This hunt hypothesis looks for adversaries using ua-wget to download malicious payloads from URLs listed in URLhaus, which can indicate command and control or data exfiltration activity. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate early-stage malware execution and network compromise.
IOC Summary
Threat: ua-wget
Total URLs: 12
Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://31.58.87.160/bins/arm6 | offline | malware_download | 2026-05-05 |
| hxxp://31.58.87.160/bins/x86 | offline | malware_download | 2026-05-05 |
| hxxp://31.58.87.160/bins/sh4 | offline | malware_download | 2026-05-05 |
| hxxp://31.58.87.160/bins/arm5 | offline | malware_download | 2026-05-05 |
| hxxp://31.58.87.160/bins/ppc | offline | malware_download | 2026-05-05 |
| hxxp://31.58.87.160/bins/mips | offline | malware_download | 2026-05-05 |
| hxxp://31.58.87.160/bins/spc | offline | malware_download | 2026-05-05 |
| hxxp://31.58.87.160/bins/m68k | offline | malware_download | 2026-05-05 |
| hxxp://31.58.87.160/bins/arm | offline | malware_download | 2026-05-05 |
| hxxp://31.58.87.160/bins/mpsl | offline | malware_download | 2026-05-05 |
| hxxp://31.58.87.160/bins/arm7 | offline | malware_download | 2026-05-05 |
| hxxp://31.58.87.160/bins/x86_64 | offline | malware_download | 2026-05-05 |
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: ua-wget
// The URLhaus entries for this threat are hosted on an IP literal, so the
// indicator list holds an IP rather than a domain. A queried Name will never
// contain it, so also match the resolved IPAddresses column; otherwise this
// query cannot fire for IP-hosted payload URLs.
let malicious_domains = dynamic(["31.58.87.160"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: ua-wget
// RequestURL carries the IP literal for direct-to-IP downloads; DestinationHostName
// covers proxies that log the resolved or requested host separately.
let malicious_domains = dynamic(["31.58.87.160"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
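Added example, not part of the original hunt page: a Python helper that refangs the defanged URLs from the IOC table, derives the unique hosts (here a single IP literal, not a domain), renders the `let malicious_domains` binding both KQL queries start with, and replays the CommonSecurityLog predicate over constructed proxy records so the match can be checked before the query is run in Sentinel. `has_any` is approximated by a case-insensitive substring test, which is a superset of KQL's term-based match.

```python
"""Build the KQL indicator list from defanged URLhaus entries and replay the proxy hunt locally."""
import json
from urllib.parse import urlparse

# Defanged URLs copied from the IOC table above (three of the twelve).
IOC_URLS = ["hxxp://31.58.87.160/bins/arm6", "hxxp://31.58.87.160/bins/x86",
            "hxxp://31.58.87.160/bins/mips"]

def refang(url):
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] -> ., (.) -> ., [:] -> :."""
    if url.startswith("hxxp"):
        url = "http" + url[4:]
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def indicator_hosts(urls):
    """Unique hosts (domain or IP literal) from the URL list, order preserved."""
    hosts = []
    for u in urls:
        host = urlparse(refang(u)).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def kql_let(hosts, name="malicious_domains"):
    """Render the 'let' binding both hunt queries start with."""
    return f"let {name} = dynamic({json.dumps(hosts)});"

def has_any(value, needles):
    """Local stand-in for KQL has_any: case-insensitive; substring is a superset of KQL's term match."""
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)

def hunt_csl(records, hosts):
    """Same predicate as the CommonSecurityLog hunt: RequestURL or DestinationHostName hits."""
    return [r for r in records
            if has_any(r.get("RequestURL"), hosts) or has_any(r.get("DestinationHostName"), hosts)]

# Constructed proxy records shaped like CommonSecurityLog rows (not real telemetry).
SAMPLE_CSL = [
    {"TimeGenerated": "2026-05-05T10:01:00Z", "SourceIP": "10.0.0.15", "DeviceAction": "allow",
     "RequestURL": "http://31.58.87.160/bins/x86", "DestinationHostName": ""},
    {"TimeGenerated": "2026-05-05T10:02:00Z", "SourceIP": "10.0.0.16", "DeviceAction": "allow",
     "RequestURL": "https://mirror.example.net/update.tar.gz", "DestinationHostName": "mirror.example.net"},
]
if __name__ == "__main__":
    hosts = indicator_hosts(IOC_URLS)
    print(kql_let(hosts))  # -> let malicious_domains = dynamic(["31.58.87.160"]);
    for hit in hunt_csl(SAMPLE_CSL, hosts):
        print(hit["TimeGenerated"], hit["SourceIP"], hit["RequestURL"], hit["DeviceAction"])
```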
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
The exclusions below are written in generic pseudo-syntax (`process.name`, `process.args`, `source_ip`, `destination_ip`) and must be mapped to the columns of the tables actually queried before use.

Scenario: System Update via wget
Description: A system administrator uses wget to download a legitimate update from a trusted repository.
Filter/Exclusion: `process.name != "wget" OR process.args NOT LIKE '%update%' OR source_ip IN (trusted_update_servers)`

Scenario: Scheduled Job for Log Collection
Description: A scheduled job runs wget to fetch log files from a remote server for centralized logging.
Filter/Exclusion: `process.name != "wget" OR process.args NOT LIKE '%logs%' OR destination_ip IN (internal_logging_servers)`

Scenario: Admin Task to Download Configuration Files
Description: An admin manually downloads configuration files from a secure internal server using wget.
Filter/Exclusion: `process.name != "wget" OR process.args NOT LIKE '%config%' OR source_ip IN (internal_admin_servers)`

Scenario: Automated Backup Tool Using wget
Description: A backup tool like rsnapshot or BackupPC uses wget to retrieve backups from a remote server.
Filter/Exclusion: `process.name != "wget" OR process.args NOT LIKE '%backup%' OR destination_ip IN (backup_servers)`

Scenario: Internal Monitoring Tool Fetching Metrics
Description: An internal monitoring tool like Prometheus or Grafana uses wget to pull metrics from a local server.
Filter/Exclusion: `process.name != "wget" OR process.args NOT LIKE '%metrics%' OR source_ip IN (internal_monitoring_servers)`