Adversaries may use malicious URLs tagged as opendir (URLhaus's tag for payloads served from an open directory listing) to stage tooling, exfiltrate data or establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel so that any data exfiltration or C2 activity is identified and contained early.
IOC Summary

Threat: opendir
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://85.239.151.41/utt.sh | online | malware_download | 2026-05-26 |
| hxxp://85.239.151.41/toto.sh | online | malware_download | 2026-05-26 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: opendir
// The indicators on this page are IP addresses rather than hostnames, so a DNS
// client will rarely query them by name; the resolved-address column
// (IPAddresses) is checked as well so the hunt still fires when a hostname
// resolves to the listed address.
let malicious_domains = dynamic(["85.239.151.41"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Run as a separate query: it redeclares malicious_domains for stand-alone use.
// DestinationIP is matched exactly because the indicator is an IP address.
let malicious_domains = dynamic(["85.239.151.41"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled system backup job using rsync or tar that generates temporary files with URLs in the directory structure.
Filter/Exclusion: Exclude URLs containing /tmp/ or /var/backups/ and filter out any file operations involving rsync, tar, or backup in the command line.
Scenario: Admin manually checking system logs using less or tail and navigating through log files that contain URLs in the directory path.
Filter/Exclusion: Exclude URLs that appear in log files or commands involving less, tail, grep, or cat with log file paths like /var/log/.
Scenario: Automated deployment tool like Ansible or Chef executing scripts that reference internal URLs for configuration or artifact retrieval.
Filter/Exclusion: Exclude URLs that match internal domain names (e.g., internal.example.com) and filter out any activity involving Ansible, Chef, or deploy in the command line.
Scenario: User accessing a shared directory via smbclient or mount that includes a URL in the path due to legacy system integration.
Filter/Exclusion: Exclude URLs containing smb://, cifs://, or mount commands, and filter out access to network shares or UNC paths.
Scenario: Security tool like OSSEC or Snort generating alerts with internal URLs in the alert message or log file path.
Filter/Exclusion: Exclude URLs that appear in alert messages or log files from known security tools and filter out any activity involving OSSEC, Snort, or alert in the command line.
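The exclusions above are stated in prose; the query below is an added example (not part of the original page or of URLhaus) that folds the URL-based ones into a single hunt over both Sentinel tables. The internal domain suffix, path markers and share schemes are placeholders taken from the scenarios and must be adjusted per environment; the command-line exclusions (rsync, tar, Ansible, Chef, OSSEC, Snort) apply to process telemetry that the page's two tables do not carry, so they are left out here.

```kusto
// Added example: combined DNS + proxy hunt for the opendir IOCs with the
// false-positive exclusions from the scenarios applied.
// Assumptions (placeholders): internal_domains, benign_path_markers and
// share_schemes are illustrative and should be tuned to the environment.
let malicious_hosts = dynamic(["85.239.151.41"]);
let ioc_urls = dynamic(["http://85.239.151.41/utt.sh", "http://85.239.151.41/toto.sh"]);
let internal_domains = dynamic(["internal.example.com"]);                   // deployment tooling scenario
let benign_path_markers = dynamic(["/tmp/", "/var/backups/", "/var/log/"]); // backup and log-review scenarios
let share_schemes = dynamic(["smb://", "cifs://"]);                         // legacy share scenario
// DNS side: name or resolved address matches an indicator, internal names dropped.
let dns_hits = DnsEvents
    | where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
    | where not(Name has_any (internal_domains))
    | project TimeGenerated, Source = "DnsEvents", Host = Computer,
              Indicator = Name, Detail = IPAddresses;
// Proxy/firewall side: URL, hostname or destination IP matches an indicator,
// with the path-based and share-based exclusions applied before reporting.
let proxy_hits = CommonSecurityLog
    | where RequestURL has_any (malicious_hosts)
        or DestinationHostName has_any (malicious_hosts)
        or DestinationIP in (malicious_hosts)
    | where not(RequestURL has_any (benign_path_markers))
    | where not(RequestURL has_any (share_schemes))
    | where not(DestinationHostName has_any (internal_domains))
    // Flag requests that hit one of the two listed payload URLs exactly,
    // as opposed to any other path on the same host.
    | extend ExactIocMatch = RequestURL in (ioc_urls)
    | project TimeGenerated, Source = "CommonSecurityLog", Host = SourceIP,
              Indicator = RequestURL,
              Detail = strcat(DeviceAction, " exact_ioc=", tostring(ExactIocMatch));
// One row per source table and host, so a repeatedly beaconing host stands out.
union dns_hits, proxy_hits
| summarize HitCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Indicators = make_set(Indicator, 10)
    by Source, Host
| order by LastSeen desc
```

Review the ExactIocMatch flag first: a host that fetched utt.sh or toto.sh directly is a stronger lead than one that merely touched the same address, and the summarize step keeps the hosts with the highest HitCount and most recent LastSeen at the top for triage.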