Hypothesis: the URLs listed below are likely used by adversaries to deliver loader malware, a common initial-compromise technique. SOC teams should proactively hunt for these URLs in Azure Sentinel so that any follow-on lateral movement or persistence can be identified and mitigated early.
IOC Summary

Threat: loader
Total URLs: 2
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://get2508.host87p.cfd/?tag=F9zp2cAK | offline | malware_download | 2026-05-22 |
| hxxps://get4061.host87p.cfd/?tag=F9zp2cAK | offline | malware_download | 2026-05-22 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: loader
let malicious_domains = dynamic(["get2508.host87p.cfd", "get4061.host87p.cfd"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: loader
let malicious_domains = dynamic(["get2508.host87p.cfd", "get4061.host87p.cfd"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled system update via Microsoft Update
Description: A legitimate system update process may trigger the detection rule if the update URL is tagged as a loader.
Filter/Exclusion: Exclude URLs containing windowsupdate.microsoft.com or update.microsoft.com in the url field.

Scenario: Admin task using PowerShell for log collection
Description: An admin might use a PowerShell script to collect logs from a remote server, and the script may include a URL that is falsely flagged as a loader.
Filter/Exclusion: Exclude URLs containing logcollection or logstash in the url field, or filter by process_name containing powershell.exe.

Scenario: Internal tool for automated configuration management
Description: A tool like Ansible or Puppet may use a remote URL to fetch configuration files, which could be misclassified as a loader.
Filter/Exclusion: Exclude URLs containing ansible or puppet in the url field, or filter by process_name matching the Ansible/Puppet service.

Scenario: User-initiated file download from internal repository
Description: A user may download a file from an internal artifact repository (e.g., Nexus, Artifactory) that is mistakenly tagged as a loader.
Filter/Exclusion: Exclude URLs containing nexus, artifactory, or internal-repo in the url field.

Scenario: Automated backup job using cloud storage
Description: A backup job may use a cloud storage URL (e.g., AWS S3, Azure Blob Storage) to store backups, which could be flagged as a loader.
Filter/Exclusion: Exclude URLs containing aws, azure, or backup in the url field, or filter by process_name containing backup.exe.
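The two hunts above and the false-positive exclusions can be combined into a single query that returns one row per host and indicator. This is an added example, not part of the original hunting pack; it assumes the same DnsEvents and CommonSecurityLog columns the page's queries use, applies only the exclusion terms named in the scenarios that are specific enough to be safe (the very broad aws, azure and backup terms are left out), and relies on KQL `has_any` matching whole terms rather than arbitrary substrings.

```kusto
// Added example (not from the original page): combined DNS + proxy/firewall hunt
// for the URLhaus loader domains, with URL-term exclusions and per-host summary.
let malicious_domains = dynamic(["get2508.host87p.cfd", "get4061.host87p.cfd"]);
// Exclusion terms from the false-positive scenarios. has_any matches whole terms,
// so "nexus" matches nexus.corp.example but not "mynexus"; tune to the environment.
let fp_url_terms = dynamic(["windowsupdate.microsoft.com", "update.microsoft.com",
                            "logcollection", "logstash", "ansible", "puppet",
                            "nexus", "artifactory", "internal-repo"]);
// DNS resolutions of the malicious domains (no URL, so no URL-term exclusion).
let dns_hits = DnsEvents
    | where Name has_any (malicious_domains)
    | project TimeGenerated, Host = Computer, Indicator = Name,
              Source = "DnsEvents", Action = "";
// Proxy/firewall traffic to the malicious domains, minus known-benign URL terms.
let proxy_hits = CommonSecurityLog
    | where RequestURL has_any (malicious_domains)
        or DestinationHostName has_any (malicious_domains)
    | where not(RequestURL has_any (fp_url_terms))
    | project TimeGenerated, Host = SourceIP,
              Indicator = coalesce(RequestURL, DestinationHostName),
              Source = "CommonSecurityLog", Action = DeviceAction;
// One row per host/indicator so a repeated beacon does not flood the results.
union dns_hits, proxy_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count() by Host, Indicator, Source, Action
| order by LastSeen desc
```

A host that appears in both sources (a DNS lookup followed by a request that the device allowed) is the case to triage first; a single DNS hit with a blocked request is lower priority but still worth a look at the resolving process.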