Hypothesis: adversaries download or execute malicious JAR files hosted at URLs listed in URLhaus, a channel commonly used to distribute malware. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate early-stage infections that may evade traditional detection methods.
IOC Summary
Threat: jar | Total URLs: 2 | Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://raw.githubusercontent.com/itachiccnts-collab/DonutHacks/main/gamble-rig%201.21.jar | online | malware_download | 2026-05-25 |
| hxxps://raw.githubusercontent.com/jedibubub1/jedibubub/refs/heads/main/WizzyAddon1.21.11.jar | online | malware_download | 2026-05-25 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: jar
// Note: the list holds only the shared host, so every lookup of
// raw.githubusercontent.com surfaces here, not just the two listed JAR paths.
let malicious_domains = dynamic(["raw.githubusercontent.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Confirm each hit by comparing the full RequestURL with the IOC table above.
let malicious_domains = dynamic(["raw.githubusercontent.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled Jenkins Build Job Downloading JAR Artifacts
Description: A legitimate CI/CD pipeline (e.g., Jenkins) may download JAR files from a known internal or external repository as part of a build process.
Filter/Exclusion: Check the source URL against a whitelist of approved artifact repositories (e.g., nexus.internal.company.com, maven.org). Use a filter like:
`(url contains "nexus.internal.company.com" OR url contains "maven.org")`

Scenario: System Update via Windows Update or Microsoft Intune
Description: Windows Update or Intune might download JAR files as part of a system update or application deployment, especially in environments with custom or third-party tools.
Filter/Exclusion: Filter by the source IP or domain of the update server (e.g., update.microsoft.com, intune.microsoft.com). Use a filter like:
`(src_ip is 10.0.0.0/8 OR url contains "update.microsoft.com")`

Scenario: Java Application Deployment via Ansible or Puppet
Description: Ansible or Puppet may transfer JAR files to remote hosts during application deployment, which could trigger the rule if the transfer involves a URL.
Filter/Exclusion: Filter by the source IP or by the presence of known deployment tools in the command line (e.g., ansible, puppet). Use a filter like:
`(src_ip is 192.168.0.0/16 OR process contains "ansible" OR process contains "puppet")`
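As an added example that is not part of the original hunt content, the following Python check shows why the domain-level queries above are only a pivot: it matches the two IOCs on host plus percent-decoded path, and applies the exclusion hosts from the scenarios above as exact-host matches rather than substring tests. The `ALLOWED_HOSTS` values, `SAMPLE_ROWS` and the function names are constructed for this example.

```python
from urllib.parse import urlsplit, unquote

# The two JAR IOCs from the URLhaus table above, kept in their defanged form.
URLHAUS_JAR_IOCS = [
    "hxxps://raw.githubusercontent.com/itachiccnts-collab/DonutHacks/main/gamble-rig%201.21.jar",
    "hxxps://raw.githubusercontent.com/jedibubub1/jedibubub/refs/heads/main/WizzyAddon1.21.11.jar",
]
# Approved artifact and update hosts named in the false-positive scenarios (assumed values).
ALLOWED_HOSTS = {"nexus.internal.company.com", "maven.org", "update.microsoft.com"}

def refang(url):
    """Turn the published hxxp(s):// form back into a parseable scheme."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")

def normalize(url):
    """Return (lowercase host, percent-decoded path) so that
    'gamble-rig%201.21.jar' and 'gamble-rig 1.21.jar' compare equal."""
    parts = urlsplit(refang(url))
    return (parts.hostname or "", unquote(parts.path))

IOC_KEYS = {normalize(u) for u in URLHAUS_JAR_IOCS}
IOC_HOSTS = {host for host, _ in IOC_KEYS}

def classify(request_url):
    """Exact-host allowlist (a substring test such as 'url contains maven.org'
    would also accept maven.org.attacker.example); full host+path match for IOCs."""
    host, path = normalize(request_url)
    if host in ALLOWED_HOSTS:
        return "allowlisted"
    if (host, path) in IOC_KEYS:
        return "ioc_match"
    if host in IOC_HOSTS:
        return "shared_host_only"  # same shared host, different content: not an IOC hit
    return "no_match"

def hunt(records):
    """records are CommonSecurityLog-shaped dicts; only exact URL matches are returned."""
    return [(r["TimeGenerated"], r["SourceIP"], r["RequestURL"])
            for r in records if classify(r["RequestURL"]) == "ioc_match"]

# Constructed sample rows standing in for CommonSecurityLog output.
SAMPLE_ROWS = [
    {"TimeGenerated": "2026-05-25T10:01:00Z", "SourceIP": "10.1.2.3",
     "RequestURL": "https://raw.githubusercontent.com/itachiccnts-collab/DonutHacks/main/gamble-rig 1.21.jar"},
    {"TimeGenerated": "2026-05-25T10:02:00Z", "SourceIP": "10.1.2.4",
     "RequestURL": "https://raw.githubusercontent.com/someorg/tool/main/README.md"},
    {"TimeGenerated": "2026-05-25T10:03:00Z", "SourceIP": "10.1.2.5",
     "RequestURL": "https://nexus.internal.company.com/repository/app-1.0.jar"},
]
```

Running `hunt(SAMPLE_ROWS)` returns only the first row; the README fetch from the same shared host and the allowlisted Nexus download are dropped.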
Scenario: Internal JAR Repository Access by Developers
Description: Developers may access an internal JAR repository (e.g., Artifactory) to