The hypothesis is that adversaries are using known malicious URLs from URLhaus to download malware into compromised environments. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread.
IOC Summary
Threat: malware_download
Total URLs: 11
Active URLs: 11
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://219.156.57.232:37983/i | online | malware_download | 2026-05-24 |
| hxxp://123.11.9.175:58619/i | online | malware_download | 2026-05-24 |
| hxxp://113.231.242.51:54564/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://123.11.9.175:58619/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://154.242.141.222:53861/i | online | malware_download | 2026-05-24 |
| hxxp://154.242.141.222:53861/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://108.170.136.155:34374/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://108.170.136.155:34374/i | online | malware_download | 2026-05-24 |
| hxxp://23.92.130.154:46582/i | online | malware_download | 2026-05-24 |
| hxxp://23.92.130.154:46582/bin.sh | online | malware_download | 2026-05-24 |
| hxxp://119.117.99.3:33496/bin.sh | online | malware_download | 2026-05-24 |
```kusto
// Hunt for DNS activity involving URLhaus malicious hosts
// Threat: malware_download
// The IOCs above are bare IP addresses, so a hit in the queried Name is unlikely
// (only reverse lookups carry the IP); the resolved IPAddresses column is the
// field most likely to match, so both are checked.
let malicious_domains = dynamic(["108.170.136.155", "119.117.99.3", "219.156.57.232", "154.242.141.222", "113.231.242.51", "23.92.130.154", "123.11.9.175"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: malware_download
let malicious_domains = dynamic(["108.170.136.155", "119.117.99.3", "219.156.57.232", "154.242.141.222", "113.231.242.51", "23.92.130.154", "123.11.9.175"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update via Microsoft Update
Description: A legitimate system update process downloads a Microsoft-signed package from a known Microsoft URL, which may be flagged due to its similarity to malicious URLs.
Filter/Exclusion: Exclude URLs containing update.microsoft.com or download.microsoft.com using a regex pattern like .*update\.microsoft\.com.* or .*download\.microsoft\.com.*.
Scenario: Admin Task: PowerShell Script Execution
Description: An administrator runs a PowerShell script that downloads a legitimate tool (e.g., choco install or scoop install) from a trusted source, which may be misclassified as malicious.
Filter/Exclusion: Exclude URLs containing chocolatey.org or scoop.sh using a regex pattern like .*chocolatey\.org.* or .*scoop\.sh.*.
Scenario: Log Management Tool Configuration
Description: A log management tool (e.g., Splunk, ELK Stack) is configured to download configuration files from a remote server, which may be flagged as a malicious download.
Filter/Exclusion: Exclude URLs containing splunk.com or elkstack.org using a regex pattern like .*splunk\.com.* or .*elkstack\.org.*.
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) downloads a build artifact from a private or public repository, which may be flagged due to the URL structure.
Filter/Exclusion: Exclude URLs containing github.com, gitlab.com, or jenkins.io using a regex pattern like .*github\.com.* or .*jenkins\.io.*.
Scenario: Antivirus Signature Update
Description:
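The following is an added, stand-alone example (not part of the original hunt page, and not a Sentinel query) that reproduces the logic of the two hunts above and of the false-positive exclusions offline, over exported log rows. It refangs the URLhaus `hxxp` URLs from the table, matches on the parsed host and port rather than on a substring, and applies the exclusion hosts from the scenarios as exact-host or parent-domain matches instead of unanchored `.*host.*` patterns. It generalises slightly beyond the page: a hit on an IOC host with a different port is reported separately as a weaker `host` verdict, since the port in these URLs is the least stable part. The record shape (`SourceIP`, `RequestURL`) mirrors the CommonSecurityLog columns used above; the sample rows and the `.invalid` lookalike host are constructed for the example.

```python
from urllib.parse import urlsplit

# IOC URLs exactly as listed in the table above (URLhaus defangs http as hxxp).
IOC_URLS = [
    "hxxp://219.156.57.232:37983/i",
    "hxxp://123.11.9.175:58619/i",
    "hxxp://113.231.242.51:54564/bin.sh",
    "hxxp://123.11.9.175:58619/bin.sh",
    "hxxp://154.242.141.222:53861/i",
    "hxxp://154.242.141.222:53861/bin.sh",
    "hxxp://108.170.136.155:34374/bin.sh",
    "hxxp://108.170.136.155:34374/i",
    "hxxp://23.92.130.154:46582/i",
    "hxxp://23.92.130.154:46582/bin.sh",
    "hxxp://119.117.99.3:33496/bin.sh",
]

# Hosts from the false-positive scenarios. A host is excluded only if it IS one
# of these or is a subdomain of one, never if the string merely appears in the URL.
ALLOWED_HOSTS = (
    "update.microsoft.com", "download.microsoft.com",
    "chocolatey.org", "scoop.sh",
    "splunk.com", "elkstack.org",
    "github.com", "gitlab.com", "jenkins.io",
)


def refang(url: str) -> str:
    """Turn a URLhaus-defanged scheme back into a parseable one."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def host_port(url: str):
    """Return (host, port) for a URL, or (None, None) if it has no host."""
    parts = urlsplit(refang(url))
    if not parts.hostname:
        return None, None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname.lower(), port


IOC_NETLOCS = {host_port(u) for u in IOC_URLS}   # (host, port) pairs
IOC_HOSTS = {host for host, _ in IOC_NETLOCS}    # hosts alone, for the weaker match


def is_allowed_host(host: str) -> bool:
    """Exact-host or parent-domain allowlist check (anchored, unlike .*host.*)."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def classify(record: dict) -> str:
    """Classify one CommonSecurityLog-shaped record.

    'exact'    host and port match an IOC URL (high confidence)
    'host'     host matches an IOC but the port differs (worth a look)
    'excluded' host is on the allowlist from the false-positive scenarios
    'clear'    nothing matched
    """
    host, port = host_port(record.get("RequestURL", ""))
    if host is None:
        return "clear"
    if is_allowed_host(host):
        return "excluded"
    if (host, port) in IOC_NETLOCS:
        return "exact"
    if host in IOC_HOSTS:
        return "host"
    return "clear"


def hunt(records):
    """Return [(SourceIP, RequestURL, verdict)] for every record that is not clear."""
    out = []
    for rec in records:
        verdict = classify(rec)
        if verdict != "clear":
            out.append((rec.get("SourceIP"), rec.get("RequestURL"), verdict))
    return out


# Constructed sample rows (not real telemetry), shaped like CommonSecurityLog.
SAMPLE_RECORDS = [
    {"SourceIP": "10.0.0.5", "RequestURL": "http://23.92.130.154:46582/bin.sh"},   # exact IOC
    {"SourceIP": "10.0.0.6", "RequestURL": "http://23.92.130.154:8080/x"},         # IOC host, other port
    {"SourceIP": "10.0.0.7", "RequestURL": "http://223.92.130.154:46582/bin.sh"},  # substring lookalike, different host
    {"SourceIP": "10.0.0.8", "RequestURL": "https://download.microsoft.com/update.cab"},
    {"SourceIP": "10.0.0.9", "RequestURL": "http://update.microsoft.com.lookalike.invalid/i"},  # must NOT be excluded
    {"SourceIP": "10.0.0.10", "RequestURL": "https://github.com/org/repo/releases/tool.zip"},
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_RECORDS):
        print(row)
```

Two rows illustrate why the parsed-host approach is preferable to substring or `.*host.*` matching: `223.92.130.154` contains the IOC `23.92.130.154` as a substring yet is a different host and stays clear, and `update.microsoft.com.lookalike.invalid` would be swallowed by an unanchored `.*update\.microsoft\.com.*` exclusion but is not on the allowlist here.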