Adversaries may use PowerShell-based malicious URLs to execute payloads and establish command and control within the network. SOC teams should proactively hunt for these URLs in Azure Sentinel to detect and mitigate early-stage PowerShell-based attacks before they cause significant damage.
IOC Summary
Threat: powershell | Total URLs: 4 | Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://85.239.149.41/ | offline | malware_download | 2026-05-11 |
| hxxp://85.239.149.41:2/ | offline | malware_download | 2026-05-11 |
| hxxp://85.239.149.41:5/ | offline | malware_download | 2026-05-11 |
| hxxp://85.239.149.41:3/ | offline | malware_download | 2026-05-11 |
```kql
// Hunt for DNS activity involving URLhaus indicators
// Threat: powershell
// The indicators on this page are bare IP addresses, so a query-name match alone
// would rarely fire; also match the resolved addresses in IPAddresses.
let malicious_domains = dynamic(["85.239.149.41"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus indicators (run as a separate query)
let malicious_domains = dynamic(["85.239.149.41"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled PowerShell Job for System Maintenance
Description: A legitimate scheduled task runs a PowerShell script to perform system updates or patch management.
Filter/Exclusion: Exclude URLs containing update, patch, or maintenance in the URL path or query parameters.
Example: https://internal-repo.com/update/windows10.patch
Scenario: Admin Task Using PowerShell for Log Analysis
Description: An administrator uses PowerShell to analyze system logs and generate reports.
Filter/Exclusion: Exclude URLs that include logs, analyze, or report in the URL path.
Example: https://internal-logs.com/logs/analyze/system.log
Scenario: Internal PowerShell Module Repository
Description: A company hosts an internal PowerShell module repository for developers to install and manage modules.
Filter/Exclusion: Exclude URLs that contain modules, nuget, or internal-repo in the domain or path.
Example: https://internal-nuget-repo.com/modules/PSUtils/1.0.0/PSUtils.psm1
Scenario: Automated Configuration Management (e.g., Ansible, Puppet)
Description: A configuration management tool like Ansible or Puppet uses PowerShell scripts to configure systems.
Filter/Exclusion: Exclude URLs that include config, ansible, or puppet in the URL path or query.
Example: https://config-server.com/ansible/playbooks/configure-servers.ps1
Scenario: PowerShell Script for Data Backup
Description: A PowerShell script is used to back up data to an internal storage system.
Filter/Exclusion: Exclude URLs that contain backup, storage, or archive in the URL path.
Example: `https://
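As an added example (not part of the original page), the following Python turns defanged URLhaus rows like those in the IOC table into the `dynamic([...])` list the KQL queries above expect, and applies the keyword exclusions from the false-positive scenarios so a triage script can tag hits before they reach an analyst. The sample rows and keyword sets are constructed from this page; the function names are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: rows in the defanged form used by the IOC table above.
IOC_ROWS = [
    "hxxp://85.239.149.41/ | offline | malware_download | 2026-05-11 |",
    "hxxp://85.239.149.41:2/ | offline | malware_download | 2026-05-11 |",
    "hxxp://85.239.149.41:5/ | offline | malware_download | 2026-05-11 |",
]

# Keyword exclusions taken from the false-positive scenarios on this page.
# They are applied to host, path and query alike (a slight generalisation).
EXCLUDE_KEYWORDS = {
    "scheduled maintenance": ["update", "patch", "maintenance"],
    "log analysis": ["logs", "analyze", "report"],
    "module repository": ["modules", "nuget", "internal-repo"],
    "config management": ["config", "ansible", "puppet"],
    "data backup": ["backup", "storage", "archive"],
}

def refang(url: str) -> str:
    """Turn hxxp(s):// back into http(s):// so urlparse can handle it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)

def parse_ioc_rows(rows):
    """Return (url, status, threat, date_added) tuples from table rows."""
    out = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) == 4:
            out.append((refang(cells[0]), cells[1], cells[2], cells[3]))
    return out

def hosts_from_iocs(iocs):
    """Deduplicated hosts (port stripped) for the KQL has_any() list."""
    return sorted({urlparse(u).hostname for u, *_ in iocs if urlparse(u).hostname})

def kql_let(name, values):
    """Render a KQL 'let' line holding a dynamic() array of string literals."""
    quoted = ", ".join('"%s"' % v.replace('"', '\\"') for v in values)
    return f"let {name} = dynamic([{quoted}]);"

def exclusion_reason(url: str):
    """First false-positive scenario whose keywords match the URL, else None."""
    p = urlparse(refang(url))
    haystack = " ".join(filter(None, [p.hostname, p.path, p.query])).lower()
    for scenario, words in EXCLUDE_KEYWORDS.items():
        if any(w in haystack for w in words):
            return scenario
    return None
```

Feed `kql_let("malicious_domains", hosts_from_iocs(parse_ioc_rows(rows)))` into the hunting queries above, and run `exclusion_reason` over returned `RequestURL` values to separate the scenarios listed on this page from genuine hits.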