The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, bypassing traditional defenses. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and neutralize potential malware infections before they spread.
IOC Summary
Threat: malware_download
Total URLs: 6
Active URLs: 6
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://222.138.135.208:60578/i | online | malware_download | 2026-06-19 |
| hxxp://120.28.76.69:55361/i | online | malware_download | 2026-06-19 |
| hxxp://42.233.105.9:48792/i | online | malware_download | 2026-06-19 |
| hxxp://42.233.105.9:48792/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://93.157.253.209:45004/i | online | malware_download | 2026-06-19 |
| hxxp://93.157.253.209:45004/bin.sh | online | malware_download | 2026-06-19 |
```kusto
// Hunt for DNS activity involving URLhaus malicious hosts
// Threat: malware_download
// The URLhaus entries are bare IPs, so an IP will rarely appear as the queried
// Name; also check the resolved IPAddresses column so the hunt is not empty by design.
let malicious_domains = dynamic(["93.157.253.209", "222.138.135.208", "42.233.105.9", "120.28.76.69"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic (proxy/firewall CEF logs) to URLhaus malicious hosts
// Threat: malware_download
let malicious_domains = dynamic(["93.157.253.209", "222.138.135.208", "42.233.105.9", "120.28.76.69"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
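The two queries above match only on the bare IP, so a hit on `42.233.105.9` cannot be told apart from a hit on the `/bin.sh` payload path. The following Python helper is an added example (not part of the original page or of URLhaus tooling): it refangs the `hxxp` rows from the IOC table, splits each into host, port and path, and emits a CommonSecurityLog hunt whose `let` lists cover both the hosts and the full URLs. It assumes the standard `DestinationIP` and `DestinationPort` columns of CommonSecurityLog; the table text embedded in it is a constructed copy of the rows above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the six rows of the IOC table above, kept as markdown
# table lines and defanged with "hxxp" exactly as URLhaus publishes them.
IOC_TABLE = """
| hxxp://222.138.135.208:60578/i | online | malware_download | 2026-06-19 |
| hxxp://120.28.76.69:55361/i | online | malware_download | 2026-06-19 |
| hxxp://42.233.105.9:48792/i | online | malware_download | 2026-06-19 |
| hxxp://42.233.105.9:48792/bin.sh | online | malware_download | 2026-06-19 |
| hxxp://93.157.253.209:45004/i | online | malware_download | 2026-06-19 |
| hxxp://93.157.253.209:45004/bin.sh | online | malware_download | 2026-06-19 |
"""

def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so the URL parses and matches log fields."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")

def parse_ioc_table(table: str) -> list:
    """One record per data row: refanged url, host, port, path, status, threat, date."""
    records = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].lower().startswith("hxxp"):
            continue  # skips the header and separator rows
        url = refang(cells[0])
        parts = urlsplit(url)
        records.append({"url": url, "host": parts.hostname, "port": parts.port, "path": parts.path,
                        "status": cells[1], "threat": cells[2], "date": cells[3]})
    return records

def kql_list(values) -> str:
    """Render values as a KQL dynamic([...]) literal of double-quoted strings."""
    return "dynamic([" + ", ".join('"' + v.replace('"', '\\"') + '"' for v in values) + "])"

def build_kql(records: list) -> str:
    """Emit a CommonSecurityLog hunt matching full URLs (host, port, path) and bare hosts."""
    hosts = sorted({r["host"] for r in records})
    urls = sorted({r["url"] for r in records})
    return "\n".join([
        f"let malicious_hosts = {kql_list(hosts)};",
        f"let malicious_urls = {kql_list(urls)};",
        "CommonSecurityLog",
        "| where RequestURL has_any (malicious_urls)",
        "    or DestinationHostName has_any (malicious_hosts)",
        "    or DestinationIP in (malicious_hosts)",
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DeviceAction",
        "| order by TimeGenerated desc",
    ])
```

Paste the string returned by `build_kql(parse_ioc_table(IOC_TABLE))` into the Sentinel Logs blade; regenerate it whenever the URLhaus feed changes so the lists never drift from the table.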
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update via Microsoft Update
Description: A legitimate scheduled task runs Microsoft Update, which may download payloads from Microsoft’s servers.
Filter/Exclusion: Exclude URLs containing update.microsoft.com or windowsupdate.com in the URL field.
Scenario: Admin Task Using PowerShell for Configuration Management
Description: An administrator uses PowerShell scripts to configure systems, which may temporarily download files from internal repositories.
Filter/Exclusion: Exclude URLs containing internal.repository or intranet in the domain portion of the URL.
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) downloads build artifacts from a secure internal or external repository.
Filter/Exclusion: Exclude URLs containing ci-cd, artifactory, or github.com (if known to be safe in the environment).
Scenario: Malware Analysis Lab Environment
Description: A security team uses a sandboxed environment to analyze malware, which may involve downloading known malicious files for testing.
Filter/Exclusion: Exclude URLs containing sandbox, malwareanalysis, or threatintel in the URL path.
Scenario: Email Client Fetching Attachments from Internal Server
Description: An email client (e.g., Microsoft Outlook) fetches attachments from an internal file server, which may be flagged due to the use of a suspicious-looking URL format.
Filter/Exclusion: Exclude URLs containing fileserver, internal.drive, or intranet in the domain portion of the URL.