The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, leveraging compromised or phishing-based delivery methods. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread laterally or exfiltrate data.
IOC Summary

Threat: malware_download
Total URLs: 3
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://server-830796.thatserver.com/3kjE | offline | malware_download | 2026-06-26 |
| hxxp://113.10.155.239:45016/i | online | malware_download | 2026-06-26 |
| hxxp://113.10.155.239:45016/bin.sh | online | malware_download | 2026-06-26 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// The IOC table above contains one hostname and one IP address: queries are
// matched on the requested name, answers on the resolved IP.
let malicious_domains = dynamic(["server-830796.thatserver.com", "113.10.155.239"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
// Match the requested URL, the destination hostname and the destination IP,
// since proxies and firewalls populate these fields differently.
let malicious_domains = dynamic(["server-830796.thatserver.com", "113.10.155.239"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is downloading a known malicious URL as part of a security test or penetration testing exercise.
  Filter/Exclusion: Exclude URLs that match known penetration testing domains (e.g., vulnweb.com, exploit-db.com) or include a custom field like is_pentest: true.
- Scenario: A scheduled job is running a malware analysis tool that downloads payloads from a sandboxed environment (e.g., Cuckoo Sandbox or Joe Sandbox).
  Filter/Exclusion: Exclude URLs that contain sandbox-specific domains (e.g., sandboxed.io, cuckoo.net) or include a tag like sandboxed: yes.
- Scenario: A user is accessing a legitimate security tool or update server (e.g., Microsoft Update, Symantec Endpoint Protection) that temporarily uses a URL flagged by URLhaus.
  Filter/Exclusion: Exclude URLs that match known enterprise update servers or include a field like is_update_server: true.
- Scenario: A system is performing a network scan using a tool like nmap or Masscan, which may trigger URLs associated with scanning activities.
  Filter/Exclusion: Exclude URLs that contain nmap.org, masscan.io, or any known scanning tool domains, or include a tag like network_scan: true.
- Scenario: A backup or sync job (e.g., using rsync, SyncToy, or Veeam) is transferring files over HTTP, which may result in URLs flagged as malicious because their path structure resembles that of the indicators.
  Filter/Exclusion: Exclude URLs that include paths like /backup/, /sync/, or any known backup tool-specific endpoints, or include a tag like backup_job: true.
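The two hunting queries above match only on host and IP, and the scenarios above describe exclusions in prose. The following query, added here as an example and not part of the original hunt pack, combines both: it matches the full URLhaus indicators from the IOC table (host plus path), applies the exclusion domains and paths named in the scenarios, and grades each hit by whether the exact IOC URL or only the IOC host was contacted. It assumes the standard CommonSecurityLog columns (RequestURL, SourceIP, DeviceAction, TimeGenerated); the exclusion lists are taken verbatim from the scenarios and should be tuned to the environment.

```kql
// Added example: hunt the full URLhaus IOCs (host + path), not just the bare IP,
// with the false-positive exclusions from the scenarios applied.
// IOC rows are the three URLs from the table on this page (refanged).
let ioc_urls = datatable(IocUrl:string, IocStatus:string) [
    "http://server-830796.thatserver.com/3kjE", "offline",
    "http://113.10.155.239:45016/i",            "online",
    "http://113.10.155.239:45016/bin.sh",       "online"
];
let iocs = ioc_urls
    | extend Host = tostring(parse_url(IocUrl).Host), Path = tostring(parse_url(IocUrl).Path);
let ioc_hosts = toscalar(iocs | summarize make_set(Host));
// Exclusions named in the scenarios: pentest, sandbox and scanner domains, backup/sync paths.
let excluded_hosts = dynamic(["vulnweb.com", "exploit-db.com", "sandboxed.io", "cuckoo.net", "nmap.org", "masscan.io"]);
let excluded_paths = dynamic(["/backup/", "/sync/"]);
CommonSecurityLog
| where isnotempty(RequestURL)
// Some proxies log RequestURL without a scheme; parse_url needs one to split host from path.
| extend NormUrl = iff(RequestURL startswith "http", RequestURL, strcat("http://", RequestURL))
| extend Host = tostring(parse_url(NormUrl).Host), Path = tostring(parse_url(NormUrl).Path)
| where Host has_any (ioc_hosts)
| where not(Host has_any (excluded_hosts)) and not(Path has_any (excluded_paths))
// Exact host + path match is high confidence; IOC host with a different path is weaker but worth review.
| join kind=leftouter (iocs | project Host, Path, IocUrl, IocStatus) on Host, Path
| extend Confidence = iff(isnotempty(IocUrl), "high: exact IOC URL", "medium: IOC host only")
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Actions = make_set(DeviceAction) by SourceIP, Host, Path, Confidence, IocStatus
| order by Confidence asc, LastSeen desc
```

Rows whose Actions set contains only a block or deny verdict still show that a host reached for the indicator and are worth a look at the source; an allowed exact-URL hit should be escalated as a likely download of the payload.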