Hypothesis: adversaries use the URLs listed below to download malware onto systems they have already compromised, so hunting for them in Azure Sentinel surfaces the initial compromise vector early. SOC teams should proactively hunt for these URLs to catch that stage before lateral movement and data exfiltration follow.
IOC Summary
- Threat: malware_download
- Total URLs: 4
- Active URLs: 4

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://175.151.67.102:55329/i | online | malware_download | 2026-05-06 |
| hxxp://115.55.218.101:48118/bin.sh | online | malware_download | 2026-05-06 |
| hxxp://42.5.65.239:50287/i | online | malware_download | 2026-05-06 |
| hxxp://123.7.41.11:39506/i | online | malware_download | 2026-05-06 |
```kusto
// Hunt for DNS events involving the URLhaus IOC hosts
// Threat: malware_download
// Note: these IOCs are raw IP addresses, so a client that fetches the payload by IP
// generates no DNS query for them. Name is kept for completeness; IPAddresses (the
// resolved answers) is the column more likely to contain one of these values.
let malicious_domains = dynamic(["115.55.218.101", "123.7.41.11", "42.5.65.239", "175.151.67.102"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall web traffic to the URLhaus IOC hosts
// Threat: malware_download
let malicious_domains = dynamic(["115.55.218.101", "123.7.41.11", "42.5.65.239", "175.151.67.102"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is downloading a known malicious URL as part of a security tool update or patch.
  Filter/Exclusion: Exclude URLs that match known security tool update domains (e.g., updates.microsoft.com, download.symantec.com).
- Scenario: A scheduled job is executing a legitimate software update from a trusted source, such as a company's internal repository.
  Filter/Exclusion: Exclude URLs containing internal domain names (e.g., internal-repo.corp.example.com).
- Scenario: An IT admin is manually testing a malware sample in a sandbox environment using a tool like Cuckoo Sandbox.
  Filter/Exclusion: Exclude URLs that contain sandboxing service domains (e.g., sandbox.eleven.io, cuckoo.sh).
- Scenario: A user is accessing a phishing simulation link deployed by the security team to train employees.
  Filter/Exclusion: Exclude URLs that match the company's phishing simulation domain (e.g., phishing-training.example.com).
- Scenario: A DevOps pipeline is pulling a dependency from a public repository (e.g., GitHub, npm) that is flagged as malicious by URLhaus.
  Filter/Exclusion: Exclude URLs that match known package managers or repositories (e.g., npmjs.org, github.com).
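The following Python script is an added example, not part of the original hunt package, that reproduces the CommonSecurityLog hunt above and the exclusion logic from the false-positive scenarios offline: it refangs the four IOC URLs into hosts, runs them over constructed proxy records (the `src`/`dhost`/`request` keys stand in for SourceIP, DestinationHostName and RequestURL), and splits the hits into kept and excluded. The log lines, the `sandbox.corp.example.com` host and the `142.5.65.239` near-miss address are constructed; the exclusion list mirrors the scenario domains and is hypothetical. Matching is bounded on both sides so that an IOC address does not fire on a longer address that merely contains it as a substring, and the exclusion is applied to the destination host rather than the whole URL so that an allow-listed sandbox or ticketing host carrying an IOC in its query string is suppressed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed: the four defanged URLhaus entries from the IOC table above.
IOC_URLS = [
    "hxxp://175.151.67.102:55329/i",
    "hxxp://115.55.218.101:48118/bin.sh",
    "hxxp://42.5.65.239:50287/i",
    "hxxp://123.7.41.11:39506/i",
]

# Constructed exclusion list for the false-positive scenarios; every name here is
# hypothetical and would be replaced by the organisation's own allow-listed hosts.
EXCLUDED_HOST_SUFFIXES = (
    "updates.microsoft.com",
    "download.symantec.com",
    "internal-repo.corp.example.com",
    "phishing-training.example.com",
    "sandbox.corp.example.com",
    "npmjs.org",
    "github.com",
)

# Constructed proxy records for a dry run; source IPs, hosts and timestamps are made up.
# Line 3 is an internal sandbox submitting an IOC URL (should be excluded); line 5 is a
# near-miss address that contains an IOC as a substring (should not match at all).
SAMPLE_LOGS = [
    "2026-05-06T10:01:00Z src=10.1.2.3 dhost=175.151.67.102 request=http://175.151.67.102:55329/i act=allow",
    "2026-05-06T10:02:00Z src=10.1.2.4 dhost=updates.microsoft.com request=https://updates.microsoft.com/catalog act=allow",
    "2026-05-06T10:03:00Z src=10.1.2.5 dhost=sandbox.corp.example.com request=https://sandbox.corp.example.com/submit?url=http://115.55.218.101:48118/bin.sh act=allow",
    "2026-05-06T10:04:00Z src=10.1.2.6 dhost=123.7.41.11 request=http://123.7.41.11:39506/i act=deny",
    "2026-05-06T10:05:00Z src=10.1.2.7 dhost=142.5.65.239 request=http://142.5.65.239/health act=allow",
]


def refang(url: str) -> str:
    """Turn a defanged 'hxxp://' URL back into one urlsplit() can parse."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def ioc_hosts(urls: list[str]) -> set[str]:
    """Extract the host of each IOC URL (the values the KQL 'let' lists hold)."""
    return {urlsplit(refang(u)).hostname for u in urls}


def ioc_in(text: str, host: str) -> bool:
    """True if host appears in text bounded by non-hostname characters."""
    return re.search(rf"(?<![\w.]){re.escape(host)}(?![\w.])", text) is not None


def is_excluded(host: str) -> bool:
    """True if host is, or is a subdomain of, an allow-listed name."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in EXCLUDED_HOST_SUFFIXES)


def parse_kv(line: str) -> dict[str, str]:
    """Parse the constructed 'key=value' records into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


@dataclass
class Hit:
    line_no: int
    src: str
    dhost: str
    request: str
    matched_host: str


def hunt(log_lines: list[str], iocs: set[str]) -> tuple[list[Hit], list[Hit]]:
    """Flag a record whose destination host equals an IOC host or whose request URL
    contains one, then split the hits into (kept, excluded) by the allow-list."""
    kept: list[Hit] = []
    excluded: list[Hit] = []
    for n, line in enumerate(log_lines, 1):
        rec = parse_kv(line)
        dhost = rec.get("dhost", "")
        request = rec.get("request", "")
        matched = next((h for h in iocs if h == dhost or ioc_in(request, h)), None)
        if matched is None:
            continue
        hit = Hit(n, rec.get("src", "?"), dhost, request, matched)
        (excluded if is_excluded(dhost) else kept).append(hit)
    return kept, excluded


if __name__ == "__main__":
    kept, excluded = hunt(SAMPLE_LOGS, ioc_hosts(IOC_URLS))
    for hit in kept:
        print(f"HIT      line {hit.line_no}: {hit.src} -> {hit.dhost} ({hit.matched_host})")
    for hit in excluded:
        print(f"EXCLUDED line {hit.line_no}: {hit.src} -> {hit.dhost} ({hit.matched_host})")
```

Running it prints two hits (lines 1 and 4) and one excluded record (the sandbox submission on line 3); the near-miss address on line 5 is not reported. Excluded records are returned rather than dropped so an analyst can still review what the allow-list suppressed, which is the check worth keeping when the exclusion list grows.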