The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, bypassing traditional defenses. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they spread.
IOC Summary
Threat: malware_download
Total URLs: 3
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://125.45.64.150:47817/i | online | malware_download | 2026-05-21 |
| hxxp://125.45.64.150:47817/bin.sh | online | malware_download | 2026-05-21 |
| hxxp://221.14.12.221:52500/i | offline | malware_download | 2026-05-21 |
```kql
// Hunt for DNS activity involving URLhaus malicious hosts
// Threat: malware_download
// The indicators are IP literals, so match the resolved IPAddresses column
// as well as the queried Name, which would otherwise only catch reverse lookups
let malicious_domains = dynamic(["125.45.64.150"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: malware_download
let malicious_domains = dynamic(["125.45.64.150"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update Job
Description: A legitimate scheduled job downloads a software update from a URL that is listed in URLhaus, as part of a security patching process.
Filter/Exclusion: Exclude URLs associated with known enterprise patch management tools (e.g., Microsoft Update, WSUS) or use a filter like url contains "update.microsoft.com" or process.name contains "wuauclt.exe".
Scenario: Admin Access via Remote Desktop
Description: An administrator uses a remote desktop connection to access a server, and the RDP connection includes a URL in the session data (e.g., for logging or diagnostics).
Filter/Exclusion: Exclude URLs containing rdp or remote desktop in the URL path, or filter by process.name contains "mstsc.exe" or process.name contains "tsclient.exe".
Scenario: Log Collection from SIEM System
Description: A SIEM system (e.g., Splunk, ELK) collects logs from a remote server, and the log file includes a URL used for data ingestion.
Filter/Exclusion: Exclude URLs that match the SIEM’s data ingestion endpoint (e.g., splunk.com or logstash.example.com) or use a filter like url contains "splunk" or url contains "logstash".
Scenario: Software Repository Access
Description: A developer accesses a private software repository (e.g., Artifactory, Nexus) using a URL that is mistakenly tagged as malicious in URLhaus.
Filter/Exclusion: Exclude URLs that match internal repository domains (e.g., artifactory.internal.com) or use a filter like url contains "artifactory" or url contains "nexus".
Scenario: Cloud Configuration Management Tool
Description: A cloud configuration
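As an added example (not part of the original hunt page), the same hunt in Python over constructed proxy records: it refangs the URLhaus URLs from the IOC table, matches on the parsed host and port rather than a substring, and applies an allowlist drawn from the false-positive scenarios above; the allowlist host suffixes and process names are assumptions.

```python
from urllib.parse import urlsplit

# IOC URLs copied from the IOC Summary table above (defanged hxxp:// form).
URLHAUS_IOCS = [
    "hxxp://125.45.64.150:47817/i",
    "hxxp://125.45.64.150:47817/bin.sh",
    "hxxp://221.14.12.221:52500/i",
]

# Allowlist taken from the false-positive scenarios; these concrete host
# suffixes and process names are assumptions for this example.
EXCLUDED_HOST_SUFFIXES = ("update.microsoft.com", "artifactory.internal.com")
EXCLUDED_PROCESSES = {"wuauclt.exe", "mstsc.exe"}

def refang(url):
    """Turn a defanged URLhaus URL back into a parseable one."""
    return (url.replace("hxxps://", "https://", 1)
               .replace("hxxp://", "http://", 1).replace("[.]", "."))

def ioc_endpoints(iocs):
    """Set of (host, port) pairs from the IOC URLs (port is None if absent)."""
    parsed = [urlsplit(refang(u)) for u in iocs]
    return {(p.hostname, p.port) for p in parsed}

def is_excluded(hostname, process_name):
    """Apply the allowlist from the false-positive scenarios."""
    return (process_name.lower() in EXCLUDED_PROCESSES
            or (hostname or "").endswith(EXCLUDED_HOST_SUFFIXES))

def hunt(records, iocs=URLHAUS_IOCS):
    """Return records whose parsed host:port matches an IOC and is not allowlisted.
    Parsing the host instead of substring-matching avoids hits on look-alikes
    such as 1125.45.64.150 or on the same host contacted on another port."""
    watch = ioc_endpoints(iocs)
    hits = []
    for rec in records:
        p = urlsplit(rec["RequestURL"])
        if (p.hostname, p.port) in watch and not is_excluded(p.hostname, rec.get("ProcessName", "")):
            hits.append(rec)
    return hits

# Constructed sample records in a CommonSecurityLog-like shape (not real telemetry).
SAMPLE_LOGS = [
    {"SourceIP": "10.0.0.5", "RequestURL": "http://125.45.64.150:47817/bin.sh", "ProcessName": "curl.exe"},
    {"SourceIP": "10.0.0.6", "RequestURL": "http://1125.45.64.150:47817/i", "ProcessName": "chrome.exe"},
    {"SourceIP": "10.0.0.7", "RequestURL": "http://125.45.64.150:8080/i", "ProcessName": "chrome.exe"},
    {"SourceIP": "10.0.0.8", "RequestURL": "http://221.14.12.221:52500/i", "ProcessName": "wuauclt.exe"},
]
```

Only the first record is returned: the second is a look-alike host, the third is the right host on a different port, and the fourth is suppressed by the process-name rule; records suppressed that way still merit review, since a legitimate updater fetching from a URLhaus host is itself worth a look.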