The detection identifies potential command and control (C2) activity by monitoring URLs tagged as c2-monitor-auto, which are associated with known malicious infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary access and exfiltration attempts.
IOC Summary
Threat: c2-monitor-auto Total URLs: 5 Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxps://www.dropbox.com/scl/fi/ecom4qzkheclqn7ml8dng/f175fcc7b1277b.exe?rlkey=jctz6gr5wlpfas8bf48qokzgd&st=ur5dn56o&dl=1 | offline | malware_download | 2026-05-18 |
hxxps://www.dropbox.com/scl/fi/jabwd47j7zwrjg3p13k1p/installer-acc-v2.1.1.exe?rlkey=w4jpkgch7jjyqq9gu2om4xs8n&st=7wlat5pq&dl=0 | offline | malware_download | 2026-05-18 |
hxxp://91.92.242.236/files-129312398/files/file_a99659e88279685c.exe | offline | malware_download | 2026-05-18 |
hxxp://91.92.242.236/files-129312398/files/file_e0fe7b19c94f5d26.exe | offline | malware_download | 2026-05-18 |
hxxp://91.92.242.236/files-129312398/files/file_6993d4de4b47e311.cmd | offline | malware_download | 2026-05-18 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: c2-monitor-auto
let malicious_domains = dynamic(["91.92.242.236", "www.dropbox.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["91.92.242.236", "www.dropbox.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled system update via Microsoft Windows Update
Filter/Exclusion: Exclude URLs containing windowsupdate.microsoft.com or update.microsoft.com
Rationale: Legitimate system updates often use these domains and may be flagged as C2 activity.
Scenario: Admin task using PowerShell for log collection
Filter/Exclusion: Exclude URLs containing logcollection or logstash in the URL path
Rationale: Admins may use PowerShell scripts to collect logs, which can generate traffic to internal or external log aggregation tools.
Scenario: Automated backup job using Veeam or Acronis
Filter/Exclusion: Exclude URLs containing backup, veeam, or acronis in the URL path
Rationale: Backup tools often communicate with remote servers for data transfer, which may be misclassified as C2.
Scenario: Internal monitoring tool like Splunk or Datadog
Filter/Exclusion: Exclude URLs containing splunk, datadog, or logs in the domain or path
Rationale: These tools are commonly used for internal monitoring and may generate traffic to their respective monitoring endpoints.
Scenario: Automated deployment using Ansible or Jenkins
Filter/Exclusion: Exclude URLs containing ansible, jenkins, or ci in the domain or path
Rationale: CI/CD pipelines often interact with remote servers for artifact retrieval, which can be flagged as suspicious C2 activity.