URLhaus applies the opendir tag to URLs whose payload sits in an open (browsable) web directory. All seven entries below are classified malware_download and are hosted on raw IP addresses with image-like file names, so the activity to expect is payload retrieval (the download stage of an intrusion) rather than data exfiltration; the same hosts may later be reused for command and control. SOC teams should proactively hunt for connections to these hosts in Azure Sentinel so the download is caught before the payload executes.
IOC Summary
Threat: opendir. Total URLs: 7. Active URLs: 7.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://172.86.110.98/img/kb/img_194735.png | online | malware_download | 2026-06-15 |
| hxxp://82.223.139.167/img/img_165940.png | online | malware_download | 2026-06-15 |
| hxxp://192.3.140.105/33/img_220818.png | online | malware_download | 2026-06-15 |
| hxxp://209.54.103.155/img/img_160722.png | online | malware_download | 2026-06-15 |
| hxxp://23.95.103.215/156/img_225642.png | online | malware_download | 2026-06-15 |
| hxxp://172.86.110.98/img/img_023305.png | online | malware_download | 2026-06-15 |
| hxxp://193.37.215.169/33/img_044256.png | online | malware_download | 2026-06-15 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: opendir
// Caveat: every IOC on this page is a raw IP address, so a client fetching one of these
// URLs issues no DNS query for it. A DnsEvents hunt on Name alone will not fire; this
// query also checks the resolved IPAddresses column so that a name in your environment
// pointing at one of the IOC hosts is still surfaced.
let malicious_ips = dynamic(["193.37.215.169", "23.95.103.215", "192.3.140.105", "172.86.110.98", "209.54.103.155", "82.223.139.167"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts (proxy / firewall logs)
// Threat: opendir
// Because the IOCs are IP literals, DestinationIP is the most reliable field to match on;
// RequestURL and DestinationHostName are kept for devices that log the full URL.
let malicious_ips = dynamic(["193.37.215.169", "23.95.103.215", "192.3.140.105", "172.86.110.98", "209.54.103.155", "82.223.139.167"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog from proxies and firewalls) |
| DnsEvents | Ensure this data connector is enabled; note that IP-literal URLs generate no DNS query |
Known benign scenarios and how to exclude them. Because the attacker controls the path of a malicious URL, exclusions keyed on words in the path are trivially bypassed (the IOCs above already hide behind img/ directories and .png names); key exclusions on the trusted destination host or IP instead.

Scenario: Scheduled backup job that uploads archives (for example tar output, or rsync over an HTTP-fronted target) to an internal backup server
Filter/Exclusion: Exclude the backup server's hostname or IP, not URLs that merely contain backup, rsync, or tar in the path or query string

Scenario: System update or patching process using wget or curl to download signed packages from a trusted repository
Filter/Exclusion: Exclude destination hosts that match your known package repositories (apt, yum, dnf, or npm mirrors) and verify package signatures on the client

Scenario: Admin task using scp or sftp to transfer files between servers
Filter/Exclusion: These run over SSH and produce no RequestURL in proxy or firewall logs, so no URL exclusion is needed; the source and destination hosts should already be covered by an administrative allowlist

Scenario: Log management tool like Fluentd or Logstash using HTTP endpoints to ship logs to a centralized log server
Filter/Exclusion: Exclude the known log-shipping endpoint hostnames; do not exclude on terms like logs, logstash, or fluentd appearing in the path

Scenario: CI/CD pipeline using Jenkins or GitLab CI that serves artifacts or job status over HTTP
Filter/Exclusion: Exclude the pipeline's hostnames; an exclusion on ci, cd, jenkins, gitlab, or artifacts in the path would also suppress a hit on any IOC host whose operator chose such a directory name
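The two hunting queries and the exclusion guidance above can be checked offline against sample records. The following is an added example written for this page, not code from URLhaus or from Azure Sentinel: it refangs the IOC URLs, extracts their hosts, runs the same host-based match as the CommonSecurityLog query over constructed proxy records, applies an allowlist keyed on destination host, and shows why a path-keyword exclusion would hide a real hit and why a DnsEvents hunt cannot see IP-literal IOCs. The proxy records, the trusted hostnames, and the IP 198.51.100.7 are constructed sample data.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The defanged IOC URLs from this page (hxxp -> http is restored by refang()).
IOC_URLS = [
    "hxxp://172.86.110.98/img/kb/img_194735.png",
    "hxxp://82.223.139.167/img/img_165940.png",
    "hxxp://192.3.140.105/33/img_220818.png",
    "hxxp://209.54.103.155/img/img_160722.png",
    "hxxp://23.95.103.215/156/img_225642.png",
    "hxxp://172.86.110.98/img/img_023305.png",
    "hxxp://193.37.215.169/33/img_044256.png",
]

# Constructed allowlist: trusted destinations are named by host, never by path keyword.
TRUSTED_HOSTS = {"backup.example.internal", "mirror.example.internal"}

# Constructed proxy records with the same field names as CommonSecurityLog.
SAMPLE_PROXY = [
    {"SourceIP": "10.1.2.3", "DestinationIP": "172.86.110.98", "DestinationHostName": "",
     "RequestURL": "http://172.86.110.98/img/kb/img_194735.png", "DeviceAction": "allowed"},
    {"SourceIP": "10.1.2.4", "DestinationIP": "10.0.0.5", "DestinationHostName": "backup.example.internal",
     "RequestURL": "http://backup.example.internal/img/backup_0615.tar", "DeviceAction": "allowed"},
    {"SourceIP": "10.1.2.5", "DestinationIP": "198.51.100.7", "DestinationHostName": "",
     "RequestURL": "http://198.51.100.7/ci/artifacts/img_000000.png", "DeviceAction": "allowed"},
    # An IOC host whose operator picked a "ci" directory: a path-keyword exclusion would hide it.
    {"SourceIP": "10.1.2.6", "DestinationIP": "193.37.215.169", "DestinationHostName": "",
     "RequestURL": "http://193.37.215.169/ci/artifacts/img_044256.png", "DeviceAction": "blocked"},
]


def refang(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable http(s):// URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def ioc_hosts(urls) -> set:
    """Extract the set of hosts (hostnames or IP literals) from a list of IOC URLs."""
    return {urlsplit(refang(u)).hostname for u in urls}


def match_proxy(records, hosts, trusted) -> list:
    """Host-based match mirroring the CommonSecurityLog query: DestinationIP, DestinationHostName
    or the host inside RequestURL hits an IOC host, unless the destination is on the allowlist."""
    hits = []
    for r in records:
        candidates = {r.get("DestinationIP"), r.get("DestinationHostName"),
                      urlsplit(r["RequestURL"]).hostname}
        candidates.discard(None)
        candidates.discard("")
        if candidates & trusted:
            continue
        if candidates & hosts:
            hits.append(r)
    return hits


def keyword_excluded(record, keywords) -> bool:
    """The weak exclusion this page warns against: drop a record if its URL path contains a keyword."""
    path = urlsplit(record["RequestURL"]).path.lower()
    return any(k in path for k in keywords)


def dns_huntable_hosts(hosts) -> set:
    """Return the IOC hosts that a DnsEvents Name hunt could ever observe. IP literals are
    never looked up, so for this page's IOC set the result is empty."""
    names = set()
    for h in hosts:
        try:
            ipaddress.ip_address(h)
        except ValueError:
            names.add(h)
    return names


if __name__ == "__main__":
    hosts = ioc_hosts(IOC_URLS)
    for hit in match_proxy(SAMPLE_PROXY, hosts, TRUSTED_HOSTS):
        flag = " (would be hidden by a 'ci' path exclusion)" if keyword_excluded(hit, ["ci"]) else ""
        print(f"{hit['SourceIP']} -> {hit['RequestURL']} [{hit['DeviceAction']}]{flag}")
    print("hosts a DNS-name hunt can see:", dns_huntable_hosts(hosts) or "none")
```

Running the block prints the two true hits (the second of them flagged as a record that a path-keyword exclusion on ci would have suppressed) and reports that none of the IOC hosts is reachable through a DNS-name hunt, which is why the CommonSecurityLog query matches on DestinationIP.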