The hypothesis is that the detected URLs are likely malicious shell scripts designed to execute arbitrary commands on compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control activities or data exfiltration attempts.
IOC Summary
Threat: sh Total URLs: 2 Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://94.156.152.234/testload.sh | online | malware_download | 2026-05-12 |
hxxp://94.156.152.234/realtek.sh | online | malware_download | 2026-05-12 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: sh
let malicious_domains = dynamic(["94.156.152.234"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["94.156.152.234"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortener tool (short.url) by generating and accessing a short URL for internal documentation purposes.
Filter/Exclusion: Exclude URLs containing the domain short.url or any URL that includes the query parameter ?test=1.
Scenario: A scheduled job runs a script to fetch updates from a known internal repository (internal-repo.example.com) using a short URL for efficiency.
Filter/Exclusion: Exclude URLs containing the domain internal-repo.example.com or any URL that includes the path /update-script.sh.
Scenario: A developer is using a CI/CD pipeline tool like GitHub Actions to trigger a build that includes a short URL for a test artifact hosted on an internal server.
Filter/Exclusion: Exclude URLs containing the domain artifacts.internal.example.com or any URL that includes the path /ci-builds/.
Scenario: An admin is using Ansible to run a playbook that includes a short URL to a local file for configuration purposes.
Filter/Exclusion: Exclude URLs that start with file:// or any URL that includes the path /ansible/playbooks/.
Scenario: A security tool like CrowdStrike Falcon or Microsoft Defender for Endpoint is being updated via a short URL hosted on an internal server for faster deployment.
Filter/Exclusion: Exclude URLs containing the domain internal-updates.example.com or any URL that includes the path /falcon-update.sh.