The hypothesis is that the detected malicious URLs are used by adversaries to download malware onto compromised systems, indicating potential initial compromise. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage threats before they escalate.
IOC Summary
Threat: malware_download | Total URLs: 3 | Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://112.248.185.196:54532/i | online | malware_download | 2026-04-19 |
| hxxp://182.114.250.48:58215/i | online | malware_download | 2026-04-19 |
| hxxp://182.114.250.48:58215/bin.sh | online | malware_download | 2026-04-19 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Note: these indicators are IP literals, so a client fetching hxxp://<ip>:<port>/ makes no
// DNS query for them. Match on the resolved addresses (IPAddresses) as well as on Name so
// that any hostname resolving to the IOC IPs is surfaced.
let malicious_domains = dynamic(["112.248.185.196", "182.114.250.48"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// DestinationHostName is often empty for IP-literal destinations, so also check DestinationIP.
let malicious_domains = dynamic(["112.248.185.196", "182.114.250.48"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is downloading a known malicious URL as part of a security tool update or patch.
Filter/Exclusion: Exclude URLs that match known security tool update domains (e.g., *.update.microsoft.com, *.symantec.com, *.kaspersky.com).
Scenario: A scheduled job is configured to fetch malware samples from a sandboxing platform (e.g., Cuckoo Sandbox) for analysis.
Filter/Exclusion: Exclude URLs that contain the domain sandbox.org or cuckoo.sh and are associated with internal sandboxing infrastructure.
Scenario: A user is accessing a legitimate phishing detection URL (e.g., from a security awareness training platform) to report a phishing email.
Filter/Exclusion: Exclude URLs that match known phishing training domains (e.g., training.phishingawareness.com, secure-training.net).
Scenario: A DevOps pipeline is using a CI/CD tool (e.g., Jenkins, GitLab CI) to fetch dependencies from a public repository, which includes a URL flagged by URLhaus.
Filter/Exclusion: Exclude URLs that are part of known CI/CD toolchains (e.g., *.maven.org, *.npmjs.org, *.rubygems.org) or match internal artifact repositories.
Scenario: An internal tool is used to monitor and report on network traffic, and it periodically accesses a known monitoring URL (e.g., from a SIEM system).
Filter/Exclusion: Exclude URLs that match internal monitoring tools (e.g., *.splunk.com, *.logz.io, *.datadog.com) or are part of the organization’s internal monitoring infrastructure.
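The matching performed by the CommonSecurityLog query above, combined with the allowlist-style exclusions from the false-positive scenarios, as an added offline example that is not part of the original report. It refangs the hxxp:// indicators from the IOC table, extracts their hosts, and runs the hunt over constructed sample records in CommonSecurityLog shape; the ALLOWLIST patterns and SAMPLE_RECORDS are assumptions for illustration.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Indicators from the report's IOC table (defanged with hxxp://).
IOC_URLS = [
    "hxxp://112.248.185.196:54532/i",
    "hxxp://182.114.250.48:58215/i",
    "hxxp://182.114.250.48:58215/bin.sh",
]

# Allowlist patterns taken from the false-positive scenarios (assumed subset).
ALLOWLIST = ["*.update.microsoft.com", "*.maven.org", "*.npmjs.org"]

def refang(url: str) -> str:
    """Turn a defanged URL (hxxp, [.]) back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")

def ioc_hosts(urls):
    """Set of hostnames / IP literals from the IOC URLs (ports dropped)."""
    return {urlsplit(refang(u)).hostname for u in urls}

def is_allowlisted(host: str) -> bool:
    return any(fnmatch.fnmatch(host, p) for p in ALLOWLIST)

def hunt(records, urls=IOC_URLS):
    """Return records whose RequestURL host or DestinationHostName hits an IOC host
    and is not covered by the allowlist (mirrors the CommonSecurityLog query)."""
    hosts = ioc_hosts(urls)
    hits = []
    for rec in records:
        candidates = set()
        if rec.get("RequestURL"):
            candidates.add(urlsplit(rec["RequestURL"]).hostname)
        if rec.get("DestinationHostName"):
            candidates.add(rec["DestinationHostName"])
        candidates.discard(None)
        if any(h in hosts for h in candidates) and not any(is_allowlisted(h) for h in candidates):
            hits.append(rec)
    return hits

# Constructed sample records in CommonSecurityLog shape (not real telemetry).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-04-19T10:01:00Z", "SourceIP": "10.0.0.15", "RequestURL": "http://182.114.250.48:58215/bin.sh", "DestinationHostName": "182.114.250.48", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-04-19T10:02:00Z", "SourceIP": "10.0.0.22", "RequestURL": "https://dl.update.microsoft.com/patch.cab", "DestinationHostName": "dl.update.microsoft.com", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-04-19T10:03:00Z", "SourceIP": "10.0.0.31", "RequestURL": "http://112.248.185.196:54532/i", "DestinationHostName": "", "DeviceAction": "deny"},
]
```

Running `hunt(SAMPLE_RECORDS)` returns the first and third records; the second is not an IOC host and would in any case be dropped by the update-domain exclusion.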