The hypothesis is that the detected URLs are associated with malicious shell scripts (sh) used by adversaries to execute arbitrary code and establish persistence. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential command and control channels or initial compromise vectors.
IOC Summary

Threat: sh. Total URLs: 2. Active URLs: 2.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://static.210.112.105.178.clients.your-server.de/o.xml | online | malware_download | 2026-05-24 |
| hxxp://178.105.112.210/o.xml | online | malware_download | 2026-05-24 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: sh
let malicious_domains = dynamic(["static.210.112.105.178.clients.your-server.de", "178.105.112.210"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: sh
let malicious_domains = dynamic(["static.210.112.105.178.clients.your-server.de", "178.105.112.210"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a new URL filtering tool by accessing a known safe URL from the urlhaus database.
  Filter/Exclusion: Exclude URLs that match the urlhaus database and are tagged as safe or benign.
- Scenario: A scheduled job runs a script that downloads a legitimate update from a trusted source, which happens to be listed in the urlhaus database due to a false positive.
  Filter/Exclusion: Exclude URLs that are associated with known update servers (e.g., updates.microsoft.com, download.docker.com), or maintain a domain allowlist of known-good domains so they do not trigger the rule.
- Scenario: A developer is using a tool like curl or wget to fetch a public API endpoint that is mistakenly flagged by the rule due to a shared domain with a malicious URL.
  Filter/Exclusion: Exclude traffic from specific command-line tools (curl, wget), or use a process.name filter to keep these tools from triggering the rule.
- Scenario: A security tool like CrowdStrike Falcon or Microsoft Defender is performing a scheduled scan and generates a report that includes a URL from the urlhaus database as part of its analysis.
  Filter/Exclusion: Exclude URLs that are associated with security tools or their telemetry endpoints (e.g., falcon-sensor, defender-scan).
- Scenario: A DevOps pipeline uses Ansible or Jenkins to deploy code and includes a step that fetches a dependency from a repository that coincidentally matches a malicious URL in the urlhaus database.
  Filter/Exclusion: Exclude URLs that are part of known CI/CD toolchains, or use a process.name filter to keep Ansible, Jenkins, or similar tools from triggering the rule.
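The two hunt queries above match only the host portion of the IOCs and carry no exclusions. The following query is an added example, not part of the original hunt package: it runs the same hunt across both required tables in one pass, scores a hit higher when the full IOC path (/o.xml) appears in the proxy or firewall RequestURL, and applies the domain-allowlist exclusion from the scenarios above. The allowlist contents, the 30-day lookback, and the Severity labels are assumptions to tune per environment. The process-based exclusions (curl, wget, Ansible, Jenkins) cannot be expressed against DnsEvents or CommonSecurityLog because neither table carries the initiating process; they need a data source with process context, which this page does not list.

```kql
// Added example, not from the original hunt package. Assumes the DnsEvents and
// CommonSecurityLog connectors listed above are enabled.
let lookback = 30d;                                   // assumed hunting window
let malicious_domains = dynamic(["static.210.112.105.178.clients.your-server.de", "178.105.112.210"]);
// Full IOC path: a match here is stronger evidence than a host-only match
let malicious_paths = dynamic(["/o.xml"]);
// Known-good servers from the false-positive scenarios (assumed examples; extend per environment)
let allowlist_domains = dynamic(["updates.microsoft.com", "download.docker.com"]);
// DNS side: resolution of an IOC host, allowlist applied
let dns_hits = DnsEvents
| where TimeGenerated > ago(lookback)
| where Name has_any (malicious_domains)
| where not(Name has_any (allowlist_domains))
| project TimeGenerated, Source = "DnsEvents", Host = Computer, Indicator = Name,
          Detail = tostring(IPAddresses), Action = "", PathMatch = false;
// Web side: proxy/firewall traffic to an IOC host, allowlist applied, path checked
let web_hits = CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| where not(RequestURL has_any (allowlist_domains) or DestinationHostName has_any (allowlist_domains))
| extend PathMatch = RequestURL has_any (malicious_paths)
| project TimeGenerated, Source = "CommonSecurityLog", Host = SourceIP,
          Indicator = coalesce(DestinationHostName, RequestURL),
          Detail = RequestURL, Action = DeviceAction, PathMatch;
// Combine both sources and roll up per host and indicator
union dns_hits, web_hits
| extend Severity = iff(PathMatch == true, "High", "Medium")   // path hit outranks host-only hit
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Sources = make_set(Source), Actions = make_set(Action)
  by Host, Indicator, Severity
| order by Severity asc, LastSeen desc   // "High" sorts before "Medium" alphabetically
```

The Actions column is worth reading before escalating: a hit whose DeviceAction shows the proxy blocked the request is a contained attempt, whereas an allowed request to the /o.xml path, or a DNS resolution with no matching proxy record, suggests the host reached the indicator and warrants endpoint triage.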