Adversaries may use malicious URLs tagged as opendir to exfiltrate data or establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential data exfiltration or C2 activities early.
IOC Summary
Threat: opendir
Total URLs: 3
Active URLs: 1
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://85.204.125.76/c.sh | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/wget.sh | offline | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/w.sh | offline | malware_download | 2026-05-23 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: opendir
// The indicator for this threat is an IP address, not a hostname, so it is
// matched against the resolved addresses (IPAddresses) as well as the queried name.
let malicious_domains = dynamic(["85.204.125.76"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// Matches the indicator in either the requested URL or the destination host
let malicious_domains = dynamic(["85.204.125.76"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Backup Job | A legitimate scheduled job (e.g., Veeam Backup & Replication) runs a script that accesses a URL to download a backup template. | Exclude URLs containing backup, template, or veeam in the domain or path. |
| Admin Task for Software Update | An admin uses Chocolatey to install a package, which temporarily accesses a URL to fetch the package metadata. | Exclude URLs containing chocolatey, package, or metadata in the domain or path. |
| Log Collection from External Service | A log aggregation tool like Splunk or ELK Stack pulls logs from an external service (e.g., Loggly) using a URL. | Exclude URLs containing splunk, loggly, or elk in the domain or path. |
| CI/CD Pipeline Artifact Download | A CI/CD pipeline (e.g., Jenkins, GitHub Actions) downloads a build artifact from a private registry or artifact server. | Exclude URLs containing jenkins, github, artifactory, or nexus in the domain or path. |
| User-Initiated File Sync with Cloud Provider | A user syncs files using a cloud sync tool like Dropbox or OneDrive, which may temporarily access URLs for metadata or sync status. | Exclude URLs containing dropbox, onedrive, or sync in the domain or path. |
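As an added example (not part of the original playbook), the Python triage helper below applies the URLhaus indicators from the IOC summary and the benign-keyword exclusions above to a handful of constructed proxy records, checking IOC matches first so that a keyword exclusion can never suppress a hit on the listed indicator. All event records and every hostname other than the page's indicator are constructed sample data.

```python
from urllib.parse import urlparse

# Indicators taken from the page's URLhaus summary (kept in defanged hxxp:// form).
URLHAUS_IOCS = [
    "hxxp://85.204.125.76/c.sh",
    "hxxp://85.204.125.76/wget.sh",
    "hxxp://85.204.125.76/w.sh",
]

# Benign-activity keywords from the page's false-positive scenarios.
BENIGN_KEYWORDS = [
    "backup", "template", "veeam",
    "chocolatey", "package", "metadata",
    "splunk", "loggly", "elk",
    "jenkins", "github", "artifactory", "nexus",
    "dropbox", "onedrive", "sync",
]

def refang(url):
    """Turn a defanged URL (hxxp://, hxxps://, [.]) back into a parseable one."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def normalize(url):
    """Return (hostname, path) in lower case so comparisons are case-insensitive."""
    parts = urlparse(refang(url.strip()).lower())
    return parts.hostname or "", parts.path

IOC_URLS = {normalize(u) for u in URLHAUS_IOCS}
IOC_HOSTS = {host for host, _ in IOC_URLS}

def classify(url):
    """IOC checks run before the benign exclusions: an indicator match always wins."""
    host, path = normalize(url)
    if (host, path) in IOC_URLS:
        return "ioc_url_hit"       # exact URLhaus URL
    if host in IOC_HOSTS:
        return "ioc_host_hit"      # same host, different path (what the KQL above matches)
    if any(k in host or k in path for k in BENIGN_KEYWORDS):
        return "excluded_benign"   # matches one of the page's exclusion scenarios
    return "review"                # neither known-bad nor known-benign

# Constructed sample records (source IP, requested URL); not real telemetry.
SAMPLE_EVENTS = [
    ("10.0.0.12", "hxxp://85.204.125.76/c.sh"),
    ("10.0.0.12", "http://85.204.125.76/package.sh"),  # constructed path containing a benign keyword
    ("10.0.0.7", "https://dl.veeam.example/backup/template.zip"),
    ("10.0.0.9", "https://updates.vendor.example/agent-2.1.msi"),
]

def triage(events):
    """Label each (source, url) record with its classification."""
    return [(src, url, classify(url)) for src, url in events]
```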