The detection identifies potential adversary activity involving malicious URLs associated with the 54e64e tag, which may indicate a targeted compromise or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats before they lead to broader network infiltration.
IOC Summary

- Threat: 54e64e
- Total URLs: 2
- Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://91.92.242.236/files-129312398/files/file_e0d9fc225974f3bc.exe | online | malware_download | 2026-05-20 |
| hxxp://91.92.242.236/files-129312398/files/file_a84633d24262c0c0.exe | online | malware_download | 2026-05-20 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 54e64e
let malicious_domains = dynamic(["91.92.242.236"]);
DnsEvents
// The indicator is a bare IP, so it will appear in the resolved-address field
// rather than in the queried name; check both so the hunt actually matches.
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: 54e64e
let malicious_domains = dynamic(["91.92.242.236"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
1. Scenario: A system administrator is manually testing a new endpoint protection tool by visiting a known safe URL that matches the pattern of the malicious URLs in the rule.
   Filter/Exclusion: Exclude URLs that are part of internal testing environments or whitelisted by the endpoint protection tool (e.g., test-secure-endpoint.example.com).
2. Scenario: A scheduled job runs a script to download a software update from a trusted internal repository, which happens to use a URL format similar to the malicious URLs in the rule.
   Filter/Exclusion: Exclude URLs that match internal update servers (e.g., https://updates.internal.company.com/*).
3. Scenario: A user is accessing a legitimate phishing training page that mimics a malicious URL structure as part of a security awareness program.
   Filter/Exclusion: Exclude URLs containing known training domains (e.g., https://phishing-training.example.com/*).
4. Scenario: A DevOps pipeline is executing a CI/CD job that uses a temporary URL for artifact distribution, which coincidentally matches the malicious URL pattern.
   Filter/Exclusion: Exclude URLs that are part of CI/CD artifact repositories (e.g., https://artifactory.example.com/*).
5. Scenario: A system is running a legitimate security tool that periodically checks for updates, and the update server URL matches the malicious URL pattern in the rule.
   Filter/Exclusion: Exclude URLs associated with known security tools (e.g., https://updates.malwarebytes.com/*).
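The following query is an added example, not part of the original rule. It combines the CommonSecurityLog hunt with the exclusions described in the scenarios above, and goes one step further than the rule by also matching the path pattern the two listed URLs share (`/files-<digits>/files/file_<16 hex>.exe`) so look-alike payload URLs on other hosts surface as low-confidence hits. The allowlist hostnames are placeholders taken from the scenarios and must be replaced with the organisation's own approved hosts.

```kusto
// Added example, not part of the original rule. Hunts CommonSecurityLog for the
// 54e64e IOCs plus the payload path pattern the two URLs share, then applies the
// documented exclusions so that only pattern-only matches can be suppressed.
let malicious_domains = dynamic(["91.92.242.236"]);
let malicious_urls = dynamic([
    "http://91.92.242.236/files-129312398/files/file_e0d9fc225974f3bc.exe",
    "http://91.92.242.236/files-129312398/files/file_a84633d24262c0c0.exe"
]);
// Generalised from the two listed URLs: /files-<digits>/files/file_<16 hex>.exe
let payload_path_pattern = @"/files-\d+/files/file_[0-9a-f]{16}\.exe$";
// Placeholder allowlist built from the exclusion scenarios; replace with the
// organisation's real update, training, CI/CD and security-tool hosts.
let allowlisted_hosts = dynamic([
    "test-secure-endpoint.example.com",
    "updates.internal.company.com",
    "phishing-training.example.com",
    "artifactory.example.com",
    "updates.malwarebytes.com"
]);
CommonSecurityLog
| where TimeGenerated > ago(30d)
| where isnotempty(RequestURL) or isnotempty(DestinationHostName)
// Exact hit on the published indicator (IP or host)
| extend ExactIocHit = DestinationIP in (malicious_domains)
    or RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
// Look-alike payload path on any host
| extend PatternHit = RequestURL matches regex payload_path_pattern
| where ExactIocHit or PatternHit
// Exclusions never hide a hit on the IOC itself, only a look-alike path on an approved host
| where ExactIocHit or not(DestinationHostName has_any (allowlisted_hosts))
// 3 = one of the listed payload URLs, 2 = IOC host/IP, 1 = path pattern only
| extend Confidence = case(RequestURL in (malicious_urls), 3, ExactIocHit, 2, 1)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
    Hits = count(), Urls = make_set(RequestURL, 10),
    Actions = make_set(DeviceAction, 5)
    by SourceIP, DestinationHostName, DestinationIP, Confidence
| order by Confidence desc, LastSeen desc
```

Review the DeviceAction column first: an allowed (rather than blocked) request to a Confidence 3 URL is the case to escalate for host triage.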