Adversaries may use URLs tagged `arm` in URLhaus to deliver malicious payloads (binaries compiled for the ARM architecture, the kind typically fetched onto routers and other IoT devices by a loader script) from compromised or otherwise trusted-looking hosts in order to evade detection. SOC teams should proactively hunt for these URLs in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain the resulting command-and-control or data-exfiltration activity early. Note that all three URLs below share one IP address, so the hunt is effectively a hunt for that address.
IOC Summary
Threat tag: arm. Total URLs: 3. Active (online) URLs: 3. "Date Added" is the date URLhaus listed the URL.
| URL (defanged) | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://92.42.100.131/meow/arm7 | online | malware_download | 2026-05-19 |
| hxxp://92.42.100.131/meow/arm | online | malware_download | 2026-05-19 |
| hxxp://92.42.100.131/meow/arm5 | online | malware_download | 2026-05-19 |
```kusto
// Hunt for DNS resolutions that return the URLhaus-listed address
// Threat: arm
// The IOC host is an IP literal, so it never appears as a queried Name;
// match on the resolved answers (IPAddresses) instead.
let malicious_ips = dynamic(["92.42.100.131"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic (proxy/firewall CEF) to the URLhaus-listed address
// Threat: arm
// Match on the destination address as well as the URL, since a direct
// connection to the IP carries no hostname to compare against.
let malicious_ips = dynamic(["92.42.100.131"]);
CommonSecurityLog
| where DestinationIP has_any (malicious_ips) or RequestURL has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector (proxy or firewall logs); ensure it is enabled and that the device forwards request URLs |
| DnsEvents | Populated by the DNS Analytics connector (Windows DNS servers via the agent); ensure it is enabled. Only DNS-resolved traffic appears here; a loader that connects straight to the IP leaves no DNS record |
False-positive handling: the hunt keys on a single IP address, so exclusions based on strings in the URL (ignoring anything containing test, update or staging) add nothing and would hand an attacker a trivial bypass. Scope any exclusion to the source of the traffic and to a time window, never to the URL text.

Scenario: A system administrator is manually testing a new URL shortener service by entering a legitimate test URL into a browser or command-line tool.
Filter/Exclusion: Not applicable unless the shortened link actually redirects to 92.42.100.131. If an analyst deliberately fetches the IOC URL while verifying it, exclude that analyst's SourceIP or Computer for the verification window; do not exclude shortener domains such as bit.ly, tinyurl.com or short.cm, as they are themselves common redirectors to malicious content.

Scenario: A scheduled job runs a script that downloads a legitimate software update from a trusted source (e.g., Microsoft Update or Adobe Update Server).
Filter/Exclusion: A genuine vendor update is never served from the listed address, so a hit from an update job is a finding, not a false positive. Confirm the DestinationIP and DestinationHostName belong to the vendor (e.g., download.microsoft.com) rather than excluding on substrings such as update or patch.

Scenario: A user is accessing a phishing simulation URL provided by the security team as part of a training exercise.
Filter/Exclusion: Exclude the simulation platform's hosts and the internal domain it uses (e.g., intranet.corp.example.com), scoped to the exercise window. A simulation should never point at a live URLhaus listing; if it does, treat the hit as real.

Scenario: A DevOps team is using a CI/CD pipeline to deploy a new application, and the pipeline temporarily accesses a staging URL for testing.
Filter/Exclusion: Exclude the pipeline runners' SourceIPs and the staging domain (e.g., staging.example.com). A pipeline fetching anything from 92.42.100.131 indicates a compromised dependency or build step and should be escalated.

Scenario: A system is running a legitimate network discovery tool that periodically checks for available services on the internal network, generating temporary URLs for internal resources.
Filter/Exclusion: Internal ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) cannot overlap the listed public address, so the discovery tool can only match if it is also probing external hosts; exclude the scanner's SourceIP only.
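As an added example (not code from the original page, URLhaus or Sentinel), the script below replays the two hunts above and the source-scoped exclusion advice against constructed DnsEvents- and CommonSecurityLog-style records. It refangs the defanged IOC URLs, works out that the host is an IP literal, matches DNS records on their resolved answers and proxy records on DestinationIP, and flags rather than drops hits from an assumed authorised verification host (10.0.9.9). All log records, the 192.0.2.10 address and the `cdn-edge.example` name are constructed samples.

```python
"""Offline replay of the URLhaus 'arm' hunt against constructed log records."""
import ipaddress
import re
from urllib.parse import urlsplit

# The three IOC URLs exactly as URLhaus lists them (defanged with hxxp://).
URLHAUS_IOCS = [
    "hxxp://92.42.100.131/meow/arm7",
    "hxxp://92.42.100.131/meow/arm",
    "hxxp://92.42.100.131/meow/arm5",
]

# Assumed: the security team's host that deliberately re-fetches IOCs to verify them.
AUTHORISED_SOURCES = {"10.0.9.9"}

# Constructed DnsEvents-like records. An IP-literal IOC can only show up in the
# answers (IPAddresses), never in the queried Name.
DNS_SAMPLE = [
    {"Computer": "ws01", "Name": "download.microsoft.com", "IPAddresses": "192.0.2.10"},
    {"Computer": "cam07", "Name": "cdn-edge.example", "IPAddresses": "192.0.2.11, 92.42.100.131"},
]

# Constructed CommonSecurityLog-like records (proxy CEF).
PROXY_SAMPLE = [
    {"SourceIP": "10.0.5.20", "DestinationIP": "92.42.100.131",
     "RequestURL": "http://92.42.100.131/meow/arm7", "DeviceAction": "allow"},
    {"SourceIP": "10.0.9.9", "DestinationIP": "92.42.100.131",
     "RequestURL": "http://92.42.100.131/meow/arm", "DeviceAction": "block"},
    {"SourceIP": "10.0.5.21", "DestinationIP": "192.0.2.10",
     "RequestURL": "http://download.microsoft.com/update/patch.msu", "DeviceAction": "allow"},
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp://, [.], (.)) so the URL can be parsed."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def split_iocs(urls):
    """Return (hostnames, ip_literals, full_urls) derived from defanged IOC URLs."""
    hosts, ips, full = set(), set(), set()
    for u in urls:
        clean = refang(u).lower()
        host = urlsplit(clean).hostname or ""
        full.add(clean)
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            hosts.add(host)
    return hosts, ips, full


def _name_matches(name: str, hosts) -> bool:
    """Exact or subdomain match of a queried DNS name against IOC hostnames."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in hosts)


def hunt_dns(records, ips, hosts):
    """Mirror of the DnsEvents query: match on resolved answers or IOC hostnames."""
    hits = []
    for r in records:
        answers = {a.strip() for a in r["IPAddresses"].split(",")}
        if answers & ips or _name_matches(r["Name"], hosts):
            hits.append(r)
    return hits


def hunt_proxy(records, ips, hosts, full_urls, authorised=AUTHORISED_SOURCES):
    """Mirror of the CommonSecurityLog query, with source-scoped suppression.

    Hits from authorised verification hosts are kept but flagged as suppressed,
    so the analyst still sees them instead of silently losing them.
    """
    hits = []
    for r in records:
        url = r["RequestURL"].lower()
        host = urlsplit(url).hostname or ""
        if not (r.get("DestinationIP") in ips or host in ips or _name_matches(host, hosts)):
            continue
        hits.append({**r, "exact_ioc": url in full_urls,
                     "suppressed": r["SourceIP"] in authorised})
    return hits


if __name__ == "__main__":
    hosts, ips, full = split_iocs(URLHAUS_IOCS)
    for hit in hunt_dns(DNS_SAMPLE, ips, hosts):
        print("DNS   ", hit)
    for hit in hunt_proxy(PROXY_SAMPLE, ips, hosts, full):
        print("PROXY ", hit)
```

The legitimate update download is never matched even though its URL contains "update" and "patch", which is why the substring exclusions in the scenarios above are unnecessary; conversely, the traffic from the verification host is matched and merely marked `suppressed`, so a compromised "authorised" host still leaves a visible trail.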