The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, leveraging compromised or phishing-based delivery methods. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread laterally or exfiltrate data.
IOC Summary

Threat: malware_download
Total URLs: 4
Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://182.114.192.248:48384/bin.sh | online | malware_download | 2026-06-07 |
| hxxp://42.180.39.77:49590/bin.sh | online | malware_download | 2026-06-07 |
| hxxp://175.146.204.245:50287/i | online | malware_download | 2026-06-07 |
| hxxp://60.22.86.235:35153/i | online | malware_download | 2026-06-07 |
Query 1: DNS activity involving the URLhaus IOCs. The IOCs in this hunt are raw IP addresses rather than domains, so matching them against the queried name (`Name`) would never hit; the resolved addresses in `IPAddresses` are the column to test.

```kql
// Hunt for DNS answers that resolve to URLhaus malicious IPs
// Threat: malware_download
// The IOCs are bare IPv4 addresses, so match on the resolved addresses, not the queried name
let malicious_ips = dynamic(["175.146.204.245", "60.22.86.235", "182.114.192.248", "42.180.39.77"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

Query 2: web and firewall traffic to the URLhaus IOCs. Because the IOCs are IP:port URLs, the destination IP is checked alongside the request URL and host name so that proxy-less connections (for example a dropper fetching `bin.sh` directly) are not missed.

```kql
// Hunt for web or firewall traffic to URLhaus malicious IPs
// Threat: malware_download
let malicious_ips = dynamic(["175.146.204.245", "60.22.86.235", "182.114.192.248", "42.180.39.77"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
1. Scenario: A system administrator is downloading a known malicious URL to test a security tool or perform a penetration test.
   Filter/Exclusion: Exclude URLs that match known penetration testing tools (e.g., Metasploit, Cobalt Strike) or URLs associated with internal testing environments.
2. Scenario: A scheduled job is configured to download updates from a legitimate internal repository, which is mistakenly tagged as a malicious URL in the URLhaus database.
   Filter/Exclusion: Exclude URLs that match internal IP ranges or internal update servers (e.g., 10.0.0.0/8, 192.168.0.0/16).
3. Scenario: A user is accessing a phishing simulation URL hosted by a security training platform (e.g., KnowBe4, PhishMe) as part of a security awareness program.
   Filter/Exclusion: Exclude URLs that contain known security training domains (e.g., knowbe4.com, phishme.com, spreedly.com).
4. Scenario: A system is downloading a legitimate software update from a trusted vendor (e.g., Microsoft, Adobe) that is falsely flagged in URLhaus.
   Filter/Exclusion: Exclude URLs that match known software update domains (e.g., download.microsoft.com, adobe.com, nginx.org).
5. Scenario: A backup or synchronization job is using a cloud storage service (e.g., AWS S3, Google Cloud Storage) to transfer files, and the URL is flagged as malicious due to a misconfiguration.
   Filter/Exclusion: Exclude URLs that match cloud storage endpoints (e.g., s3.amazonaws.com, storage.googleapis.com, blob.core.windows.net).
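The following is an added example, not part of the original playbook or of URLhaus tooling. It shows the preparation step that sits in front of the two KQL queries above: refanging the `hxxp://` IOC rows, splitting each URL into host, port and path, dropping entries that fall under the false-positive scenarios (internal ranges, trusted vendor, training and cloud storage domains), and rendering what survives as the `let ... = dynamic([...])` line the queries consume. The two extra rows (an internal 10.x update server and a Microsoft download host) are constructed to exercise the exclusions; only the four rows from the IOC table are real indicators, and the exclusion lists are lifted from the scenarios above rather than from any URLhaus feed.

```python
"""Build the Sentinel hunt list from a URLhaus-style IOC table (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the four IOC rows from the table plus two rows that
# exercise the exclusion scenarios (an internal update server and a trusted
# vendor download host). Only the first four are real URLhaus indicators.
IOC_ROWS = [
    "hxxp://182.114.192.248:48384/bin.sh | online | malware_download | 2026-06-07",
    "hxxp://42.180.39.77:49590/bin.sh | online | malware_download | 2026-06-07",
    "hxxp://175.146.204.245:50287/i | online | malware_download | 2026-06-07",
    "hxxp://60.22.86.235:35153/i | online | malware_download | 2026-06-07",
    "hxxp://10.20.30.40:8080/updates/agent.msi | online | malware_download | 2026-06-07",
    "hxxps://download.microsoft.com/patch.exe | online | malware_download | 2026-06-07",
]

# Exclusion inputs taken from the playbook's false-positive scenarios.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
TRUSTED_DOMAINS = (
    "download.microsoft.com", "adobe.com", "nginx.org",
    "knowbe4.com", "phishme.com",
    "s3.amazonaws.com", "storage.googleapis.com", "blob.core.windows.net",
)


def refang(url: str) -> str:
    """Undo the common hxxp / [.] / [:] defanging so urlsplit can parse the URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_ioc_row(row: str) -> dict:
    """Split one '|'-separated IOC table row into host, port, path and metadata."""
    url, status, threat, added = [c.strip() for c in row.split("|")]
    parts = urlsplit(refang(url))
    return {
        "host": parts.hostname,
        "port": parts.port,
        "path": parts.path,
        "status": status,
        "threat": threat,
        "date_added": added,
    }


def is_excluded(host: str) -> bool:
    """Apply the playbook's exclusions: internal IP space or a trusted domain."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP: treat it as a domain and match exact or suffix
        # (cdn.adobe.com matches adobe.com, notadobe.com does not).
        host = host.lower()
        return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    return any(addr in net for net in INTERNAL_RANGES)


def build_hunt_list(rows, active_only: bool = True) -> list:
    """Return de-duplicated hosts worth hunting, preserving table order."""
    hosts = []
    for row in rows:
        ioc = parse_ioc_row(row)
        if ioc["host"] is None:
            continue  # unparseable row; skip rather than hunt a blank value
        if active_only and ioc["status"] != "online":
            continue
        if is_excluded(ioc["host"]) or ioc["host"] in hosts:
            continue
        hosts.append(ioc["host"])
    return hosts


def render_kql_let(name: str, hosts) -> str:
    """Render the hosts as the KQL `let` line placed at the top of each query."""
    quoted = ", ".join(f'"{h}"' for h in hosts)
    return f"let {name} = dynamic([{quoted}]);"


if __name__ == "__main__":
    hunt = build_hunt_list(IOC_ROWS)
    print(render_kql_let("malicious_ips", hunt))
```

Run as a script it prints the single `let malicious_ips = ...` line containing the four table IPs; the internal and vendor rows are dropped by `is_excluded`. Keeping the exclusion logic in this pre-processing step, rather than burying it in each query, means one reviewed allowlist feeds both the DnsEvents and CommonSecurityLog hunts, and an excluded indicator can be logged for analyst review instead of silently vanishing.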