The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, leveraging compromised or phishing-based delivery methods. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread laterally within the environment.
IOC Summary

- Threat: malware_download
- Total URLs: 3
- Active URLs: 1

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://222.141.43.192:52642/bin.sh | offline | malware_download | 2026-05-05 |
| hxxp://119.109.211.168:60683/i | online | malware_download | 2026-05-05 |
| hxxp://110.36.71.51:46164/i | offline | malware_download | 2026-05-05 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Only the indicator still flagged online (Active URLs: 1) is listed; add the
// offline hosts from the IOC table to also catch earlier activity.
// This indicator is a raw IP, which rarely appears in a DNS query name, so the
// resolved-address column (IPAddresses) is matched as well.
let malicious_domains = dynamic(["119.109.211.168"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: malware_download
// Same indicator list as the DNS query; has_any matches the host anywhere in
// the URL or hostname, so a different port on the same host is still a hit.
let malicious_domains = dynamic(["119.109.211.168"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator downloads a known malicious URL as part of a security test or penetration testing exercise.
  Filter/Exclusion: Exclude URLs that match known penetration testing domains (e.g., vulnweb.com, exploit-db.com) or maintain a custom list of approved test URLs.
- Scenario: A scheduled job fetches updates from a third-party repository that includes a URL flagged by URLhaus as malicious.
  Filter/Exclusion: Exclude URLs that match known update or patch server domains (e.g., updates.examplecorp.com, repo.examplecorp.com) or maintain an allow list of trusted update URLs.
- Scenario: A user accesses a legitimate phishing training page that mimics a malicious URL and is falsely flagged by URLhaus.
  Filter/Exclusion: Exclude URLs that match known phishing training domains (e.g., phishingtraining.example.com, trainingsite.org) or maintain a custom list of approved training URLs.
- Scenario: A legitimate software update is distributed via a URL that URLhaus has incorrectly categorized as malicious.
  Filter/Exclusion: Exclude URLs that match known software update domains (e.g., software.update.example.com, patch.example.com) or maintain an allow list of trusted software update URLs.
- Scenario: A system uses a legitimate tool such as wget or curl to download files from a URL that is mistakenly flagged as malicious.
  Filter/Exclusion: Exclude URLs that match known command-line tool usage patterns (e.g., wget https://trusted-source.com/file) or use a rule based on the presence of legitimate command-line tools in the request context.
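The following added example (not part of the original hunt content) shows how the IOC table above can be turned into the indicator list the KQL queries use and how the has_any match plus an approved-test-URL exclusion from the first scenario behaves against a few constructed CommonSecurityLog-style rows; the approved URL list and the sample events are hypothetical.

```python
from urllib.parse import urlparse
# Constructed copy of the IOC table above (hxxp:// is URLhaus defanging).
IOC_TABLE = """
hxxp://222.141.43.192:52642/bin.sh | offline | malware_download | 2026-05-05
hxxp://119.109.211.168:60683/i | online | malware_download | 2026-05-05
hxxp://110.36.71.51:46164/i | offline | malware_download | 2026-05-05
"""
# Hypothetical approved-test-URL list, as in the first false-positive scenario.
APPROVED_TEST_URLS = {"http://110.36.71.51:46164/i"}
# Constructed CommonSecurityLog-style rows with only the fields the hunt projects.
SAMPLE_EVENTS = [
    {"SourceIP": "10.0.0.5", "RequestURL": "http://119.109.211.168:60683/i"},
    {"SourceIP": "10.0.0.6", "RequestURL": "http://110.36.71.51:46164/i"},
    {"SourceIP": "10.0.0.7", "RequestURL": "http://222.141.43.192:9999/bin.sh"},
    {"SourceIP": "10.0.0.8", "DestinationHostName": "intranet.example.com"},
]

def refang(url):
    """Turn a defanged URL (hxxp://, [.]) back into one urlparse understands."""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)

def load_iocs(table):
    """Map each indicator host to (port, status) from the pipe-separated rows."""
    iocs = {}
    for line in table.strip().splitlines():
        url, status, _threat, _added = [c.strip() for c in line.split("|")]
        parsed = urlparse(refang(url))
        iocs[parsed.hostname] = (parsed.port, status)
    return iocs

def kql_list(iocs, only_online=False):
    """Render hosts as the dynamic([...]) literal used in the hunt queries."""
    hosts = sorted(h for h, (_p, s) in iocs.items() if not only_online or s == "online")
    return "dynamic([" + ", ".join(f'"{h}"' for h in hosts) + "])"

def hunt(events, iocs, approved=APPROVED_TEST_URLS):
    """Approximate has_any on both URL fields, skipping approved test URLs."""
    hits = []
    for ev in events:
        for field in ("RequestURL", "DestinationHostName"):
            value = ev.get(field, "")
            parsed = urlparse(value) if "://" in value else None
            host = parsed.hostname if parsed else value
            if value in approved or host not in iocs:
                continue
            port, status = iocs[host]
            hits.append({"src": ev["SourceIP"], "host": host, "status": status,
                         "port_match": parsed is not None and parsed.port == port})
            break
    return hits
```

The port_match flag is worth keeping in the hit record: the offline indicator on a different port is still the same host and deserves triage, but the mismatch tells the analyst the URLhaus entry may be stale.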