This hunt looks for hosts that resolved or requested URLs published by URLhaus under the botnet C2 threat tag (`botnetdomain`). All ten listed URLs sit on one host and are tagged `malware_download`: they point at the same binary built for several architectures (x86, x86_64, i686, arm, mips, mpsl, ppc), the footprint of an IoT/Linux botnet payload server rather than of a live C2 channel. A hit therefore usually means a device on the network fetched (or tried to fetch) the bot binary, which is the stage at which it should be isolated. SOC teams should hunt for this behaviour proactively in Microsoft Sentinel (formerly Azure Sentinel) to identify infected devices early, disrupt the adversary's operation and contain affected hosts before they are used for further spread.
IOC Summary

Threat: botnetdomain | Total URLs: 10 | Active URLs: 0 (all entries were offline when listed; hunt historical logs rather than expecting live traffic)
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://wefuwegfwefoewofewfweof.snoowy.top/hiddenbin/asuna.i468 | offline | malware_download | 2026-05-11 |
| hxxp://wefuwegfwefoewofewfweof.snoowy.top/hiddenbin/asuna.x86_64 | offline | malware_download | 2026-05-11 |
| hxxp://wefuwegfwefoewofewfweof.snoowy.top/hiddenbin/asuna.arm5 | offline | malware_download | 2026-05-11 |
| hxxp://wefuwegfwefoewofewfweof.snoowy.top/manji.mpsl | offline | malware_download | 2026-05-11 |
| hxxp://wefuwegfwefoewofewfweof.snoowy.top/hiddenbin/asuna.ppc | offline | malware_download | 2026-05-11 |
| hxxp://wefuwegfwefoewofewfweof.snoowy.top/hiddenbin/asuna.mpsl | offline | malware_download | 2026-05-11 |
| hxxp://wefuwegfwefoewofewfweof.snoowy.top/manji.arm4 | offline | malware_download | 2026-05-11 |
| hxxp://wefuwegfwefoewofewfweof.snoowy.top/hiddenbin/asuna.mips | offline | malware_download | 2026-05-11 |
| hxxp://wefuwegfwefoewofewfweof.snoowy.top/hiddenbin/asuna.i686 | offline | malware_download | 2026-05-11 |
| hxxp://wefuwegfwefoewofewfweof.snoowy.top/hiddenbin/asuna.x86 | offline | malware_download | 2026-05-11 |

URLs are defanged (hxxp). All ten paths share the single host `wefuwegfwefoewofewfweof.snoowy.top`, so the hunt queries below pivot on that host; the path (hiddenbin/asuna.<arch>, manji.<arch>) tells you which architecture a device pulled, which in turn hints at the device class involved.
The two queries below are independent; run each on its own (each declares its own `malicious_domains`).

```kusto
// Hunt for DNS resolution of the URLhaus malicious host
// Threat: botnetdomain
// has_any performs term matching, so the full host name is matched as a phrase;
// a query for a further subdomain of this host is also caught.
let malicious_domains = dynamic(["wefuwegfwefoewofewfweof.snoowy.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy traffic to the URLhaus malicious host
// Threat: botnetdomain
// RequestURL carries the full URL (host and path); DestinationHostName covers
// devices that log only the destination host. Keep DeviceAction so that a
// blocked attempt is still visible but can be triaged below an allowed one.
let malicious_domains = dynamic(["wefuwegfwefoewofewfweof.snoowy.top"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connectors for proxies and firewalls; ensure the connector is enabled and that the device forwards URL fields |
| DnsEvents | Populated by the DNS connector; ensure it is enabled, otherwise the DNS query returns nothing rather than failing |
False positives and exclusions

Exclusions for this hunt should be scoped to the source asset that is allowed to touch indicators, never to the indicator itself: a filter such as `url contains "testbotnetdomain.com"` never matches the URLhaus host above, so it is a no-op, while excluding the URLhaus host would blind the hunt entirely. The domain and host names below are placeholders for your own inventory.

Scenario: A security engineer validates a new URL-filtering or sandbox tool by deliberately resolving or requesting known URLhaus entries.
Filter/Exclusion: Exclude the designated test hosts by source, e.g. `Computer !in ("urlfilter-test.example.internal")` for DnsEvents and `SourceIP !in ("10.0.0.50")` for CommonSecurityLog, and time-box the exclusion to the test window.

Scenario: A threat-intelligence enrichment platform or a detonation sandbox resolves newly ingested IOC domains automatically.
Filter/Exclusion: Exclude the enrichment server by source host or IP, and confirm that it produced only DNS lookups; an HTTP request for one of the listed binary paths from that host is still worth a look.

Scenario: An internal monitoring or DNS sinkhole health check periodically resolves blocked domains to verify that the block is working.
Filter/Exclusion: Exclude the monitoring source (`Computer !in ("monitoring.internal.example.com")`) and verify that the answer in IPAddresses is the sinkhole address rather than a real resolution.

Scenario: Link pre-fetching by a mail-security gateway, a browser, or a chat client requests the URL without any user action.
Filter/Exclusion: Inspect the requesting client (RequestClientApplication and SourceUserName in CommonSecurityLog) and DeviceAction; a blocked, automated fetch can be down-ranked, but an allowed download of an asuna.* or manji.* path should be treated as a real hit regardless of who requested it.

Scenario: The listed host is suspected of being mis-tagged by URLhaus and also serves legitimate content.
Filter/Exclusion: Do not silently exclude the host; treat requests for the listed binary paths as high confidence, treat other paths on the host as lower confidence, and report the suspected mis-tag to URLhaus so the feed itself is corrected.
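The following is an added, offline illustration of the matching logic the two Kusto queries express, together with the source-scoped exclusion recommended above; it is not code from the original page or from URLhaus. It runs the listed host against constructed DNS and proxy log lines (the host names, IPs and exclusion list are invented for the example), matches on the host-label boundary (exact host or a subdomain of it, not a bare substring), and keeps excluded hits flagged rather than dropped so they remain auditable.

```python
"""Offline IOC hunt over constructed DNS and proxy log lines.

Added example, not part of the original page. Demonstrates:
  * host matching on a label boundary (exact host or a subdomain of it), so
    a lookalike such as "…snoowy.top.example.com" is not matched;
  * exclusions keyed by the *source* that generated the traffic, never by
    the indicator itself;
  * recording the requested path so triage can see which build was pulled.
All log lines, host names and IPs below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import urlsplit

# The single host behind all ten URLhaus entries listed above.
IOC_HOSTS: Set[str] = {"wefuwegfwefoewofewfweof.snoowy.top"}

# Hypothetical assets that are allowed to touch indicators (TI enrichment,
# URL-filter validation). Scoped by source, not by indicator.
EXCLUDED_SOURCES: Set[str] = {
    "ti-enrich01.example.internal",      # DNS: Computer
    "10.0.0.50",                         # proxy: SourceIP of the URL-filter test box
}


def host_matches(name: str, iocs: Set[str] = IOC_HOSTS) -> Optional[str]:
    """Return the matching IOC host if `name` is that host or a subdomain of it."""
    name = name.rstrip(".").lower()          # tolerate trailing-dot FQDNs and case
    for ioc in iocs:
        ioc_l = ioc.lower()
        if name == ioc_l or name.endswith("." + ioc_l):
            return ioc
    return None


@dataclass
class Hit:
    ts: str
    source: str        # Computer (DNS) or SourceIP (proxy)
    table: str         # which Sentinel table the event came from
    indicator: str
    excluded: bool     # True when the source is on the exclusion list
    path: str = ""     # requested path (proxy only): tells you which build
    action: str = ""   # DeviceAction (proxy only)


# Constructed DNS lines: <timestamp> <client> <queried name> <answer>
DNS_LINES = """\
2026-05-11T08:01:02Z iot-cam-17.example.internal wefuwegfwefoewofewfweof.snoowy.top NXDOMAIN
2026-05-11T08:01:09Z ws-alice.example.internal wefuwegfwefoewofewfweof.snoowy.top.example.com 10.0.0.5
2026-05-11T08:02:44Z ti-enrich01.example.internal WEFUWEGFWEFOEWOFEWFWEOF.snoowy.top. NXDOMAIN
2026-05-11T08:03:10Z ws-bob.example.internal updates.example.com 203.0.113.9
"""

# Constructed proxy lines: <timestamp> <source IP> <requested URL> <action>
PROXY_LINES = """\
2026-05-11T08:05:00Z 10.1.4.17 http://wefuwegfwefoewofewfweof.snoowy.top/hiddenbin/asuna.mips blocked
2026-05-11T08:05:30Z 10.1.4.22 http://cdn.example.com/update.bin allowed
2026-05-11T08:06:12Z 10.1.4.17 http://sub.wefuwegfwefoewofewfweof.snoowy.top/manji.arm4 allowed
2026-05-11T08:07:01Z 10.0.0.50 http://wefuwegfwefoewofewfweof.snoowy.top/hiddenbin/asuna.x86 blocked
"""


def hunt_dns(lines: str = DNS_LINES, excluded: Set[str] = EXCLUDED_SOURCES) -> List[Hit]:
    """Equivalent of the DnsEvents query: Name matched against the IOC host."""
    hits: List[Hit] = []
    for line in lines.splitlines():
        ts, client, name, _answer = line.split()
        ioc = host_matches(name)
        if ioc:
            hits.append(Hit(ts, client, "DnsEvents", ioc, client.lower() in excluded))
    return hits


def hunt_proxy(lines: str = PROXY_LINES, excluded: Set[str] = EXCLUDED_SOURCES) -> List[Hit]:
    """Equivalent of the CommonSecurityLog query: RequestURL host matched against the IOC."""
    hits: List[Hit] = []
    for line in lines.splitlines():
        ts, src, url, action = line.split()
        parts = urlsplit(url)
        ioc = host_matches(parts.hostname or "")
        if ioc:
            hits.append(Hit(ts, src, "CommonSecurityLog", ioc, src in excluded, parts.path, action))
    return hits


def actionable(hits: List[Hit]) -> List[Hit]:
    """Hits that need analyst attention: not from an excluded source, newest first."""
    return sorted((h for h in hits if not h.excluded), key=lambda h: h.ts, reverse=True)


if __name__ == "__main__":
    for h in actionable(hunt_dns() + hunt_proxy()):
        print(h)
```

Running the block prints the three actionable hits (the camera's DNS lookup and the two proxy requests from 10.1.4.17); the enrichment server's lookup and the URL-filter test box's blocked request are retained but flagged `excluded=True`. The `allowed` request for `manji.arm4` is the one to chase first, since it tells you both that the download succeeded and which architecture the device is.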