Adversaries may use adb-related malicious URLs to exfiltrate data or establish command and control channels, leveraging compromised endpoints to move laterally within a network. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential data exfiltration and C2 activities early.
IOC Summary
Threat: adb
Total URLs: 15
Active URLs: 15
```kusto
// Hunt for DNS activity involving URLhaus indicators
// Threat: adb
// The indicator is a bare IP, so it appears in Name only for reverse (PTR)
// lookups; the resolved IPAddresses column is matched as well.
let malicious_domains = dynamic(["89.32.41.16"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy traffic to URLhaus indicators
// Threat: adb
// DestinationIP is checked too, since connections to a bare IP carry no host name.
let malicious_domains = dynamic(["89.32.41.16"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
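As an added example (not part of this page or of URLhaus), the Python helper below refangs `hxxp://` rows written in the IOC-table layout used here, drops entries URLhaus marks offline, and emits the CommonSecurityLog hunt with deduplicated hosts plus a per-row path-match flag. The sample rows are constructed, and the `malicious_hosts`/`malicious_paths` names and the use of KQL's built-in `parse_url()` are my choices, not the page's.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows in the page's IOC table layout (hxxp:// is the
# defanged form of http://); the host is the indicator used in the hunts above.
SAMPLE_ROWS = """\
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://89.32.41.16/bins/x86_64 | online | malware_download | 2026-05-22 |
hxxp://89.32.41.16/bins/mips | online | malware_download | 2026-05-22 |
hxxp://89.32.41.16/bins/arm7 | offline | malware_download | 2026-05-22 |
"""

def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so urlparse can read the URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".")

def parse_rows(text: str, active_only: bool = True) -> list:
    """Return (url, host, path, status) tuples; header and separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0].lower() in ("url", "---"):
            continue
        url, status = refang(cells[0]), cells[1].lower()
        if active_only and status != "online":
            continue  # URLhaus marks taken-down URLs offline; skip them by default
        parsed = urlparse(url)
        rows.append((url, parsed.hostname, parsed.path, status))
    return rows

def kql_list(items) -> str:
    """Render an iterable as a KQL dynamic([...]) literal, deduplicated and sorted."""
    return "dynamic([" + ", ".join(f'"{i}"' for i in sorted(set(items))) + "])"

def build_kql(text: str, table: str = "CommonSecurityLog") -> str:
    """Emit the web-traffic hunt: match on host, then flag rows whose path is a known payload."""
    # parse_url() is a KQL built-in; the two let-names are chosen here, not taken from the page.
    rows = parse_rows(text)
    return "\n".join([
        f"let malicious_hosts = {kql_list(r[1] for r in rows)};",
        f"let malicious_paths = {kql_list(r[2] for r in rows)};",
        table,
        "| where DestinationHostName has_any (malicious_hosts) or RequestURL has_any (malicious_hosts)",
        "| extend PathMatch = tostring(parse_url(RequestURL).Path) in (malicious_paths)",
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction, PathMatch",
        "| order by TimeGenerated desc",
    ])
```

Paste the output of `build_kql(...)` into Sentinel Logs; `PathMatch == true` rows are fetches of the exact payload names, while host-only hits still warrant a look at the proxy action and source.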
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a security tool by accessing a known benign URL from the URLhaus database for validation purposes.
Filter/Exclusion: Exclude URLs that match the urlhaus database and are tagged as adb but are known to be used in security testing or validation.
Scenario: A scheduled job runs a script that downloads a legitimate software update from a URL tagged as adb in URLhaus that is actually a trusted source.
Filter/Exclusion: Exclude URLs that originate from known trusted update servers (e.g., download.microsoft.com, updates.symantec.com) or match a whitelist of allowed update URLs.
Scenario: A user is accessing a URL that is part of a legitimate administrative task, such as a remote management tool (e.g., psexec, winrm) that is used for system administration.
Filter/Exclusion: Exclude URLs that are associated with known administrative tools (e.g., psexec, winrm, schtasks) or are part of a whitelisted administrative task.
Scenario: A security analyst is using a tool like OSSEC or Splunk to query a URL from the URLhaus database for analysis, which is flagged as adb but is part of a legitimate investigation.
Filter/Exclusion: Exclude URLs that are part of a security analysis workflow and are explicitly marked as benign or used for threat intelligence purposes.
Scenario: A backup or synchronization job (e.g., Veeam, rsync, RoboCopy) is transferring files over a network using a URL that is mistakenly tagged as adb in URLhaus.
Filter/Exclusion: Exclude URLs that are associated with backup or sync tools (e.g., veeam, rsync, robocopy) or are part of a