Adversaries may use malicious URLs catalogued by URLhaus to deliver payloads or exfiltrate data, leveraging compromised or phishing links to gain initial access. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise early in the attack lifecycle.

IOC Summary

Threat: arm
Total URLs: 4
Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.159/bins/parm | online | malware_download | 2026-05-10 |
| hxxp://176.65.139.159/bins/parm7 | online | malware_download | 2026-05-10 |
| hxxp://176.65.139.159/bins/parm6 | online | malware_download | 2026-05-10 |
| hxxp://176.65.139.159/bins/parm5 | online | malware_download | 2026-05-10 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: arm
// This IOC set contains an IP address rather than a hostname, so match the
// resolved addresses (IPAddresses) as well as the queried Name; a bare IP
// never appears in the Name column.
let malicious_domains = dynamic(["176.65.139.159"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Run as a separate query: KQL let statements must be terminated with ';'
// and each hunt ends in its own tabular expression.
let malicious_domains = dynamic(["176.65.139.159"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)   // direct-to-IP connections carry no hostname
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
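The hunts above are written for one IOC set by hand. The following Python script is an added example (not part of this page or of URLhaus) that generalises the same workflow: it refangs URLhaus-style entries (`hxxp`, `[.]`), extracts the host from each URL, separates IP addresses from domain names so that DNS hunts match `Name` for domains and `IPAddresses` for IPs, and renders the KQL `dynamic([...])` lists for both Sentinel queries. The input rows are constructed inline: the four entries from the table above plus two made-up `.invalid` entries (one offline) to exercise the domain and status-filter branches.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample input (not fetched from URLhaus): the four rows from the
# IOC table above, plus one made-up defanged domain entry and one offline entry.
URLHAUS_ENTRIES = [
    ("hxxp://176.65.139.159/bins/parm",  "online",  "malware_download"),
    ("hxxp://176.65.139.159/bins/parm7", "online",  "malware_download"),
    ("hxxp://176.65.139.159/bins/parm6", "online",  "malware_download"),
    ("hxxp://176.65.139.159/bins/parm5", "online",  "malware_download"),
    ("hxxp://loader[.]example[.]invalid/x86.sh", "online",  "malware_download"),  # constructed
    ("hxxp://old[.]example[.]invalid/drop",      "offline", "malware_download"),  # constructed
]


def refang(url: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def split_iocs(entries, active_only=True):
    """Return (sorted IP list, sorted domain list) of unique hosts.

    Only 'online' rows are kept by default, matching the 'Active URLs' count.
    """
    ips, domains = set(), set()
    for url, status, _threat in entries:
        if active_only and status != "online":
            continue
        host = urlsplit(refang(url)).hostname  # lower-cased, port stripped
        if not host:
            continue
        try:
            ipaddress.ip_address(host)  # raises ValueError for a domain name
            ips.add(host)
        except ValueError:
            domains.add(host)
    return sorted(ips), sorted(domains)


def kql_dynamic(values) -> str:
    """Render a Python sequence as a KQL dynamic([...]) string-array literal."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"


def build_dns_hunt(ips, domains) -> str:
    """DnsEvents hunt: domains match the queried Name, IPs match the answers."""
    return "\n".join([
        "// Hunt for DNS activity involving URLhaus IOCs (generated)",
        f"let ip_iocs = {kql_dynamic(ips)};",
        f"let domain_iocs = {kql_dynamic(domains)};",
        "DnsEvents",
        "| where Name has_any (domain_iocs) or IPAddresses has_any (ip_iocs)",
        "| project TimeGenerated, Computer, Name, IPAddresses",
        "| order by TimeGenerated desc",
    ])


def build_web_hunt(ips, domains) -> str:
    """CommonSecurityLog hunt: URL and hostname fields take both kinds of IOC."""
    return "\n".join([
        "// Hunt for web traffic to URLhaus IOCs (generated)",
        f"let ip_iocs = {kql_dynamic(ips)};",
        f"let host_iocs = {kql_dynamic(sorted(set(ips) | set(domains)))};",
        "CommonSecurityLog",
        "| where RequestURL has_any (host_iocs)",
        "    or DestinationHostName has_any (host_iocs)",
        "    or DestinationIP has_any (ip_iocs)",
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction",
        "| order by TimeGenerated desc",
    ])


if __name__ == "__main__":
    ip_list, domain_list = split_iocs(URLHAUS_ENTRIES)
    print(build_dns_hunt(ip_list, domain_list))
    print()
    print(build_web_hunt(ip_list, domain_list))
```

Keeping IPs and domains in separate lists is the point: an IP IOC placed only in a `Name has_any` clause silently matches nothing in `DnsEvents`, so a hunt that looks correct returns an empty result and the analyst moves on.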
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a URL from URLhaus as part of a security training exercise.
  Filter/Exclusion: Exclude URLs that match the urlhaus_test tag or are part of a known security training environment.
- Scenario: A scheduled job runs a script to fetch and analyze threat intelligence feeds, including URLs from URLhaus.
  Filter/Exclusion: Exclude URLs that are part of a known threat intelligence ingestion process, such as those from threatintel_feed or siem_intel_update tags.
- Scenario: An IT admin is using a legitimate tool like Maltego or ThreatConnect to query and analyze URLs from URLhaus as part of an investigation.
  Filter/Exclusion: Exclude URLs that are associated with tools like maltego, threatconnect, or splunk in the context of threat intelligence analysis.
- Scenario: A user is accessing a legitimate URL from a security research platform like VirusTotal or AlienVault OTX that is also listed in URLhaus.
  Filter/Exclusion: Exclude URLs that are flagged as benign by platforms like virustotal or alienvault_oxidized and are part of a legitimate security research workflow.
- Scenario: A DevOps team is using Ansible or Jenkins to automate the deployment of security patches or updates, which includes downloading URLs from URLhaus as part of a security hardening process.
  Filter/Exclusion: Exclude URLs that are associated with automation tools like ansible, jenkins, or puppet in the context of patch management or security configuration.