The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, leveraging compromised or phishing-based delivery methods. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread laterally or exfiltrate data.
IOC Summary

Threat: malware_download
Total URLs: 3
Active URLs: 1

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://27.44.147.187:43421/i | online | malware_download | 2026-05-31 |
| hxxp://125.47.35.203:57780/bin.sh | offline | malware_download | 2026-05-31 |
| hxxp://42.227.136.179:54892/bin.sh | offline | malware_download | 2026-05-31 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Note: these IOCs are bare IP addresses, so a client reaching them needs no DNS lookup
// and Name will rarely match. The IPAddresses column (resolved answers) is checked as well,
// which catches names that resolve to the listed hosts.
let malicious_domains = dynamic(["27.44.147.187"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
// Only the currently active IOC is listed; add the offline hosts from the table
// (125.47.35.203, 42.227.136.179) when hunting retrospectively for earlier connections.
let malicious_domains = dynamic(["27.44.147.187"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is downloading a known malicious URL as part of a security tool update or patch.
  - Filter/Exclusion: Exclude URLs that match known security tool update domains (e.g., updates.microsoft.com, download.mozilla.org).
- Scenario: A scheduled job is configured to fetch malware samples from a sandboxing platform (e.g., Cuckoo Sandbox) for analysis.
  - Filter/Exclusion: Exclude URLs that contain the domain sandboxed.malwareanalysis.com or similar sandboxing service domains.
- Scenario: An IT admin is using a legitimate tool like wget or curl to download a configuration file from an internal repository (e.g., internal-repo.example.com).
  - Filter/Exclusion: Exclude URLs that originate from internal IP ranges or internal domain names (e.g., *.internal.example.com).
- Scenario: A user is accessing a legitimate phishing training page hosted by a security vendor (e.g., KnowBe4) to simulate phishing attacks.
  - Filter/Exclusion: Exclude URLs that contain the domain knowbe4.com or similar phishing training domains.
- Scenario: A system is running a legitimate automated script that downloads a malware analysis tool (e.g., virustotal.com) for threat intelligence purposes.
  - Filter/Exclusion: Exclude URLs that match the domain virustotal.com or include query parameters like apikey=....
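The following Python script is an added example, not part of the original hunt package or of URLhaus tooling. It ties the two halves of the page together: it refangs the defanged IOC table, renders the `dynamic([...])` list so the Sentinel query above covers every listed host instead of only the active one, and then runs the same `has_any`-style match over a handful of constructed CommonSecurityLog-like rows while applying the false-positive exclusions listed above (allowlisted domain suffixes and RFC 1918 ranges). The log rows, the `internal.example.com` and `sandboxed.malwareanalysis.com` names, and the private ranges are assumptions for the dry run, not observed telemetry.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed copy of the IOC table above (defanged URLhaus form), not a live feed.
IOC_TABLE = [
    ("hxxp://27.44.147.187:43421/i", "online"),
    ("hxxp://125.47.35.203:57780/bin.sh", "offline"),
    ("hxxp://42.227.136.179:54892/bin.sh", "offline"),
]

# Allowlisted domains taken from the false-positive scenarios; internal.example.com and
# sandboxed.malwareanalysis.com are the placeholder names used in the text, not real hosts.
ALLOWLIST_SUFFIXES = (
    "updates.microsoft.com", "download.mozilla.org", "knowbe4.com",
    "virustotal.com", "internal.example.com", "sandboxed.malwareanalysis.com",
)
# Assumed internal ranges (RFC 1918); replace with the organisation's own prefixes.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(url: str) -> str:
    """Undo URLhaus-style defanging (hxxp://, [.], [:]) so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def ioc_hosts(table, include_offline: bool = True) -> list:
    """Extract the host of each IOC. Offline URLs are kept by default because a
    retrospective hunt still wants to know whether a host reached them earlier."""
    hosts = []
    for url, status in table:
        if status != "online" and not include_offline:
            continue
        hosts.append(urlsplit(refang(url)).hostname)
    return hosts


def build_kql(hosts, table: str = "CommonSecurityLog") -> str:
    """Render the dynamic() list so the page's web-traffic query covers every IOC."""
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return (
        f"let malicious_domains = dynamic([{quoted}]);\n"
        f"{table}\n"
        "| where RequestURL has_any (malicious_domains) "
        "or DestinationHostName has_any (malicious_domains)"
    )


def is_excluded(url: str) -> bool:
    """Apply the exclusions: allowlisted domain suffixes and internal address ranges.
    Suffix matching is anchored on a dot so evilknowbe4.com does not slip through."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in ALLOWLIST_SUFFIXES):
        return True
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETWORKS)
    except ValueError:  # host is a name, not an address
        return False


def hunt(records, hosts) -> list:
    """Mimic the has_any substring match of the Sentinel query over proxy-style
    records, then drop rows that fall under a documented false-positive scenario."""
    hits = []
    for rec in records:
        url = rec.get("RequestURL", "")
        dst = rec.get("DestinationHostName", "")
        if not any(h in url or h == dst for h in hosts):
            continue
        if is_excluded(url):
            continue
        hits.append(rec)
    return hits


# Constructed CommonSecurityLog-style rows for the dry run (not real telemetry).
SAMPLE_LOG = [
    {"TimeGenerated": "2026-06-01T08:02:11Z", "SourceIP": "10.1.2.3",
     "RequestURL": "http://27.44.147.187:43421/i", "DestinationHostName": "27.44.147.187"},
    {"TimeGenerated": "2026-06-01T08:05:40Z", "SourceIP": "10.1.7.9",
     "RequestURL": "https://updates.microsoft.com/download/x.cab",
     "DestinationHostName": "updates.microsoft.com"},
    {"TimeGenerated": "2026-06-01T09:15:02Z", "SourceIP": "10.1.2.3",
     "RequestURL": "http://125.47.35.203:57780/bin.sh", "DestinationHostName": "125.47.35.203"},
    # Internal sandbox mirror whose sample name contains an IOC string: has_any would
    # flag it, the internal-domain exclusion removes it.
    {"TimeGenerated": "2026-06-01T10:30:00Z", "SourceIP": "10.9.0.4",
     "RequestURL": "http://sandbox.internal.example.com/samples/27.44.147.187_bin.sh",
     "DestinationHostName": "sandbox.internal.example.com"},
]

if __name__ == "__main__":
    hosts = ioc_hosts(IOC_TABLE)
    print(build_kql(hosts))
    for hit in hunt(SAMPLE_LOG, hosts):
        print(hit["TimeGenerated"], hit["SourceIP"], hit["RequestURL"])
```

Running it prints the expanded KQL and two surviving hits (the active and one offline IOC, both from 10.1.2.3); the allowlisted update download never matches and the internal sandbox row is matched by substring but dropped by the exclusion. The exclusions are applied after matching on purpose, so a hit against an allowlisted domain is still visible for review if the exclusion step is switched off.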