Adversaries may use malicious URLs tagged as opendir to exfiltrate data or establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify potential data exfiltration or C2 activities early.
IOC Summary
Threat: opendir
Total URLs: 6
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://we.love.servers.at.ioflood.net/hold.bat | offline | malware_download | 2026-05-28 |
| hxxps://we.love.servers.at.ioflood.net/hold.js | offline | malware_download | 2026-05-28 |
| hxxps://we.love.servers.at.ioflood.net/hold.vbs | offline | malware_download | 2026-05-28 |
| hxxps://148.163.124.99/hold.bat | online | malware_download | 2026-05-28 |
| hxxps://148.163.124.99/hold.js | online | malware_download | 2026-05-28 |
| hxxps://148.163.124.99/hold.vbs | offline | malware_download | 2026-05-28 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: opendir
// The IOC table lists one hosting domain and one literal IP. A DNS query name will
// never contain the IP, so match the domain on Name and the IP on the resolved answers.
let malicious_domains = dynamic(["we.love.servers.at.ioflood.net"]);
let malicious_ips = dynamic(["148.163.124.99"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: opendir
// Both the domain and the IP from the IOC table can appear in proxy/firewall logs.
let malicious_domains = dynamic(["we.love.servers.at.ioflood.net", "148.163.124.99"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
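The two queries above are easy to sanity-check offline before they reach a Sentinel workspace. The Python below is an added example, not part of this page's KQL or of URLhaus: it refangs the IOC URLs from the table, splits them into the domain, IP and path sets the queries need, and applies the same DNS-name/answer and URL-host logic to a few constructed key=value log records (the record format and the benign entries are invented for illustration and do not follow the DnsEvents or CommonSecurityLog schema).

```python
"""Offline re-implementation of the DNS and web-traffic hunts against sample logs.

Added example; the IOC list is copied from the page's table, the log lines are
constructed, and the record format is not the Sentinel schema.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Defanged URLs from the IOC table on this page.
IOC_URLS = [
    "hxxps://we.love.servers.at.ioflood.net/hold.bat",
    "hxxps://we.love.servers.at.ioflood.net/hold.js",
    "hxxps://we.love.servers.at.ioflood.net/hold.vbs",
    "hxxps://148.163.124.99/hold.bat",
    "hxxps://148.163.124.99/hold.js",
    "hxxps://148.163.124.99/hold.vbs",
]

# Constructed sample logs (key=value records). Only the IOC values are real.
DNS_LOG = [
    "ts=2026-05-28T10:01:02Z host=ws-17 name=we.love.servers.at.ioflood.net answers=148.163.124.99",
    "ts=2026-05-28T10:01:05Z host=ws-22 name=updates.example.net answers=192.0.2.10",
    "ts=2026-05-28T10:02:11Z host=ws-31 name=cdn.example.org answers=198.51.100.7,148.163.124.99",
]
PROXY_LOG = [
    "ts=2026-05-28T10:03:00Z src=10.0.0.17 url=https://148.163.124.99/hold.bat action=allowed",
    "ts=2026-05-28T10:03:09Z src=10.0.0.22 url=https://www.example.com/index.html action=allowed",
    "ts=2026-05-28T10:04:41Z src=10.0.0.31 url=https://148.163.124.99/robots.txt action=blocked",
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def split_iocs(urls):
    """Split IOC URLs into the sets the queries need: hostnames, literal IPs, paths."""
    domains, ips, paths = set(), set(), set()
    for url in urls:
        parsed = urlparse(refang(url))
        host = parsed.hostname or ""
        try:
            ipaddress.ip_address(host)  # raises ValueError for a hostname
            ips.add(host)
        except ValueError:
            domains.add(host)
        paths.add(parsed.path)
    return domains, ips, paths


def _fields(line):
    """Parse one constructed key=value log record into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def hunt_dns(lines, domains, ips):
    """Equivalent of the DnsEvents query: flag a lookup whose name is an IOC domain
    (or a subdomain of one) or whose answer contains an IOC IP. Returns the
    hosts that made matching lookups, in log order."""
    hits = []
    for line in lines:
        f = _fields(line)
        name = f.get("name", "").lower().rstrip(".")
        answers = set(f.get("answers", "").split(","))
        by_name = any(name == d or name.endswith("." + d) for d in domains)
        if by_name or answers & ips:
            hits.append(f["host"])
    return hits


def hunt_proxy(lines, domains, ips, paths):
    """Equivalent of the CommonSecurityLog query: flag a request whose URL host is an
    IOC host. Each hit records source, host, path and whether the path is one of
    the staged files (hold.*) from the table, which is what an analyst triages first."""
    hits = []
    for line in lines:
        f = _fields(line)
        parsed = urlparse(f.get("url", ""))
        host = (parsed.hostname or "").lower()
        if host in domains or host in ips:
            hits.append((f["src"], host, parsed.path, parsed.path in paths))
    return hits


if __name__ == "__main__":
    domains, ips, paths = split_iocs(IOC_URLS)
    print("DNS hits:", hunt_dns(DNS_LOG, domains, ips))
    for hit in hunt_proxy(PROXY_LOG, domains, ips, paths):
        print("Proxy hit:", hit)
```

Note that KQL's `has_any` is a term match, so the Sentinel queries will also flag names that merely contain an IOC term; the Python deliberately restricts DNS matches to the domain itself or its subdomains, which is the stricter behaviour to aim for when tuning the queries.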
Scenario: A system administrator is manually checking the contents of a directory using the opendir() function in a script to troubleshoot a file access issue.
Filter/Exclusion: Exclude processes initiated by system administrators using sudo or runas with known admin tools like rsync, find, or ls.

Scenario: A scheduled job runs a backup script that uses opendir() to traverse directories and archive files.
Filter/Exclusion: Exclude processes associated with backup tools like rsnapshot, backuppc, or borgbackup that are configured to run at specific intervals.

Scenario: A developer is testing a web application that uses opendir() to dynamically load resources from a local directory.
Filter/Exclusion: Exclude processes related to development tools like webpack, npm, or docker that are running in a development environment with known safe directories.

Scenario: A security tool or SIEM system is configured to monitor directory access for audit purposes, using opendir() to log file system activity.
Filter/Exclusion: Exclude processes related to security tools like Splunk, ELK Stack, or OSSEC that are known to perform directory traversal for logging or monitoring.

Scenario: A DevOps pipeline uses opendir() to check for the presence of build artifacts in a staging directory before deployment.
Filter/Exclusion: Exclude processes associated with CI/CD tools like Jenkins, GitLab CI, or GitHub Actions that are executing known safe scripts in a controlled environment.