The hypothesis is that the detected malicious URLs are used by adversaries to download malware onto compromised systems, indicating potential initial compromise. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage malware deployment attempts before they cause widespread damage.
IOC Summary
Threat: malware_download
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://123.12.30.14:46894/i | online | malware_download | 2026-06-06 |
| hxxp://123.12.30.14:46894/bin.sh | online | malware_download | 2026-06-06 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Caveat: this indicator is an IP literal. A client that connects straight to the IP
// makes no DNS query, so the Name match will rarely fire; the IPAddresses check
// catches any domain that resolved to the indicator instead.
let malicious_domains = dynamic(["123.12.30.14"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// DestinationIP is checked as well: proxies and firewalls often log the raw IP
// without populating DestinationHostName when the client connected by IP.
let malicious_domains = dynamic(["123.12.30.14"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is downloading a known malicious URL as part of a security tool update or patch.
Filter/Exclusion: Exclude URLs associated with known security tools (e.g., malware_download tagged URLs from reputable sources like Microsoft, Cisco, or Red Hat).
Scenario: A scheduled job is executing a script that fetches a URL from a legitimate internal repository to update configuration files.
Filter/Exclusion: Exclude URLs that match internal IP ranges or internal domain names (e.g., internal.company.com or 10.0.0.0/8).
Scenario: A user is accessing a phishing simulation URL hosted by the security team to test employee awareness.
Filter/Exclusion: Exclude URLs containing specific simulation domains (e.g., phishing-sim.company.com or test-phishing.link).
Scenario: A backup job is downloading a compressed file from a remote server using a URL that matches a known malicious pattern.
Filter/Exclusion: Exclude URLs that match backup-related domains (e.g., backup-service.company.com or backup-restore.link).
Scenario: A developer is using a CI/CD pipeline to fetch a dependency from a public repository, which is flagged due to a false positive in the URLhaus database.
Filter/Exclusion: Exclude URLs that match known package managers (e.g., npm, PyPI, or Maven) or repositories (e.g., npmjs.com, pypi.org).
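A small Python triage helper, added here as an example and not part of the original hunt, that refangs the IOC table's URLs into the host list the KQL `has_any()` needs and applies the exclusion scenarios above to sample web-proxy events. The allowlist values, the extra pypi.org feed entry and the sample events are constructed to exercise the exclusions.

```python
"""Refang URLhaus IOCs and triage proxy events with the page's exclusions.
Added example, not part of the original hunt; allowlists and events are constructed."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# IOCs from the page's table (defanged), plus one constructed pypi.org entry to exercise scenario 5
IOCS = ["hxxp://123.12.30.14:46894/i", "hxxp://123.12.30.14:46894/bin.sh",
        "hxxp://pypi[.]org/simple/evilpkg/"]  # constructed, not from the page

# Exclusions from the false-positive scenarios (hypothetical example values)
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
INTERNAL_SUFFIXES = ("internal.company.com",)
ALLOWLIST = {"phishing-sim.company.com", "test-phishing.link",
             "backup-service.company.com", "npmjs.com", "pypi.org"}

def refang(url):
    """Undo hxxp:// and [.] defanging so urlsplit can parse the URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".").replace("[:]", ":")

def indicator_hosts(iocs):
    """Host part of each IOC: the value list the KQL has_any() should contain."""
    return sorted({urlsplit(refang(u)).hostname for u in iocs})

def is_excluded(host):
    """Apply the exclusion scenarios to a destination host (IP literal or name)."""
    try:
        ip = ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        pass  # not an IP literal; fall through to name checks
    host = host.lower()
    if host.endswith(INTERNAL_SUFFIXES):
        return True
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)

def triage(events, iocs):
    """Return events whose destination host is an IOC host and is not excluded."""
    hosts = set(indicator_hosts(iocs))
    return [ev for ev in events
            if (urlsplit(ev["url"]).hostname or "").lower() in hosts
            and not is_excluded(urlsplit(ev["url"]).hostname)]

# Constructed CommonSecurityLog-style events
EVENTS = [
    {"src": "10.1.2.3", "url": "http://123.12.30.14:46894/bin.sh", "action": "allowed"},
    {"src": "10.1.2.4", "url": "https://pypi.org/simple/requests/", "action": "allowed"},
    {"src": "10.1.2.5", "url": "http://phishing-sim.company.com/login", "action": "allowed"},
]

if __name__ == "__main__":
    print(indicator_hosts(IOCS), triage(EVENTS, IOCS))
```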