware_download | 2026-06-15 |
| hxxp://209.54.103.155/46/givemebestthignsbackfromthisbusiness.hta | offline | malware_download | 2026-06-15 |
| hxxp://198.23.144.116/40/imacomingthisweekinthrforbestgoodthings.hta | offline | malware_download | 2026-06-15 |
| hxxp://192.3.140.105/33/goodthingsarebesttogetbetterthingsfrome.hta | offline | malware_download | 2026-06-15 |
| hxxp://23.95.103.215/156/notimefordothatallbrotherherewiatingalot.hta | offline | malware_download | 2026-06-15 |
| hxxp://193.37.215.169/33/verygreatthingsaregoingaroundonmethings.hta | offline | malware_download | 2026-06-15 |
| hxxp://172.86.110.98/121/goodreangewithbestthignsaroundonmyself.hta | offline | malware_download | 2026-06-15 |
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: hta
// The active IOCs are bare IP addresses, so a direct fetch of these URLs
// generates no DNS query for them. Match the resolved addresses as well as
// the queried name so that any domain resolving to these IPs is also caught.
// Add the offline hosts from the table when hunting historical data.
let malicious_hosts = dynamic(["172.245.209.253", "107.172.135.8"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
// Hunt for web traffic to URLhaus malicious hosts
// Check the destination IP as well as the URL and hostname fields, since
// proxy and firewall logs do not always populate RequestURL.
let malicious_hosts = dynamic(["172.245.209.253", "107.172.135.8"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update Job
Description: A scheduled patching job fetches update content from Microsoft update infrastructure or a vendor patching tool, and the download URL is flagged by a broad HTA rule. Note that Windows Update itself does not deliver HTA files, so an .hta fetched from an unexpected host during a patch window is not explained by this scenario.
Filter/Exclusion: Exclude traffic whose destination host is windowsupdate.com or update.microsoft.com, or a subdomain of them. Match on the host, not on a substring of the whole URL, and do not exclude on a file name such as patchingtool.exe in the request path: the path is attacker-controlled, and a substring match on windowsupdate.com would also exclude a host like windowsupdate.com.attacker.example.
Scenario: Admin Task - HTA-based Reporting Tool
Description: An enterprise admin uses a custom HTA-based reporting tool to generate system health reports; the legitimate HTA file is hosted internally.
Filter/Exclusion: Exclude requests whose destination is within internal IP ranges (e.g., 10.0.0.0/8) or whose destination host is an internal name such as internal.reporting.tools. Keep the exclusion specific to the known hosting server rather than the whole range where possible, since an internal host can also be used for lateral delivery of a malicious HTA.
Scenario: Malware Analysis Lab Environment
Description: A security team detonates a malicious HTA file in a sandboxed environment, and the fetch from the lab's test server triggers the rule.
Filter/Exclusion: Exclude by the lab's source subnet or by the test server's hostname or IP. Do not exclude on words such as sandbox, malwarelab, or test.hta in the file path: an attacker chooses the path, and any path-based exclusion becomes a free bypass.
Scenario: PowerShell Script with HTA Output
Description: A PowerShell script generates an HTA file for user interaction (e.g., a GUI front end for the script), which is then hosted temporarily on an internal server.
Filter/Exclusion: Exclude by the internal DNS name of the hosting server, such as scriptserver.local, rather than by file names like powershell.hta or script-output.hta, for the same reason: file names in the path are not a trustworthy signal.
Scenario: Third-Party Software Installer
Description: A legitimate third-party software installer uses an HTA file for user consent or configuration, and the installer is hosted on the vendor's CDN.
Filter/Exclusion: Exclude by the vendor's actual CDN hostname (trustedcdn.com is a placeholder to be replaced with the real one), matched as an exact host or subdomain. Do not exclude on file names such as softwareinstaller.hta or installer.hta in the path.
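The following Python script, added here as an illustration and not part of the original page or of any Sentinel content, shows the hunting logic above run offline over a few constructed proxy log lines: it refangs the hxxp:// IOCs from the table, matches log URLs on (host, path) and on host alone, and applies exclusions the safe way (exact host, subdomain of an allowlisted host, or internal CIDR) next to the weak path-substring approach from the scenarios, so the difference is visible on the same input. The allowlist, the internal range, the log format and all sample log lines are assumptions made up for the example; only the three IOC URLs come from the table.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# IOC URLs copied from the table above, still in defanged hxxp:// form.
HTA_IOCS = [
    "hxxp://172.245.209.253/202/ecc/goodcreationsforbestfamilypeoples.hta",
    "hxxp://107.172.135.8/123/evc/greatindianthingsareperfectforbest.hta",
    "hxxp://172.86.110.98/121/goodreangewithbestthignsaroundonmyself.hta",
]

# Hypothetical allowlist standing in for the scenarios: hosts are matched
# exactly or as a subdomain, and internal destinations by CIDR. Nothing here
# looks at the URL path, which the attacker controls.
ALLOWED_HOSTS = (
    "windowsupdate.com",
    "update.microsoft.com",
    "internal.reporting.tools",
    "scriptserver.local",
)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# The substring tokens the scenarios proposed, kept only to show the problem.
NAIVE_TOKENS = ("windowsupdate.com", "sandbox", "malwarelab", "test.hta", "installer.hta")


def refang(url):
    """Turn hxxp:// back into http:// so the URL can be parsed."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def url_key(url):
    """Normalise a URL to a (host, path) pair for comparison."""
    parts = urlsplit(refang(url))
    return (parts.hostname or "").lower(), parts.path


IOC_INDEX = {url_key(u) for u in HTA_IOCS}
IOC_HOSTS = {host for host, _ in IOC_INDEX}


def host_is_allowlisted(host):
    """Safe exclusion: exact host, subdomain of an allowed host, or internal IP."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        pass  # not an IP literal, compare as a hostname
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def naive_path_exclusion(url):
    """Weak exclusion: a substring anywhere in the URL, as the scenarios proposed."""
    lowered = url.lower()
    return any(tok in lowered for tok in NAIVE_TOKENS)


def classify(url):
    """Return 'excluded', 'ioc_url' (exact URL), 'ioc_host' (same host) or 'clean'."""
    host, path = url_key(url)
    if host_is_allowlisted(host):
        return "excluded"
    if (host, path) in IOC_INDEX:
        return "ioc_url"
    if host in IOC_HOSTS:
        return "ioc_host"
    return "clean"


# Constructed log lines: "<timestamp> <source ip> <request url> <device action>".
SAMPLE_LOG = [
    "2026-06-15T10:01:02Z 10.1.2.3 http://172.245.209.253/202/ecc/goodcreationsforbestfamilypeoples.hta allowed",
    "2026-06-15T10:02:00Z 10.1.2.4 http://107.172.135.8/123/evc/sandbox/test.hta allowed",
    "2026-06-15T10:03:00Z 10.1.2.5 http://windowsupdate.com.attacker.example/x.hta blocked",
    "2026-06-15T10:04:00Z 10.1.2.6 http://10.20.30.40/reports/health.hta allowed",
    "2026-06-15T10:05:00Z 10.1.2.7 http://download.windowsupdate.com/update.cab allowed",
]


def hunt(log_lines):
    """Return (timestamp, source, url, action, verdict) for every IOC hit."""
    hits = []
    for line in log_lines:
        ts, src, url, action = line.split(" ", 3)
        verdict = classify(url)
        if verdict.startswith("ioc"):
            hits.append((ts, src, url, action, verdict))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
    # The second sample line is a real hit on an IOC host that the naive
    # path-substring exclusion would have silenced.
    print("naive exclusion hides line 2:", naive_path_exclusion(SAMPLE_LOG[1].split(" ")[2]))
```

In the sample set, line 2 is a fetch from an IOC host whose attacker-chosen path happens to contain "sandbox" and "test.hta", and line 3 is a look-alike host that a substring match on windowsupdate.com would allowlist; the host-based classification reports the first and does not exclude the second, while the naive check gets both wrong.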