The hypothesis is that the detected URLs serve malicious shell scripts (URLhaus tag "sh") that, once fetched and executed, run arbitrary commands on the compromised host. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and contain potential command-and-control activity or data exfiltration attempts.
IOC Summary
Threat: sh
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.135.193.114/run.sh | online | malware_download | 2026-04-18 |
| hxxp://176.65.139.115/O.sh | online | malware_download | 2026-04-18 |
Hunting Queries

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: sh
// The indicators for this hunt are bare IP addresses, so a hit is far more
// likely on the resolved address (IPAddresses) than on the queried name (Name);
// both columns are checked.
let malicious_domains = dynamic(["45.135.193.114", "176.65.139.115"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: sh
// Because the indicators are IP addresses, also match on DestinationIP:
// a proxy or firewall log may carry only the IP and no hostname or URL.
let malicious_domains = dynamic(["45.135.193.114", "176.65.139.115"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
Required Data Connectors

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is manually testing a new URL shortener service using a known safe URL from the sh category for internal documentation.
  Filter/Exclusion: Exclude URLs that match the internal documentation domain (e.g., internal-docs.example.com) or use a tag like safe-testing.
- Scenario: A scheduled job runs a script that downloads a legitimate update from a trusted source, which happens to be tagged as sh in the URLhaus database.
  Filter/Exclusion: Exclude URLs that match the known update server (e.g., updates.example.com) or use a tag like trusted-update.
- Scenario: A developer is using a CI/CD pipeline to deploy code, and the pipeline includes a step that fetches a script from a public repository, which is mistakenly tagged as sh in the URLhaus database.
  Filter/Exclusion: Exclude URLs that match the CI/CD tool’s artifact repository (e.g., artifactory.example.com) or use a tag like ci-cd.
- Scenario: An IT team is performing a system cleanup and uses a script to remove old logs, which includes a URL to a log storage service that is incorrectly tagged as sh.
  Filter/Exclusion: Exclude URLs that match the log storage domain (e.g., logs.example.com) or use a tag like log-rotation.
- Scenario: A user is accessing a legitimate internal portal that uses a short URL for internal navigation, and the portal’s URL is tagged as sh due to a misclassification.
  Filter/Exclusion: Exclude URLs that match the internal portal domain (e.g., portal.example.com) or use a tag like internal-portal.
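The two hunting queries above return raw rows and have no exclusion logic, so every scenario in the list would have to be filtered by hand. The following KQL is an added example, not part of the original page: it unions the DNS and CommonSecurityLog matches for the two listed indicators, drops traffic to an allowlist built from the example domains in the scenarios (these example.com hosts are placeholders to be replaced with your own approved hosts), and summarizes per source host and indicator so an analyst sees first/last seen and hit counts instead of a row per event. The 30-day lookback and the column names used for the union are assumptions for this example.

```kusto
// Added example: combined URLhaus "sh" hunt with a false-positive allowlist.
// Indicators are the two IPs from the IOC summary on this page.
let lookback = 30d;                      // assumed window; tune to your retention
let malicious_iocs = dynamic(["45.135.193.114", "176.65.139.115"]);
// Allowlist built from the false-positive scenarios; placeholder hosts,
// replace with the approved hosts documented for your environment.
let approved_hosts = dynamic([
    "internal-docs.example.com",
    "updates.example.com",
    "artifactory.example.com",
    "logs.example.com",
    "portal.example.com"
]);
// DNS side: the indicators are bare IPs, so the resolved address is the
// column most likely to match; the queried name is still checked.
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_iocs) or IPAddresses has_any (malicious_iocs)
    | where not(Name has_any (approved_hosts))
    | project TimeGenerated,
              Source = "DnsEvents",
              SourceHost = Computer,
              Indicator = strcat(Name, " -> ", IPAddresses),
              Action = "";
// Proxy/firewall side: match URL, hostname or destination IP, then remove
// connections to approved hosts before they reach the analyst.
let proxy_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestURL has_any (malicious_iocs)
        or DestinationHostName has_any (malicious_iocs)
        or DestinationIP has_any (malicious_iocs)
    | where not(RequestURL has_any (approved_hosts) or DestinationHostName has_any (approved_hosts))
    | project TimeGenerated,
              Source = "CommonSecurityLog",
              SourceHost = SourceIP,
              Indicator = coalesce(RequestURL, DestinationHostName, DestinationIP),
              Action = DeviceAction;
// One triage view: which hosts touched which indicator, how often, and when.
union dns_hits, proxy_hits
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hits = count(),
            Sources = make_set(Source),
            Actions = make_set(Action)
          by SourceHost, Indicator
| order by LastSeen desc
```

Keep the allowlist short and reviewed: an approved host that is later compromised would be hidden by this filter, so each entry should carry an owner and an expiry in the detection's documentation. The Actions column is useful for prioritisation; a hit whose DeviceAction shows the proxy blocked the request is a lower-priority ticket than one that was allowed through and also produced a DNS resolution on the same host.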