This detection identifies potential adversary activity involving malicious URLs associated with a remote access trojan (RAT), which may indicate an ongoing compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage ransomware attacks before they escalate.
IOC Summary
Threat: rat
Total URLs: 2
Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://canigrup.top/img_140606.png | offline | malware_download | 2026-06-09 |
| hxxps://canigrup.top/optimized_MSI.png | offline | malware_download | 2026-06-09 |
Hunting Queries

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: rat
let malicious_domains = dynamic(["canigrup.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: rat
let malicious_domains = dynamic(["canigrup.top"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is manually testing a new endpoint protection tool by accessing a known safe URL from URLhaus for validation purposes.
  Filter/Exclusion: Exclude URLs that match the URLhaus database and are tagged as "safe" or "benign" during testing activities.
- Scenario: A scheduled job runs a script that fetches and processes URLs from a legitimate threat intelligence feed (e.g., URLhaus) to update internal security databases.
  Filter/Exclusion: Exclude URLs that are part of a known threat intelligence feed or are tagged as "safe" in the URLhaus database.
- Scenario: A user is accessing a legitimate internal URL that is mistakenly listed in URLhaus due to a false positive or outdated data.
  Filter/Exclusion: Exclude URLs that match internal domain names or are allowlisted in the enterprise's URL filtering policy.
- Scenario: A security tool (e.g., CrowdStrike Falcon, Microsoft Defender ATP) is performing a scheduled scan and reports a URL from URLhaus as a potential RAT.
  Filter/Exclusion: Exclude URLs that are part of the tool's own internal database or are known to be part of legitimate security operations.
- Scenario: A developer is using a CI/CD pipeline that includes a script to fetch and validate URLs from URLhaus for automated testing.
  Filter/Exclusion: Exclude URLs that are part of CI/CD infrastructure or are tagged as "safe" in the URLhaus database.
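As an added example (not part of the original detection content), the following query combines the web-traffic hunt with the exclusions from the scenarios above: it distinguishes a full-URL match on the two listed IOCs from a bare domain match, and suppresses traffic from the threat-intel fetcher and CI/CD hosts and to allowlisted internal domains. The watchlist name `InternalAllowedDomains` and the hostnames in `feed_fetchers` are assumed placeholders to be replaced with your own.

```kql
// Added example: tuned hunt for the URLhaus IOCs on this page with exclusions.
// Threat: rat
let malicious_domains = dynamic(["canigrup.top"]);
// Source hosts that legitimately fetch the URLhaus feed or run CI/CD validation
// (placeholder names; replace with your collector and CI runner hostnames)
let feed_fetchers = dynamic(["ti-collector-01", "ci-runner-01"]);
// Enterprise allowlist of internal domains, kept as a Sentinel watchlist
// (assumed watchlist name; the SearchKey column holds the domain)
let allowed_domains = _GetWatchlist("InternalAllowedDomains") | project SearchKey;
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
// A hit on one of the two listed URLs is higher confidence than a domain-only hit
| extend FullUrlMatch = RequestURL matches regex @"canigrup\.top/(img_140606|optimized_MSI)\.png"
// Exclusions derived from the false-positive scenarios
| where not(SourceHostName in~ (feed_fetchers))
| where not(DestinationHostName in~ (allowed_domains))
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Urls = make_set(RequestURL, 10),
            Actions = make_set(DeviceAction, 5)
    by SourceIP, SourceHostName, FullUrlMatch
| order by FullUrlMatch desc, LastSeen desc
```

A row with `FullUrlMatch == true` and an `Actions` set that does not contain a block or deny verdict is the one to triage first, since it indicates the payload URL itself was reached rather than just the domain.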