The hypothesis is that adversaries use the detected malicious URLs to download malware onto compromised systems; Azure Sentinel log data is used to find the hosts that contacted these URLs and so to identify potential initial compromise vectors. SOC teams should proactively hunt for these URLs to detect and mitigate early-stage malware infections before they spread within the network.
IOC Summary

Threat: malware_download
Total URLs: 3
Active URLs: 3

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://27.37.115.249:43421/i | online | malware_download | 2026-04-25 |
| hxxp://42.231.93.100:60469/bin.sh | online | malware_download | 2026-04-25 |
| hxxp://115.49.65.241:38418/bin.sh | online | malware_download | 2026-04-25 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Note: the IOC hosts are IP literals, so no client issues a DNS query named after them;
// the Name match is kept for completeness and the resolved answer IPs are checked as well.
let malicious_domains = dynamic(["27.37.115.249", "115.49.65.241", "42.231.93.100"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
let malicious_domains = dynamic(["27.37.115.249", "115.49.65.241", "42.231.93.100"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is downloading a known malicious URL as part of a malware analysis sandbox setup.
Filter/Exclusion: Exclude URLs that match known sandboxing platforms like [Cuckoo Sandbox](https://cuckoosandbox.org/) or Binary Defense.
Scenario: A scheduled job is running a security tool like Maltego or ThreatConnect to gather threat intelligence, which involves accessing URLs known to be associated with malicious activity.
Filter/Exclusion: Exclude URLs that originate from known threat intelligence platforms or are part of automated intelligence gathering tools.
Scenario: A user is accessing a phishing URL that was previously flagged as malicious but has since been remediated or removed from the threat list.
Filter/Exclusion: Exclude URLs that are no longer active or have been marked as safe in the URLhaus database.
Scenario: A legitimate software update or patch is being downloaded from a known malicious-looking URL due to a misconfigured CDN or proxy.
Filter/Exclusion: Exclude URLs that match known software update servers like Microsoft Update or Red Hat Update Infrastructure.
Scenario: A system is running a legitimate security tool like CrowdStrike Falcon or Microsoft Defender for Endpoint, which may access URLs for signature updates or threat intelligence.
Filter/Exclusion: Exclude URLs that are part of known security tool update mechanisms or are associated with legitimate security vendors.
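The two hunts above and the exclusion scenarios, re-implemented offline in Python as an added example for testing the matching logic before it is turned into analytics rules. This is not code from the original page, from URLhaus or from Microsoft Sentinel. It assumes constructed CommonSecurityLog- and DnsEvents-style rows, a hypothetical allowlist of update-server and sandbox hostnames plus known sandbox/threat-intel source IPs (none of these names are from the page), and it matches the parsed URL host exactly rather than with KQL `has_any` term semantics. It goes slightly beyond the page's queries in two ways: only IOCs whose URLhaus status is still `online` are hunted (the "no longer active" exclusion), and because the IOC hosts are IP literals the DNS hunt also checks the resolved answer IPs.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# IOCs from the summary table above, in the defanged hxxp:// form URLhaus publishes,
# plus one constructed entry (TEST-NET-2 address) marked offline to exercise the
# "no longer active" exclusion.
IOC_TABLE = [
    ("hxxp://27.37.115.249:43421/i", "online"),
    ("hxxp://42.231.93.100:60469/bin.sh", "online"),
    ("hxxp://115.49.65.241:38418/bin.sh", "online"),
    ("hxxp://198.51.100.7:8080/old.sh", "offline"),  # constructed
]

# Hypothetical allowlist for the exclusion scenarios: update servers and the internal
# sandbox (host suffixes), and source IPs of sandbox / threat-intel collection hosts.
ALLOWLIST_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "cdn.redhat.com")
KNOWN_ANALYSIS_SOURCES = {"10.1.50.5"}  # constructed sandbox host


@dataclass(frozen=True)
class Ioc:
    host: str
    port: Optional[int]
    path: str
    raw: str


def refang(url: str) -> str:
    """Turn the defanged 'hxxp://' or 'hxxps://' scheme back into a parseable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_ioc(raw: str) -> Ioc:
    parts = urlsplit(refang(raw))
    return Ioc(host=parts.hostname or "", port=parts.port, path=parts.path, raw=raw)


def active_ioc_hosts(table=IOC_TABLE) -> set:
    """Hosts of IOCs still marked online; offline ones are dropped (scenario 3)."""
    return {parse_ioc(raw).host for raw, status in table if status == "online"}


def is_allowlisted(hostname: Optional[str], suffixes=ALLOWLIST_SUFFIXES) -> bool:
    """Exact or subdomain match against the allowlisted host suffixes (scenarios 4 and 5)."""
    if not hostname:
        return False
    h = hostname.lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)


def hunt_web(events, hosts, suffixes=ALLOWLIST_SUFFIXES, sources=KNOWN_ANALYSIS_SOURCES):
    """Mirror of the CommonSecurityLog hunt: RequestURL host or DestinationHostName is an
    active IOC host, minus allowlisted hosts and known analysis sources (scenarios 1, 2, 4)."""
    hits = []
    for e in events:
        url_host = urlsplit(e.get("RequestURL") or "").hostname
        dest = e.get("DestinationHostName") or None
        if url_host not in hosts and dest not in hosts:
            continue
        if is_allowlisted(url_host, suffixes) or is_allowlisted(dest, suffixes):
            continue
        if e.get("SourceIP") in sources:
            continue
        hits.append(e)
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


def hunt_dns(events, hosts):
    """Mirror of the DnsEvents hunt. IPAddresses is a comma-separated answer list; the IOC
    hosts are IP literals, so a match there is the realistic signal, not the query Name."""
    hits = []
    for e in events:
        answers = {ip.strip() for ip in (e.get("IPAddresses") or "").split(",") if ip.strip()}
        if e.get("Name") in hosts or answers & hosts:
            hits.append(e)
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


# Constructed CommonSecurityLog-style rows with the columns the KQL projects.
PROXY_EVENTS = [
    {"TimeGenerated": "2026-04-25T08:01:10Z", "SourceIP": "10.1.4.22",
     "RequestURL": "http://42.231.93.100:60469/bin.sh", "DestinationHostName": "42.231.93.100",
     "DeviceAction": "allow"},                                   # true hit
    {"TimeGenerated": "2026-04-25T08:02:30Z", "SourceIP": "10.1.4.23",
     "RequestURL": "https://download.windowsupdate.com/patch.cab",
     "DestinationHostName": "27.37.115.249", "DeviceAction": "allow"},  # scenario 4: excluded
    {"TimeGenerated": "2026-04-25T08:03:05Z", "SourceIP": "10.1.9.8",
     "RequestURL": "", "DestinationHostName": "27.37.115.249",
     "DeviceAction": "block"},                                   # true hit, URL not logged
    {"TimeGenerated": "2026-04-25T08:04:00Z", "SourceIP": "10.1.7.1",
     "RequestURL": "http://198.51.100.7:8080/old.sh", "DestinationHostName": "198.51.100.7",
     "DeviceAction": "allow"},                                   # scenario 3: IOC offline
    {"TimeGenerated": "2026-04-25T08:05:00Z", "SourceIP": "10.1.50.5",
     "RequestURL": "http://115.49.65.241:38418/bin.sh", "DestinationHostName": "115.49.65.241",
     "DeviceAction": "allow"},                                   # scenario 1: sandbox host
]

# Constructed DnsEvents-style rows.
DNS_EVENTS = [
    {"TimeGenerated": "2026-04-25T07:59:00Z", "Computer": "ws-042",
     "Name": "files.example.net", "IPAddresses": "203.0.113.9,27.37.115.249"},  # answer is an IOC IP
    {"TimeGenerated": "2026-04-25T08:00:00Z", "Computer": "ws-017",
     "Name": "www.example.org", "IPAddresses": "93.184.216.34"},
]

if __name__ == "__main__":
    hosts = active_ioc_hosts()
    for hit in hunt_web(PROXY_EVENTS, hosts):
        print("web ", hit["TimeGenerated"], hit["SourceIP"], hit["RequestURL"] or hit["DestinationHostName"])
    for hit in hunt_dns(DNS_EVENTS, hosts):
        print("dns ", hit["TimeGenerated"], hit["Computer"], hit["Name"], hit["IPAddresses"])
```

Run as a script it prints the two surviving web hits (the blocked connection to 27.37.115.249 and the allowed fetch of bin.sh) and the one DNS hit whose answer contained an IOC address. The allowlist is applied to hostnames only and the sandbox exclusion to source IPs, which keeps the two kinds of exclusion independently reviewable; in a real rule the equivalent lists would be maintained as Sentinel watchlists rather than constants.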