Hypothesis: the URLs below, reported by URLhaus with threat type malware_download, are used by adversaries to stage malware onto hosts inside the network, bypassing perimeter defenses. SOC teams should proactively hunt for DNS resolutions of, and web requests to, these URLs in Azure Sentinel so that a download can be identified and contained before the payload executes or spreads.
IOC Summary
Threat: malware_download. Total URLs: 4. Active (online) URLs: 1.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://scoala1gherla.ro/wp-admin/css/colors/oceans/Ebu.exe | online | malware_download | 2026-06-13 |
| hxxp://portwesl.com/MSI.png | offline | malware_download | 2026-06-13 |
| hxxps://r2.image-upload.app/tyImg/16neTMIsP.png | offline | malware_download | 2026-06-13 |
| hxxp://107.172.172.205/25/seethebestpersonievermadewithmybestdays.hta | offline | malware_download | 2026-06-13 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Only the host URLhaus still reports as online is listed; add the offline
// hosts from the table above to hunt for downloads made while they were up.
let malicious_domains = dynamic(["scoala1gherla.ro"]);
DnsEvents
| where Name has_any (malicious_domains)   // term match, so subdomains of the listed host also match
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains (CEF proxy/firewall logs)
let malicious_domains = dynamic(["scoala1gherla.ro"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction   // DeviceAction shows whether the device allowed or blocked the request
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector from proxies and firewalls. Ensure the connector is enabled and that the forwarding device logs RequestURL; not every source does, in which case only DestinationHostName is available. |
| DnsEvents | Populated by the DNS data connector. Ensure it is enabled on the DNS servers that clients actually query. |
The two hunts match the exact URLhaus hosts listed above, so ordinary traffic rarely matches; the scenarios below arise mainly when the indicator list is widened or when a listed host is also used for sanctioned activity. Exclude by exact hostname or by the sanctioned source host, never by a substring such as "update", "backup" or "sandbox": a substring filter on RequestURL would also hide malicious downloads whose paths happen to contain that word. The field names below are the ones the queries use (RequestURL, DestinationHostName), not a generic url field.

Scenario: A system administrator or penetration tester deliberately downloads one of the listed URLs as part of a security test.
Filter/Exclusion: Do not exclude the URL itself, since it is live malware. Correlate the hit with the test's change record and exclude only the testing host (its SourceIP or Computer) for the agreed test window.

Scenario: A scheduled job feeds a malware analysis sandbox (e.g., Cuckoo Sandbox or Joe Sandbox), which fetches the payload for detonation.
Filter/Exclusion: Exclude the sandbox's egress source (SourceIP or Computer) or the exact hostname of the sandbox infrastructure, not any URL containing "sandbox". Where possible, tag detonation traffic rather than discard it, so analysts can still see which payloads were fetched.

Scenario: A legitimate update or patch (e.g., Microsoft Update, Adobe Update) is flagged because the indicator list has been broadened beyond the exact hosts above.
Filter/Exclusion: Exclude the exact update hostnames (e.g., update.microsoft.com, download.adobe.com) from a maintained allow-list; do not exclude on RequestURL contains "update".

Scenario: A user clicks a phishing-simulation URL deployed by the security team as part of a training exercise (e.g., using PhishLabs or KnowBe4).
Filter/Exclusion: Exclude the exact simulation hostnames (e.g., phishsim.example.com), taken from the vendor's documented domains, from the same allow-list; do not exclude on a "phishsim" substring.

Scenario: A backup or archive tool (e.g., Veeam, Acronis) downloads a compressed file from a remote server that appears on a broadened indicator list.
Filter/Exclusion: Exclude the exact backup server hostnames (e.g., backup.example.com) or the backup host's source IP. The file being an archive is not by itself evidence that the URL is benign, since malware downloads are frequently packed.
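As an added example (not part of the original page), the query below combines the two hunts above into one and applies the exclusion guidance from the scenarios. It covers all four URLhaus indicators rather than only the host still online, matches on the exact host and, where the log carries a URL, on the payload path as well (scoala1gherla.ro looks like a compromised site that also serves legitimate traffic, so a host-only hit is weaker than a host-plus-path hit), and excludes only exact sanctioned hostnames. It uses the same tables and columns as the page's own queries; the indicator URLs are the four from the table, re-fanged, and the approved_hosts values are hypothetical placeholders.

```kql
// Added example, not from the original page.
// Indicators from the IOC table above, re-fanged (hxxp -> http), parsed into host and path.
let iocs = datatable(url:string, status:string)
[
    "https://scoala1gherla.ro/wp-admin/css/colors/oceans/Ebu.exe", "online",
    "http://portwesl.com/MSI.png", "offline",
    "https://r2.image-upload.app/tyImg/16neTMIsP.png", "offline",
    "http://107.172.172.205/25/seethebestpersonievermadewithmybestdays.hta", "offline"
]
| extend parsed = parse_url(url)
| project url, status, ioc_host = tolower(tostring(parsed.Host)), ioc_path = tostring(parsed.Path);
// Exact hostnames sanctioned by the security team (hypothetical placeholders).
// Exclusion is by exact host only; never by a substring such as "update" or "sandbox".
let approved_hosts = dynamic(["phishsim.example.com", "sandbox.example.com"]);
// DNS resolutions carry the queried name only, so no path is available here.
let dns_hits = DnsEvents
    | extend host = tolower(Name), path = ""
    | project TimeGenerated, Source = Computer, host, path,
              Detail = IPAddresses, Action = "resolve", SourceTable = "DnsEvents";
// Proxy/firewall CEF events: take the host from the logged URL, fall back to
// DestinationHostName for devices that do not log RequestURL.
let web_hits = CommonSecurityLog
    | where isnotempty(RequestURL) or isnotempty(DestinationHostName)
    | extend req = parse_url(RequestURL)
    | extend host = tolower(coalesce(tostring(req.Host), DestinationHostName)),
             path = tostring(req.Path)
    | project TimeGenerated, Source = SourceIP, host, path,
              Detail = RequestURL, Action = DeviceAction, SourceTable = "CommonSecurityLog";
union dns_hits, web_hits
| where isnotempty(host) and host !in~ (approved_hosts)
| join kind=inner (iocs) on $left.host == $right.ioc_host
// Host+path hits are the strongest evidence of a payload fetch; host-only hits
// (including every DNS hit) need triage, since a compromised site also serves benign pages.
| extend fidelity = case(SourceTable == "DnsEvents", "host-only (DNS)",
                         path =~ ioc_path,           "host+path",
                                                     "host-only")
| project TimeGenerated, SourceTable, Source, host, path, fidelity, status, Action, Detail, url
| order by TimeGenerated desc
```

Review host+path hits first, then host-only web hits where Action shows the request was allowed; DNS-only hits identify the querying Computer for endpoint triage when no proxy record exists. Keep the approved_hosts list under change control, since every entry in it silently removes matches from the hunt.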