The hypothesis is that the URLhaus-listed URLs below serve malware droppers (the first is a shell script, and URLhaus tags both as malware_download) that execute attacker-chosen commands on any host that fetches and runs them. SOC teams should proactively hunt for outbound connections to these hosts in Microsoft Sentinel (formerly Azure Sentinel) to surface initial compromise, command and control activity, or data exfiltration. Note that both indicators are bare IP addresses rather than domains: a fetch of http://152.236.3.29/... makes no DNS query for the indicator, so network and proxy logs (CommonSecurityLog) are the primary data source, and the DNS query only catches a domain that happens to resolve to one of the listed addresses.
IOC Summary
Threat: sh | Total URLs: 2 | Active URLs: 1

URLs are defanged (hxxp) so they cannot be clicked by accident; refang them only inside the hunt query or an isolated analysis host.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://152.236.3.29/areyouajew.sh | online | malware_download | 2026-06-13 |
| hxxp://162.248.101.153/n2/telnet | offline | malware_download | 2026-06-13 |
```kusto
// Hunt for DNS answers that resolve to URLhaus-listed IP addresses.
// The indicators are IPs, not names, so match the resolved addresses rather than the
// query name; a direct fetch of http://<ip>/... generates no DNS query at all and is
// only visible in the network/proxy hunt below.
// Threat: sh
let malicious_ips = dynamic(["152.236.3.29", "162.248.101.153"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for network/proxy traffic to URLhaus-listed IP addresses.
// The offline entry is included on purpose: traffic to it before it went offline
// is still evidence of compromise.
// Threat: sh
let malicious_ips = dynamic(["152.236.3.29", "162.248.101.153"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```

Any hit with DeviceAction showing the request was allowed should be escalated and the SourceIP pivoted on (which process fetched the file, and whether it was executed); a blocked request is lower severity but still shows a host attempted the download.
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled; it is populated by firewalls and proxies sending CEF, so the RequestURL and DestinationHostName fields are only filled for devices that log at the HTTP layer |
| DnsEvents | Ensure this data connector is enabled; it is populated by DNS servers reporting through the agent, and will not see lookups that bypass those servers (DoH, hard-coded resolvers) |
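Before running the queries above in Sentinel it is worth checking, offline, what the indicator list actually contains and what each query can and cannot match. The following Python is an added example (not part of the original page, URLhaus, or Sentinel): it refangs the IOC URLs, splits them into IP and domain indicators, renders the KQL `dynamic([...])` literal, and runs the same matching logic as the two queries over constructed sample DnsEvents and CommonSecurityLog rows. All hostnames, internal addresses and timestamps in the sample events are made up for the illustration.

```python
"""Offline pre-check of the URLhaus indicators above against sample DNS and
proxy records (added example, not part of the original page or of URLhaus)."""
import ipaddress
from urllib.parse import urlsplit

# Defanged URLs copied from the IOC summary above.
URLHAUS_IOCS = [
    {"url": "hxxp://152.236.3.29/areyouajew.sh", "status": "online"},
    {"url": "hxxp://162.248.101.153/n2/telnet", "status": "offline"},
]


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp, [.]) so the URL can be parsed."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def extract_indicators(iocs):
    """Return (ips, domains, urls) from the IOC list. The page's entries are
    bare IPs, so `domains` comes back empty for them."""
    ips, domains, urls = set(), set(), set()
    for ioc in iocs:
        url = refang(ioc["url"])
        host = urlsplit(url).hostname
        urls.add(url)
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host.lower())
    return ips, domains, urls


def kql_dynamic(values) -> str:
    """Render a set of strings as the dynamic([...]) literal used in the let statements."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


# Constructed sample events (not real telemetry), shaped like DnsEvents rows.
DNS_EVENTS = [
    {"TimeGenerated": "2026-06-13T10:01:00Z", "Computer": "web01",
     "Name": "updates.example.com", "IPAddresses": "203.0.113.7"},
    {"TimeGenerated": "2026-06-13T10:02:00Z", "Computer": "web02",
     "Name": "cdn.example.net", "IPAddresses": "198.51.100.4,152.236.3.29"},
]
# Constructed sample events shaped like CommonSecurityLog rows from a proxy/firewall.
# The first one is a fetch by bare IP: it has no matching DNS event at all.
PROXY_EVENTS = [
    {"TimeGenerated": "2026-06-13T10:02:05Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "152.236.3.29", "RequestURL": "http://152.236.3.29/areyouajew.sh",
     "DestinationHostName": "", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-13T10:03:00Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "162.248.101.153", "RequestURL": "",
     "DestinationHostName": "", "DeviceAction": "deny"},
    {"TimeGenerated": "2026-06-13T10:04:00Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "198.51.100.20", "RequestURL": "http://pkgs.example.org/update.sh",
     "DestinationHostName": "pkgs.example.org", "DeviceAction": "allow"},
]


def hunt_dns(events, ips, domains):
    """Mirror of the DnsEvents query: IP indicators are matched against the
    answer section, domain indicators against the queried name."""
    hits = []
    for e in events:
        answers = {a.strip() for a in e["IPAddresses"].split(",") if a.strip()}
        if answers & ips or e["Name"].lower() in domains:
            hits.append(e)
    return hits


def hunt_proxy(events, ips, domains, urls):
    """Mirror of the CommonSecurityLog query: a destination IP, URL host, or
    destination host name matching an indicator counts as a hit."""
    hits = []
    for e in events:
        url = e.get("RequestURL") or ""
        host = urlsplit(url).hostname if url else None
        dst_name = (e.get("DestinationHostName") or "").lower()
        if (e.get("DestinationIP") in ips or host in ips or host in domains
                or (dst_name and dst_name in domains) or url in urls):
            hits.append(e)
    return hits


if __name__ == "__main__":
    ips, domains, urls = extract_indicators(URLHAUS_IOCS)
    print("let malicious_ips = " + kql_dynamic(ips) + ";")
    for hit in hunt_dns(DNS_EVENTS, ips, domains):
        print("DNS hit:", hit["Computer"], hit["Name"], "->", hit["IPAddresses"])
    for hit in hunt_proxy(PROXY_EVENTS, ips, domains, urls):
        print("Proxy hit:", hit["SourceIP"], "->", hit["DestinationIP"], hit["DeviceAction"])
```

Run against the sample data, the DNS hunt returns only web02 (a name that resolved to a listed IP), while the proxy hunt returns both the allowed fetch from 10.0.0.5 and the denied connection from 10.0.0.9; the 10.0.0.5 fetch never appears in DNS because it used the IP directly, which is the blind spot the lead-in to the queries warns about. The same `extract_indicators` split is what decides whether a future URLhaus entry should go into an `IPAddresses`/`DestinationIP` match or a `Name`/`DestinationHostName` match.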
Scenario: A scheduled system-update job downloads a legitimate script from a host that is also listed on URLhaus (shared hosting, or a mirror that was compromised at some point)
Filter/Exclusion: Do not exclude a host just because it is "known"; allowlist the exact full URL (scheme, host and path) that the job is documented to fetch, after verifying the downloaded script's hash against the vendor's published value, and review the allowlist whenever URLhaus adds a new entry for that host. Traffic to urlhaus.abuse.ch itself is the SOC's own feed retrieval and can be excluded outright.
Scenario: An admin uses wget to manually download a script from a URLhaus entry for testing purposes
Filter/Exclusion: Do not exclude on the user being root or on command-line flags such as --test or --dry-run; attackers run as root and can pass any flag. Require such downloads to be made from a designated analysis host or sandbox network, exclude only that source address range, and tie the exclusion to a ticket and a time window.
Scenario: A CI/CD pipeline fetches a dependency from a URLhaus-listed repository during a build
Filter/Exclusion: Do not exclude build agents by process name (Jenkins, GitLab CI, GitHub Actions runners); a compromised runner is a high-value pivot and its fetches deserve scrutiny. Only the organisation's own internal mirrors (e.g. https://artifactory.example.com, https://nexus.example.com) belong on the allowlist. A runner pulling from an external URLhaus-listed host is a supply-chain finding, not a false positive.
Scenario: A user clicks on a phishing link that redirects to a URLhaus-listed domain
Filter/Exclusion: None; the user reached a malicious host, which is exactly what the hunt is for. Matching on words such as "phishing" or "malicious" in the URL path or on browser user-agent strings has no diagnostic value. Use DeviceAction to set severity instead: a blocked request shows the proxy control worked, an allowed one is an incident.
Scenario: A red team exercise using Cobalt Strike or Metasploit reaches a URLhaus-listed host
Filter/Exclusion: Do not exclude by tool name (cobaltstrike, metasploit, msfcli) or by a "red team" user account; real adversaries use the same tools and can create any account name. Scope the exclusion to the approved engagement's source hosts, destination indicators and time window, reference the engagement ticket, and expire it when the exercise ends.
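To make the red team and admin scenarios concrete, the following Python is an added example (not from the original page) that contrasts a broad exclusion keyed on user name and tool name with one scoped to an approved engagement record. The hunt hits, the engagement ticket number, the source and destination addresses and the time window are all constructed for the illustration; in production the engagement record would come from the red team's scoping document.

```python
"""Scoping an exclusion for the red team / admin scenarios above (added
example, not from the original page): broad exclusion versus one tied to an
approved engagement window."""
from datetime import datetime, timezone

# Constructed hunt hits (not real telemetry): a cron-driven dropper fetch
# running as root, and two fetches from the red team host, one inside and one
# outside the approved window.
HITS = [
    {"TimeGenerated": "2026-06-14T02:00:00Z", "SourceIP": "10.0.0.5", "User": "root",
     "ProcessName": "wget", "DestinationIP": "152.236.3.29"},
    {"TimeGenerated": "2026-06-14T14:30:00Z", "SourceIP": "10.0.9.50", "User": "redteam",
     "ProcessName": "cobaltstrike", "DestinationIP": "152.236.3.29"},
    {"TimeGenerated": "2026-06-20T14:30:00Z", "SourceIP": "10.0.9.50", "User": "redteam",
     "ProcessName": "cobaltstrike", "DestinationIP": "152.236.3.29"},
]

# Hypothetical engagement record: the ticket id, source hosts, destinations
# and window are assumptions for the illustration.
APPROVED_EXERCISES = [
    {"ticket": "RT-EXAMPLE-001",
     "source_ips": {"10.0.9.50"},
     "destinations": {"152.236.3.29"},
     "start": datetime(2026, 6, 14, 9, 0, tzinfo=timezone.utc),
     "end": datetime(2026, 6, 14, 18, 0, tzinfo=timezone.utc)},
]

RED_TEAM_TOOLS = {"cobaltstrike", "metasploit", "msfcli"}


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the hits into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def broad_exclusion(hits):
    """The weak setting: drop any hit run as root or by a known red team tool.
    This also drops the real dropper fetch, because it runs as root."""
    return [h for h in hits
            if h["User"] != "root" and h["ProcessName"] not in RED_TEAM_TOOLS]


def scoped_exclusion(hits, exercises):
    """The corrected setting: drop only hits covered by an approved engagement,
    i.e. matching source, destination and time window. Everything else, including
    red team traffic outside its window, stays in the queue."""
    kept = []
    for h in hits:
        t = _ts(h["TimeGenerated"])
        covered = any(
            h["SourceIP"] in ex["source_ips"]
            and h["DestinationIP"] in ex["destinations"]
            and ex["start"] <= t <= ex["end"]
            for ex in exercises
        )
        if not covered:
            kept.append(h)
    return kept


if __name__ == "__main__":
    print("broad exclusion leaves", len(broad_exclusion(HITS)), "hits")
    remaining = scoped_exclusion(HITS, APPROVED_EXERCISES)
    print("scoped exclusion leaves", len(remaining), "hits")
    for h in remaining:
        print("  ", h["TimeGenerated"], h["SourceIP"], h["User"], h["ProcessName"])
```

On the sample hits the broad rule suppresses everything, including the root-owned wget from 10.0.0.5 that is the actual compromise, while the scoped rule suppresses only the fetch that falls inside the engagement window and keeps both the dropper and the out-of-window red team traffic for triage. The same three-part key (source, destination, window) is what an analytics rule exception in Sentinel should carry, with the ticket id in its description so it can be expired.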