The hypothesis is that the detected URLs host malicious .lnk files (and the related payloads staged on the same host) used for initial delivery. URLhaus intelligence identifies the host as a potential compromise vector, so SOC teams should proactively hunt for these indicators in Azure Sentinel and contain early-stage adversary activity before lateral movement or data exfiltration occurs. Note that all four URLs sit on a bare IP address with a non-standard port (65.20.105.177:8080); there is no domain to resolve, which shapes how the hunt queries must be written.
IOC Summary
Threat: lnk
Total URLs: 4
Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://65.20.105.177:8080/cloud/Screenshot_25_05_2026.lnk | online | malware_download | 2026-05-27 |
| hxxp://65.20.105.177:8080/cloud/712419111124.ocx | online | malware_download | 2026-05-27 |
| hxxp://65.20.105.177:8080/cloud/mscom.ocx | online | malware_download | 2026-05-27 |
| hxxp://65.20.105.177:8080/cloud/mscomctl.ocx | online | malware_download | 2026-05-27 |
```kusto
// Hunt for DNS activity tied to the URLhaus IOC host
// Threat: lnk
// The IOC host is a bare IP, so clients never resolve a name for it and
// matching DnsEvents.Name against the IP finds nothing. Match the resolved
// addresses instead: any name that resolved to the IP is a pivot worth review.
let malicious_ips = dynamic(["65.20.105.177"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy/firewall traffic to the URLhaus IOC host
// DestinationIP is the field most proxies and firewalls populate; RequestURL
// and DestinationHostName are checked as well in case the IP appears only there.
let malicious_ips = dynamic(["65.20.105.177"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
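The following is an added example and not code from the original page. It takes the IOC table above as input, classifies each indicator as an IP literal or a DNS name (the page's IOCs are all IP-hosted, but the code also handles domain-hosted IOCs), emits Sentinel KQL clauses that fit each indicator type, and scores constructed CommonSecurityLog-shaped rows. It also shows how a source allowlist, such as the patch-server exclusion in the false-positive scenarios that follow, should suppress only path-level matches and never a match on the IOC host itself. The sample rows and the patch-server address 10.50.0.5 are constructed for illustration.

```python
"""Normalize URLhaus IOCs into Sentinel hunt clauses and score sample rows.

Added example, not part of the original page. IOC_URLS is copied from the IOC
table; SAMPLE_ROWS and the patch-server address 10.50.0.5 are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

IOC_URLS = [
    "hxxp://65.20.105.177:8080/cloud/Screenshot_25_05_2026.lnk",
    "hxxp://65.20.105.177:8080/cloud/712419111124.ocx",
    "hxxp://65.20.105.177:8080/cloud/mscom.ocx",
    "hxxp://65.20.105.177:8080/cloud/mscomctl.ocx",
]


def refang(url: str) -> str:
    """Undo hxxp/hxxps defanging so urlsplit can parse the IOC."""
    for defanged, real in (("hxxps://", "https://"), ("hxxp://", "http://")):
        if url.lower().startswith(defanged):
            return real + url[len(defanged):]
    return url


def classify(urls):
    """Split IOC hosts into IP literals and DNS names; collect URL paths.

    DnsEvents.Name only carries names, so an IP-hosted IOC is found there
    only via IPAddresses (names that resolved to it), and in proxy/firewall
    logs via DestinationIP. Returns (ips, names, paths), each sorted.
    """
    ips, names, paths = set(), set(), set()
    for url in urls:
        parts = urlsplit(refang(url))
        host = (parts.hostname or "").lower()
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            names.add(host)
        paths.add(parts.path)
    return sorted(ips), sorted(names), sorted(paths)


def kql_list(values):
    """Render a Python list as a KQL dynamic([...]) literal."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"


def build_kql(urls):
    """Return {table: query} with a clause per indicator type."""
    ips, names, paths = classify(urls)
    dns_terms = [f"Name has_any ({kql_list(names)})"] if names else []
    if ips:
        dns_terms.append(f"IPAddresses has_any ({kql_list(ips)})")
    csl_terms = [f"DestinationIP in ({kql_list(ips)})"] if ips else []
    hosts = ips + names
    csl_terms.append(f"RequestURL has_any ({kql_list(hosts)})")
    csl_terms.append(f"DestinationHostName has_any ({kql_list(hosts)})")
    # Path-only matches are lower confidence: another host may serve that path.
    csl_terms.append(f"RequestURL has_any ({kql_list(paths)})")
    return {
        "DnsEvents": "DnsEvents\n| where " + "\n    or ".join(dns_terms)
        + "\n| project TimeGenerated, Computer, Name, IPAddresses",
        "CommonSecurityLog": "CommonSecurityLog\n| where " + "\n    or ".join(csl_terms)
        + "\n| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DeviceAction",
    }


def score_row(row, allowed_sources=frozenset()):
    """Verdict for one CommonSecurityLog-shaped row.

    'ioc_host': destination is the IOC host; never suppressed by an allowlist.
    'ioc_path': only the URL path matches; suppressed for allowlisted SourceIPs.
    None      : no match.
    """
    ips, names, paths = classify(IOC_URLS)
    url = urlsplit(row.get("RequestURL") or "")
    host = (url.hostname or row.get("DestinationHostName") or "").lower()
    if row.get("DestinationIP") in ips or host in ips or host in names:
        return "ioc_host"
    if url.path in paths:
        return None if row.get("SourceIP") in allowed_sources else "ioc_path"
    return None


# Constructed rows: a true hit, a path-only hit from the patch server, a
# path-only hit from a workstation, and an unrelated request.
SAMPLE_ROWS = [
    {"SourceIP": "10.1.2.3", "DestinationIP": "65.20.105.177",
     "RequestURL": "http://65.20.105.177:8080/cloud/mscomctl.ocx"},
    {"SourceIP": "10.50.0.5", "DestinationIP": "10.50.0.9",
     "RequestURL": "http://patch.corp.example/cloud/mscomctl.ocx"},
    {"SourceIP": "10.1.2.4", "DestinationIP": "10.50.0.9",
     "RequestURL": "http://patch.corp.example/cloud/mscomctl.ocx"},
    {"SourceIP": "10.1.2.5", "DestinationIP": "203.0.113.7",
     "RequestURL": "http://203.0.113.7/index.html", "DestinationHostName": ""},
]
PATCH_SERVERS = frozenset({"10.50.0.5"})  # constructed allowlist


def hunt(rows, allowed_sources=PATCH_SERVERS):
    """Return [(SourceIP, verdict)] for every row that matched."""
    hits = []
    for row in rows:
        verdict = score_row(row, allowed_sources)
        if verdict:
            hits.append((row["SourceIP"], verdict))
    return hits


if __name__ == "__main__":
    for table, query in build_kql(IOC_URLS).items():
        print(f"-- {table}\n{query}\n")
    print(hunt(SAMPLE_ROWS))
```

Running the block prints the generated queries and the verdicts for the sample rows; the patch-server row is suppressed while the workstation fetching the same path from an internal host is kept for review, and the request to 65.20.105.177 is always reported regardless of the allowlist.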
The scenarios below apply to broader hunts that key on .lnk filenames or paths. None of them justifies suppressing a match on the IOC host itself: no legitimate maintenance, deployment, or logon process fetches content from 65.20.105.177:8080.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task on a managed host downloads a .lnk file from an internal patch or update server as part of a system update or patching process.
Filter/Exclusion: Allowlist the known patch-server hosts or source IPs, or exclude internal URLs whose path contains systemupdate, patch, or maintenance. Keyword exclusions are weak on their own, since an attacker can choose the same words; prefer the server allowlist.
Scenario: Admin User Downloading a Known Safe .lnk File
Description: An admin user downloads a .lnk file from a trusted internal repository (e.g., a shared drive or a company-approved tool server) for testing or documentation.
Filter/Exclusion: Filter by the repository host or share rather than by generic words such as internal, trusted, or repo in the URL. Avoid excluding by account name (e.g., admin or sysadmin): privileged accounts are the ones an adversary most wants to operate from, so their downloads deserve more scrutiny, not less.
Scenario: Logon Script Execution
Description: A logon script delivered by Active Directory (e.g., via Group Policy) includes a .lnk file that launches a legitimate application or script.
Filter/Exclusion: Exclude requests whose source is the domain controllers' SYSVOL or NETLOGON shares, or the script location defined in the GPO, rather than keyword-matching logon or group policy in the request.
Scenario: Software Deployment via SCCM
Description: A Software Center (SCCM) deployment includes a .lnk shortcut that launches a legitimate application or installer.
Filter/Exclusion: Filter by the IP or hostname of the SCCM distribution point, or by internal URLs whose path contains sccm, softwarecenter, or deployment.
Scenario: User-Initiated Download of a Legacy .lnk Shortcut
Description: A user downloads a .lnk shortcut from a trusted website (e.g., Microsoft support or a company portal) to access a