URLhaus: js Malicious URLs

Hunt Hypothesis

The hypothesis is that the detection identifies adversaries using JavaScript-based malicious URLs to deliver payloads, leveraging compromised or malicious websites to execute code on victim systems. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential command and control channels or initial compromise vectors.

IOC Summary

Threat: js Total URLs: 14 Active URLs: 7

KQL: Url Dns Hunt

// Hunt for DNS resolution of URLhaus malicious domains
// Threat: js
let malicious_domains = dynamic(["lodge-pilot-node-vegetables.trycloudflare.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

KQL: Url Proxy Hunt

// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["lodge-pilot-node-vegetables.trycloudflare.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc

Required Data Sources

References

• URLhaus

False Positive Guidance

• Scenario: A system administrator is manually testing a JavaScript-based automation script that is known to be benign and is part of the company’s internal toolset.
  Filter/Exclusion: Exclude URLs that match known internal development tools (e.g., internal-automation-tool.js, devops-scripts.js) or use a domain filter to exclude internal domains like *.internal.company.com.

• Scenario: A scheduled job runs a JavaScript-based data processing script that fetches external JavaScript libraries from a legitimate CDN (e.g., https://cdn.jsdelivr.net/npm/).
  Filter/Exclusion: Exclude URLs that contain known CDN domains (e.g., cdn.jsdelivr.net, cdnjs.cloudflare.com, jsDelivr.net) or use a regex to filter out URLs that match CDN patterns.

• Scenario: A developer is using a JavaScript-based API testing tool (e.g., Postman) to simulate API requests, which may include JavaScript payloads for testing purposes.
  Filter/Exclusion: Exclude URLs that match the IP or domain of the internal testing tool (e.g., postman-integration-test.js) or filter by user-agent strings associated with testing tools.

• Scenario: A system is running a legitimate JavaScript-based monitoring tool (e.g., Grafana, Prometheus) that occasionally makes requests to external JavaScript endpoints for visualization.
  Filter/Exclusion: Exclude URLs that match known monitoring tool endpoints (e.g., grafana.com, prometheus.io) or filter by process names like grafana-server.exe or prometheus.exe.

• Scenario: A user is downloading a JavaScript-based package manager (e.g., npm) or a build tool (e.g., Webpack) from a trusted source, which may include JavaScript files during installation.
  Filter/Exclusion: Exclude URLs that match known package managers (e.g., npmjs.com, `registry.npmjs.org