The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, bypassing traditional defenses. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread.
IOC Summary
Threat: malware_download
Total URLs: 3
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://222.142.244.164:39627/i | online | malware_download | 2026-04-24 |
| hxxp://196.190.1.39:52936/bin.sh | online | malware_download | 2026-04-24 |
| hxxps://use-claude.com/install.ps1 | offline | malware_download | 2026-04-24 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Only the indicators still marked "online" in the IOC summary are listed here.
let malicious_domains = dynamic(["196.190.1.39", "222.142.244.164"]);
DnsEvents
// Bare IP indicators appear in the resolved-address column, not the queried Name,
// so both columns are checked; the Name match covers hostname indicators.
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["196.190.1.39", "222.142.244.164"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is downloading a known malicious URL as part of a malware analysis lab setup.
  Filter/Exclusion: Exclude URLs that match known malware analysis lab domains (e.g., malwr.com, virusshare.com, urlhaus.org).
- Scenario: A scheduled job is fetching updates from a legitimate enterprise repository that uses a URL similar to a known malicious pattern.
  Filter/Exclusion: Exclude URLs containing specific enterprise domain names (e.g., internal-repo.corp.example.com) or matching a regex pattern for internal update servers.
- Scenario: A user is accessing a phishing simulation URL that mimics a malicious URL used in a recent attack.
  Filter/Exclusion: Exclude URLs that match the phishing simulation domain (e.g., phishsim.example.com) or are tagged with a specific simulation identifier.
- Scenario: A security tool like CrowdStrike or Microsoft Defender is downloading a signature update from a known malicious-looking URL.
  Filter/Exclusion: Exclude URLs that match known security tool update endpoints (e.g., signature-update.crowdstrike.com, download.microsoft.com).
- Scenario: A DevOps pipeline is using a CI/CD tool like Jenkins or GitLab CI to fetch a dependency from a public repository that contains a URL flagged by URLhaus.
  Filter/Exclusion: Exclude URLs that match known CI/CD tool artifact repositories (e.g., maven.org, npmjs.com, pypi.org) or are associated with specific project names.
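The `let malicious_domains = dynamic([...])` line at the top of both hunts is easiest to keep current if it is generated from the IOC table rather than typed by hand. The following added example (not part of the original hunt package) parses the defanged IOC table above, keeps only indicators still marked online, drops any host on an exclusion list built from the false-positive scenarios, and renders the KQL `let` statement; `IOC_TABLE` is a constructed copy of the table and `ALLOWLIST` is a hypothetical exclusion list using the page's example names.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the IOC summary table above (defanged URLs, as URLhaus publishes them).
IOC_TABLE = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://222.142.244.164:39627/i | online | malware_download | 2026-04-24 |
| hxxp://196.190.1.39:52936/bin.sh | online | malware_download | 2026-04-24 |
| hxxps://use-claude.com/install.ps1 | offline | malware_download | 2026-04-24 |
"""

# Hypothetical exclusion list built from the false-positive scenarios (names are the page's examples).
ALLOWLIST = frozenset({"phishsim.example.com", "internal-repo.corp.example.com"})

def parse_ioc_table(text):
    """Parse the pipe-delimited IOC table; tolerates rows with a missing leading '|'."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] in ("URL", "---"):  # skip header and separator rows
            continue
        rows.append(dict(zip(("url", "status", "threat", "date"), cells)))
    return rows

def refang(url):
    """Turn a defanged URL (hxxp://, [.]) back into a parseable one; it is never fetched."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")

def indicator_host(url):
    """Hostname or IP of an indicator, without port or path (what the KQL matches on)."""
    host = urlsplit(refang(url)).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower()

def active_hosts(rows, allowlist=frozenset()):
    """Hosts of 'online' indicators, minus allowlisted names, deduplicated and sorted."""
    hosts = {indicator_host(r["url"]) for r in rows if r["status"] == "online"}
    return sorted(hosts - set(allowlist))

def kql_let(name, values):
    """Render the 'let <name> = dynamic([...]);' line used at the top of both hunts."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"

if __name__ == "__main__":
    print(kql_let("malicious_domains", active_hosts(parse_ioc_table(IOC_TABLE), ALLOWLIST)))
```

Run as-is it prints exactly the `let` line used in the two queries above; an indicator that later goes offline in the IOC feed drops out of the list on the next regeneration.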