The hypothesis is that adversaries use the detected malicious URLs to stage payloads that victims download into the network, bypassing traditional perimeter defenses. All four URLs point at bare IP addresses on high, non-standard ports serving `bin.sh` or `i`, so the hunt should key on destination IP and port rather than on hostnames. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and contain potential infections before they spread.
IOC Summary

Threat: malware_download
Total URLs: 4
Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://117.254.177.144:55436/bin.sh | online | malware_download | 2026-03-19 |
| hxxp://61.1.234.74:40806/i | online | malware_download | 2026-03-19 |
| hxxp://61.1.234.74:40806/bin.sh | online | malware_download | 2026-03-19 |
| hxxp://59.96.141.146:46669/i | online | malware_download | 2026-03-19 |

URLs are defanged (hxxp). Refang them before searching raw logs.
```kql
// Hunt for DNS activity involving the URLhaus IOCs
// Threat: malware_download
// The IOCs are raw IP addresses, so a client fetching them makes no DNS query
// for a name. The resolved-address column (IPAddresses) is checked as well so
// that any hostname that resolves to one of these IPs still surfaces.
let malicious_ips = dynamic(["59.96.141.146", "61.1.234.74", "117.254.177.144"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web/proxy traffic to the URLhaus IOCs
// Threat: malware_download
// DestinationIP is matched directly because the URLs contain no hostname;
// DeviceAction shows whether the proxy allowed or blocked the request.
let malicious_ips = dynamic(["59.96.141.146", "61.1.234.74", "117.254.177.144"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```

Run the two queries separately. A hit on a matching IP but a different port or path still deserves triage, since loader infrastructure often rotates paths while keeping the host.
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog from proxy or firewall) |
| DnsEvents | Ensure this data connector is enabled (DNS analytics) |
Possible False Positives

Scenario: A system administrator deliberately fetches a known malicious URL to test a security tool or simulate an attack.
Filter/Exclusion: Exclude requests from designated test hosts or URLs on known security-testing domains (e.g., testmalware.com, malicious-test-url.org), or use a custom field such as url.tags: "security_test".

Scenario: A scheduled job runs a malware analysis tool that downloads payloads from a trusted internal repository for sandboxing.
Filter/Exclusion: Exclude requests whose destination is the internal repository (internal IP ranges), or use a custom field such as url.source: "internal_sandbox".

Scenario: A user opens a legitimate phishing-training page that mimics a malicious URL to educate employees.
Filter/Exclusion: Exclude URLs on the training domain (e.g., phishing-training.example.com), or use a custom field such as url.tags: "phishing_training".

Scenario: A system downloads a legitimate software update from a URL that merely looks suspicious (e.g., an unusual or misspelled-looking hostname).
Filter/Exclusion: Exclude URLs that match known legitimate update servers (e.g., updates.example.com), or use a custom field such as url.tags: "software_update".

Scenario: A DevOps pipeline pulls a deliberately malicious artifact from a registry during a CI/CD build for testing purposes.
Filter/Exclusion: Exclude URLs that belong to the CI/CD infrastructure (e.g., ci.example.com), or use a custom field such as url.tags: "ci_cd_artifact".

Custom fields such as url.tags are not native CommonSecurityLog columns; they must be supplied by the log source or joined from a Sentinel watchlist. Keep every exclusion scoped to the specific host or source, since the IOCs above are exact IP:port combinations and a broad exclusion would hide a real download.