Adversaries may use malicious URLs from URLhaus to deliver payloads or exfiltrate data, leveraging compromised or phishing-linked domains. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activities early.
IOC Summary
Threat: sh
Total URLs: 2
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.13.186.32/o.xml | offline | malware_download | 2026-06-05 |
| hxxp://45.13.186.32/run.sh | offline | malware_download | 2026-06-05 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: sh
// The list holds the host part of the IOC URLs above; here that is a bare IP,
// so the query also checks the resolved-address column, since a DNS query
// name will never contain an IP literal.
let malicious_domains = dynamic(["45.13.186.32"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: sh
// Matches on either the full request URL or the destination host, so proxy
// and firewall events that populate only one of the two fields still surface.
let malicious_domains = dynamic(["45.13.186.32"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is using PowerShell to download a legitimate software update from a known secure URL. | Exclude URLs that match known update servers (e.g., *.microsoft.com, *.download.microsoft.com, *.google.com). |
| A scheduled job runs a PowerShell script to fetch data from a public API endpoint (e.g., https://api.example.com/data). | Exclude URLs containing /api/ or matching known internal or public API domains. |
| A Windows Update task is executed via Task Scheduler to fetch updates from Microsoft Update servers. | Exclude URLs that start with https://download.microsoft.com or https://windowsupdate.microsoft.com. |
| An IT support technician is using PsExec to remotely execute a script that accesses a company's internal repository (e.g., https://repo.company.local). | Exclude URLs that contain internal domain names or match the company's internal repository URL. |
| A CI/CD pipeline (e.g., Jenkins, GitHub Actions) is pulling dependencies from a public package registry (e.g., https://registry.npmjs.org). | Exclude URLs that match known package registry domains or are associated with CI/CD tooling. |
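The helper below, an added example rather than code from the page or from URLhaus, turns the defanged IOC table above into the `let malicious_domains = dynamic([...])` line used by both hunting queries, dropping any host that matches the false-positive allowlist from the scenarios above. The IOC rows are copied from the table; the allowlist patterns are the page's examples, not a complete list.

```python
import json
import re
from urllib.parse import urlsplit

# Rows copied from the IOC table above (URL, status, threat, date added).
IOC_ROWS = [
    ("hxxp://45.13.186.32/o.xml", "offline", "malware_download", "2026-06-05"),
    ("hxxp://45.13.186.32/run.sh", "offline", "malware_download", "2026-06-05"),
]

# Allowlist built from the false-positive scenarios; assumption: only the hosts
# the page names as examples, so extend it with your own update/registry hosts.
ALLOWLIST = ["*.microsoft.com", "*.google.com", "registry.npmjs.org", "*.company.local"]

def refang(url: str) -> str:
    """Undo the usual defanging: hxxp/hxxps -> http/https and [.] -> ."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)

def host_of(url: str) -> str:
    """Host (domain or IP literal) of a possibly defanged URL, '' if unparsable."""
    return urlsplit(refang(url)).hostname or ""

def allowlisted(host: str) -> bool:
    """True if host matches an allowlist entry; '*.x' matches x and any subdomain."""
    for pat in ALLOWLIST:
        if pat.startswith("*."):
            if host == pat[2:] or host.endswith(pat[1:]):
                return True
        elif host == pat:
            return True
    return False

def hunt_indicators(rows) -> list:
    """Unique hosts from the IOC rows, in table order, minus allowlisted ones."""
    hosts = []
    for url, *_ in rows:
        h = host_of(url)
        if h and h not in hosts and not allowlisted(h):
            hosts.append(h)
    return hosts

def kql_let(name: str, values) -> str:
    """Render a KQL 'let' with a dynamic array; json.dumps quotes each value safely."""
    return f"let {name} = dynamic([{', '.join(json.dumps(v) for v in values)}]);"

if __name__ == "__main__":
    print(kql_let("malicious_domains", hunt_indicators(IOC_ROWS)))
```

Paste the printed line in place of the `let` statement in either query; the allowlist check keeps update and registry hosts out of the indicator list before the query runs, rather than filtering them out of the results afterwards.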