The hypothesis is that adversaries are using known malicious URLs from URLhaus to download malware into the network, leveraging compromised or phishing-based delivery methods. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential malware infections before they spread laterally or exfiltrate data.
IOC Summary

Threat: malware_download | Total URLs: 11 | Active URLs: 1
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://107.172.235.213/img/optimized_MSI.png | online | malware_download | 2026-06-15 |
| hxxp://107.172.172.205/25/optimized_MSI.png | offline | malware_download | 2026-06-15 |
| hxxp://107.172.172.205/84/img_094508.png | offline | malware_download | 2026-06-15 |
| hxxp://107.172.235.213/95/verygoodpersonhavingmybestchancestogivme.hta | offline | malware_download | 2026-06-15 |
| hxxp://107.172.235.213/httpswww.bettercloud.commonitorthe-perils-of-expose-files-y-external-file-sharing-needs-security-prosess.php | offline | malware_download | 2026-06-15 |
| hxxp://107.172.172.205/92/goodplacebestchoiceformebetterplacecoming.hta | offline | malware_download | 2026-06-15 |
| hxxp://107.172.172.205/httpswww.gartner.comennewsroompress-releases2025-05-13-gartner-identifies-top-trends-shaping-the-future-of-cloud-o900.php | offline | malware_download | 2026-06-15 |
| hxxp://107.172.172.205/84/goodthingshappenedsoonbro.htA | offline | malware_download | 2026-06-15 |
| hxxp://107.172.172.205/httpsappexchange.salesforce.comappxListingDetaillistingId=a0N3A00000EFntJUN3A00000EFntJUN3A00000EFntJUN3A00000EFntT.php | offline | malware_download | 2026-06-15 |
| hxxps://107.172.235.213/87/goodthingswithbetterworldcoming.htA | offline | malware_download | 2026-06-15 |
| hxxp://107.172.235.213/httpswww.bettercloud.commonitorthe-perils-of-exposed-files-why-external-file-sharing-needs-security-prosess.php | offline | malware_download | 2026-06-15 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Both hosting IPs from the IOC table are included. The IOCs are IP literals rather than
// domain names, so a match on the resolved IPAddresses column is needed as well as on Name.
let malicious_domains = dynamic(["107.172.235.213", "107.172.172.205"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Both hosting IPs from the IOC table; DestinationIP is checked too, since proxies and
// firewalls log IP-literal destinations there rather than in DestinationHostName.
let malicious_domains = dynamic(["107.172.235.213", "107.172.172.205"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
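The two queries above match on hosting IP only. The added query below (not part of the original hunt) carries the same CommonSecurityLog hunt further: it compares requested paths against the full IOC table on this page, so an exact URLhaus hit is distinguished from mere contact with the host, and it labels the tells visible in the listing (.hta droppers, an MSI served with a .png name, and lure paths that copy vendor article URLs). The `urlhaus_paths` datatable is built from the table above; the column names `ReqHost`, `ReqPath`, `PathKey`, `Tell` and `ExactIOC` are names chosen here.

```kql
// Added example, not part of the original hunt: match proxy/firewall URLs against the complete
// URLhaus set on this page (both hosting IPs and all eleven paths) and label the tells the
// listing shows: .hta droppers, an MSI payload served as .png, and lure paths copying vendor URLs.
let urlhaus_hosts = dynamic(["107.172.235.213", "107.172.172.205"]);
// Exact IOC paths from the table above; in production, source these from a Sentinel watchlist.
let urlhaus_paths = datatable(Host:string, Path:string, Status:string)[
    "107.172.235.213", "/img/optimized_MSI.png", "online",
    "107.172.172.205", "/25/optimized_MSI.png", "offline",
    "107.172.172.205", "/84/img_094508.png", "offline",
    "107.172.235.213", "/95/verygoodpersonhavingmybestchancestogivme.hta", "offline",
    "107.172.235.213", "/httpswww.bettercloud.commonitorthe-perils-of-expose-files-y-external-file-sharing-needs-security-prosess.php", "offline",
    "107.172.172.205", "/92/goodplacebestchoiceformebetterplacecoming.hta", "offline",
    "107.172.172.205", "/httpswww.gartner.comennewsroompress-releases2025-05-13-gartner-identifies-top-trends-shaping-the-future-of-cloud-o900.php", "offline",
    "107.172.172.205", "/84/goodthingshappenedsoonbro.htA", "offline",
    "107.172.172.205", "/httpsappexchange.salesforce.comappxListingDetaillistingId=a0N3A00000EFntJUN3A00000EFntJUN3A00000EFntJUN3A00000EFntT.php", "offline",
    "107.172.235.213", "/87/goodthingswithbetterworldcoming.htA", "offline",
    "107.172.235.213", "/httpswww.bettercloud.commonitorthe-perils-of-exposed-files-why-external-file-sharing-needs-security-prosess.php", "offline"
]
| extend PathKey = tolower(Path);   // case-insensitive join key: the listing mixes .hta and .htA
CommonSecurityLog
| where isnotempty(RequestURL)
| extend Parsed = parse_url(RequestURL)
| extend ReqHost = tostring(Parsed.Host), ReqPath = tostring(Parsed.Path)
// Stage 1: any contact with a URLhaus hosting IP, by URL host or by logged destination IP.
| where ReqHost in (urlhaus_hosts) or DestinationIP in (urlhaus_hosts)
| extend PathKey = tolower(ReqPath)
| extend Extension = extract(@"\.([a-z0-9]+)$", 1, PathKey)
// Stage 2: label what kind of artifact was requested, from the patterns the IOC table shows.
| extend Tell = case(
    Extension == "hta", "HTA dropper",
    PathKey contains "optimized_msi", "MSI payload served as .png",
    PathKey startswith "/https", "lure path imitating a vendor URL",
    "contact with URLhaus host")
// Stage 3: exact IOC hits keep their URLhaus status; other contacts have an empty Status.
| join kind=leftouter urlhaus_paths on PathKey
| extend ExactIOC = isnotempty(Status)
| project TimeGenerated, SourceIP, SourceUserName, ReqHost, ReqPath, Extension, Tell, ExactIOC, Status, DeviceAction
| order by TimeGenerated desc
```

Rows with `ExactIOC == false` still matter: a request to one of these hosts for a path URLhaus has not catalogued yet is the same infrastructure serving something new, and is usually the more urgent lead.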
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: Scheduled System Update Check
  - Description: A system administrator runs a scheduled task to check for and download the latest security updates from a trusted Microsoft server.
  - Filter/Exclusion: Exclude URLs matching https://download.microsoft.com or use a filter for URLs containing update and microsoft.com.
- Scenario: Internal Software Repository Access
  - Description: Developers access an internal artifact repository (e.g., Nexus or Artifactory) to download build tools or dependencies.
  - Filter/Exclusion: Exclude URLs containing internal-repo.company.com or use a filter for URLs with artifactory or nexus in the domain.
- Scenario: Admin Task for Log Collection
  - Description: An admin uses a tool like Logstash or Fluentd to collect logs from remote servers and downloads configuration files from a central server.
  - Filter/Exclusion: Exclude URLs containing logstash or fluentd in the path, or use a filter for URLs with config or logs in the query parameters.
- Scenario: Cloud Backup Job Execution
  - Description: A cloud backup tool like Veeam or Commvault connects to a remote storage bucket to download backup archives.
  - Filter/Exclusion: Exclude URLs containing veeam.com or commvault.com, or use a filter for URLs with backup or restore in the path.
- Scenario: Patch Management Tool Usage
  - Description: A patch management tool like Microsoft Endpoint Manager or Altiris downloads patches from a central patch server.
  - Filter/Exclusion: Exclude URLs containing endpointmanager.microsoft.com or altiris.net, or use a filter for URLs with patch or update in the path.
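The scenarios above describe exclusions in prose. The added query below (not part of the original hunt) encodes them as a maintained allowlist table, applies it to the URLhaus host match, and keeps an `Allowlisted` flag so the analyst can audit what the exclusions suppress instead of silently dropping it. The hostnames are the ones named in the scenarios; `internal-repo.company.com` is the scenario's own placeholder, not a real host. In production `urlhaus_hosts` would come from the full URLhaus feed, which includes domain names, and that is where a destination-host allowlist does its work.

```kql
// Added example, not part of the original hunt: the false-positive scenarios as an allowlist table,
// collapsed into regexes and applied to the URLhaus host match with an audit flag.
let urlhaus_hosts = dynamic(["107.172.235.213", "107.172.172.205"]);
// Kind "host" patterns are matched against the URL host; kind "path" patterns against the URL path.
// internal-repo.company.com is the placeholder from the scenario list, not a real host.
let exclusions = datatable(Kind:string, Pattern:string, Scenario:string)[
    "host", @"(^|\.)download\.microsoft\.com$",        "Scheduled System Update Check",
    "host", @"(^|\.)internal-repo\.company\.com$",     "Internal Software Repository Access",
    "host", @"(artifactory|nexus)",                    "Internal Software Repository Access",
    "path", @"(logstash|fluentd)",                     "Admin Task for Log Collection",
    "host", @"(^|\.)veeam\.com$",                      "Cloud Backup Job Execution",
    "host", @"(^|\.)commvault\.com$",                  "Cloud Backup Job Execution",
    "host", @"(^|\.)endpointmanager\.microsoft\.com$", "Patch Management Tool Usage",
    "host", @"(^|\.)altiris\.net$",                    "Patch Management Tool Usage"
];
// Collapse each kind into a single alternation so it can be applied with one matches regex.
let host_regex = strcat_array(toscalar(exclusions | where Kind == "host" | summarize make_list(Pattern)), "|");
let path_regex = strcat_array(toscalar(exclusions | where Kind == "path" | summarize make_list(Pattern)), "|");
CommonSecurityLog
| where isnotempty(RequestURL)
| extend Parsed = parse_url(RequestURL)
| extend ReqHost = tolower(tostring(Parsed.Host)), ReqPath = tolower(tostring(Parsed.Path))
// IOC match first, so the allowlist can only ever narrow the result set.
| where ReqHost in (urlhaus_hosts) or DestinationIP in (urlhaus_hosts)
| extend Allowlisted = ReqHost matches regex host_regex or ReqPath matches regex path_regex
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            SampleUrls = make_set(RequestURL, 10) by SourceIP, ReqHost, Allowlisted, DeviceAction
| where not(Allowlisted)   // remove this line to review what the exclusions are suppressing
| order by Hits desc
```

The generic path keywords from the scenarios (update, patch, config, logs, backup, restore) are deliberately left out of the table: the IOC listing itself contains paths built to look like bettercloud.com, gartner.com and salesforce.com article URLs, so a brand or keyword appearing in a path is not evidence that the destination is trusted. Exclusions are anchored to the destination host wherever the scenario allows it, and the two tool-name path patterns are the only path-based rules kept.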