The hunt hypothesis detects adversaries using ua-wget to download malicious payloads from compromised URLs, leveraging URLhaus intelligence to identify potential command and control or data exfiltration channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware execution and lateral movement attempts.
IOC Summary
Threat: ua-wget Total URLs: 7 Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://65.87.7.5/lll | offline | malware_download | 2026-04-18 |
hxxp://65.87.7.5/mpsl | offline | malware_download | 2026-04-18 |
hxxp://176.65.148.173/i686 | offline | malware_download | 2026-04-18 |
hxxp://176.65.148.173/arm5 | offline | malware_download | 2026-04-18 |
hxxp://176.65.148.173.ptr.pfcloud.network/i686 | offline | malware_download | 2026-04-18 |
hxxp://176.65.148.173.ptr.pfcloud.network/arm5 | offline | malware_download | 2026-04-18 |
hxxps://filebin.net/lowoyel91h576uav/cag54tgv8n | offline | malware_download | 2026-04-18 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ua-wget
let malicious_domains = dynamic(["65.87.7.5", "filebin.net", "176.65.148.173.ptr.pfcloud.network", "176.65.148.173"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["65.87.7.5", "filebin.net", "176.65.148.173.ptr.pfcloud.network", "176.65.148.173"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: System Update Job Using wget
Description: A scheduled system update job uses wget to download a legitimate package from a known internal or public repository.
Filter/Exclusion: Exclude URLs matching internal update servers (e.g., internal-repo.example.com, updates.example.com) or known safe repositories (e.g., packages.debian.org, archive.ubuntu.com).
Scenario: Admin Task to Download Logs via wget
Description: An administrator manually runs a wget command to download logs from a remote server for troubleshooting.
Filter/Exclusion: Exclude URLs containing known admin log servers (e.g., logs.example.com, syslog.example.com) or use a user-based filter to exclude commands executed by admin accounts.
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) uses wget to fetch build artifacts from a secure artifact repository.
Filter/Exclusion: Exclude URLs matching known CI/CD artifact hosts (e.g., artifacts.example.com, registry.example.com) or filter by process names like jenkins-agent or gitlab-runner.
Scenario: User-Initiated File Transfer via wget
Description: A user uses wget to download a file from a trusted external source (e.g., a public documentation site) for personal or work-related use.
Filter/Exclusion: Exclude URLs from whitelisted domains (e.g., docs.example.com, support.example.com) or filter by user context (e.g., [email protected]).
Scenario: Internal Tool for Data Aggregation
Description: An internal tool (e.g., data-aggregator) uses wget to pull data from a company-owned