The working hypothesis is that these URLs are payload-delivery points: a host that has already been compromised, or a user lured by phishing, fetches a second-stage binary from them. The paths (bin.sh, meow, meowarm64, the last an arm64 build) suggest shell-script droppers and ELF payloads aimed at Linux servers and IoT or embedded devices rather than Windows workstations. SOC teams should hunt for connections to these addresses in Microsoft Sentinel (formerly Azure Sentinel) and treat any hit, blocked or allowed, as evidence that the source host is already running something that tried to pull the payload, then contain it before it spreads laterally.
IOC Summary
Threat: malware_download
Total URLs: 6
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://42.57.203.242:47169/i | online | malware_download | 2026-06-01 |
| hxxp://175.175.34.119:57795/i | online | malware_download | 2026-06-01 |
| hxxp://110.39.226.207:54371/bin.sh | offline | malware_download | 2026-06-01 |
| hxxp://34.181.210.37/meowarm64 | offline | malware_download | 2026-06-01 |
| hxxp://34.181.210.37/meow | offline | malware_download | 2026-06-01 |
| hxxp://175.175.34.119:57795/bin.sh | offline | malware_download | 2026-06-01 |
```kql
// Hunt for DNS activity tied to the URLhaus indicators
// Threat: malware_download
// Caveat: all six URLs use raw IP addresses, so no DNS lookup precedes the
// download and the query Name will never contain them. Matching on the
// resolved-address field instead catches hosts that resolved some other
// name to one of these IPs. All four addresses are included; the two
// "offline" hosts may have been fetched from while they were still up.
let malicious_ips = dynamic(["42.57.203.242", "175.175.34.119", "110.39.226.207", "34.181.210.37"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["175.175.34.119", "42.57.203.242"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
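The two hunts above key on the literal IP addresses from the IOC table. The script below is an added example, not part of the URLhaus report or of Sentinel: it refangs the six rows, derives the de-duplicated host list in the `dynamic([...])` form the `let` statements need, and runs the same matching over a few constructed proxy log lines. The log format and the `10.1.2.x` source addresses are assumptions for the demonstration; the point it makes is that host comparison must be on the parsed hostname, since a substring search for `42.57.203.242` would also fire on `142.57.203.242`, while a new path on a known host:port (the same downloader usually serves several architecture-specific payloads) should still be reported.

```python
"""Added example (not part of the URLhaus report above): refang the IOC
rows, turn them into exact-match indicators, emit the KQL dynamic() literal
the Sentinel hunts need, and run the same matching over constructed proxy
log lines to show why host matching must be exact."""
import re
from urllib.parse import urlsplit

# The six rows of the IOC table above, still defanged. Offline entries are
# kept: a download that happened while they were online is exactly what we
# are hunting for.
IOC_URLS = [
    "hxxp://42.57.203.242:47169/i",
    "hxxp://175.175.34.119:57795/i",
    "hxxp://110.39.226.207:54371/bin.sh",
    "hxxp://34.181.210.37/meowarm64",
    "hxxp://34.181.210.37/meow",
    "hxxp://175.175.34.119:57795/bin.sh",
]

# Constructed proxy lines (not real telemetry): "<ts> <src-ip> <method> <url> <action>"
SAMPLE_LOG = [
    "2026-06-01T10:00:01Z 10.1.2.3 GET http://42.57.203.242:47169/i allow",
    "2026-06-01T10:00:05Z 10.1.2.9 GET http://142.57.203.242:47169/i allow",
    "2026-06-01T10:01:10Z 10.1.2.3 GET http://175.175.34.119:57795/x86 block",
    "2026-06-01T10:02:00Z 10.1.2.7 GET https://updates.microsoft.com/catalog allow",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<action>\S+)$")


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp/hxxps, [.] and [:]) so urlsplit can parse it."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def split_url(url: str):
    """(host, port, path) with the scheme default filled in when no port is given."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port, parts.path


def parse_iocs(urls):
    """Set of (host, port, path) tuples for every IOC URL."""
    return {split_url(refang(u)) for u in urls}


def ioc_hosts(urls):
    """Sorted, de-duplicated hosts, i.e. the list the KQL 'let' statement needs."""
    return sorted({host for host, _, _ in parse_iocs(urls)})


def kql_dynamic(values):
    """Render strings as a KQL dynamic([...]) literal for pasting into a hunt."""
    return "dynamic([" + ", ".join('"' + str(v) + '"' for v in values) + "])"


def hunt(log_lines, urls=IOC_URLS):
    """Return (source, url, action, match_kind) for each line hitting an IOC.

    Host comparison is on the parsed hostname, so 142.57.203.242 is not a hit
    for 42.57.203.242 (a substring search on the raw line would match it).
    A new path on a known host:port is still reported as "host-port".
    """
    iocs = parse_iocs(urls)
    host_ports = {(h, p) for h, p, _ in iocs}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip it rather than abort the batch
        host, port, path = split_url(m["url"])
        if (host, port, path) in iocs:
            hits.append((m["src"], m["url"], m["action"], "exact-url"))
        elif (host, port) in host_ports:
            hits.append((m["src"], m["url"], m["action"], "host-port"))
    return hits


if __name__ == "__main__":
    print("let malicious_ips = " + kql_dynamic(ioc_hosts(IOC_URLS)) + ";")
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Running it prints the `let malicious_ips = ...;` line ready to paste into either hunt, then two hits: the exact `/i` fetch from 10.1.2.3 and the blocked `/x86` fetch from the same host, which shares host and port with two indicators. The `142.57.203.242` line and the Microsoft update fetch produce nothing.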
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector from proxy and firewall appliances; ensure it is enabled and that DestinationIP and RequestURL are being mapped |
| DnsEvents | Populated by the Windows DNS connector (DNS Analytics); ensure it is enabled, and expect few or no hits for raw-IP URLs |
False-positive scenarios

Both hunts match literal IP addresses, so a legitimate service only produces a hit if it shares one of the four addresses. The scenarios below are the usual sources of noise for indicator hunts. In every case scope the exclusion to a known-good asset (source host, destination hostname or IP, service account), never to a URL path fragment: the adversary chooses the path and can reuse an excluded one to slip past the filter.

Scenario: Scheduled System Update Job
Description: A scheduled update or patching job fetches content from a server whose address coincides with a listed indicator.
Filter/Exclusion: Exclude by the update server's hostname or address (e.g., updates.microsoft.com, dl.google.com), after confirming the destination really belongs to the vendor.

Scenario: Admin Access Token Renewal
Description: An admin manually renews an access token against an identity-provider endpoint that the rule flags.
Filter/Exclusion: Exclude the identity provider's hostnames (e.g., login.microsoftonline.com for Azure AD, the tenant's Okta domain) rather than a path such as /token/renew, which any URL can carry.

Scenario: Log Collection from SIEM System
Description: A log collection agent (e.g., Splunk, ELK) connects to a SIEM system whose address is incorrectly tagged as malicious.
Filter/Exclusion: Exclude the SIEM system's internal IP or hostname (e.g., splunk.local) as a destination.

Scenario: Cloud Backup Job Execution
Description: A cloud backup tool (e.g., Veeam, Commvault) downloads a backup script or configuration file from a flagged address.
Filter/Exclusion: Exclude the backup vendor's domains or the internal repository host, not the /backup/script path.

Scenario: Internal DevOps Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a build artifact from an internal repository whose address is falsely flagged.
Filter/Exclusion: Exclude the internal artifact repository host (e.g., artifactory.internal.company.com) as a destination. If a pipeline genuinely fetches one of the raw-IP URLs above, that is not a false positive but a compromised build step or dependency, and the build host should be treated as a victim.