The hypothesis is that the detected URLs are malicious payloads being downloaded via ua-wget, indicating potential command and control or data exfiltration activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity leveraging known malicious URLs.
IOC Summary

Threat: ua-wget
Total URLs: 8
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.177:8080/i686 | offline | malware_download | 2026-05-09 |
| hxxp://176.65.139.177:8080/armv7l | offline | malware_download | 2026-05-09 |
| hxxp://176.65.139.177:8080/mips | offline | malware_download | 2026-05-09 |
| hxxp://176.65.139.177:8080/armv6l | offline | malware_download | 2026-05-09 |
| hxxp://176.65.139.177:8080/armv5l | offline | malware_download | 2026-05-09 |
| hxxp://176.65.139.177:8080/ppc64 | offline | malware_download | 2026-05-09 |
| hxxp://176.65.139.177:8080/x86 | offline | malware_download | 2026-05-09 |
| hxxp://176.65.139.177:8080/mipsel | offline | malware_download | 2026-05-09 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ua-wget
// The indicator for this threat is a bare IP address rather than a domain, so it
// will never appear as a queried Name; match it against the resolved addresses too.
let malicious_domains = dynamic(["176.65.139.177"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// The indicator is an IP address, so also match the destination address column;
// a proxy may log only the IP when the request used a raw IP in the URL.
let malicious_domains = dynamic(["176.65.139.177"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: System Update Job Using wget to Fetch a Legitimate Update Package
Description: A scheduled system update job uses wget to download a legitimate update from a trusted internal or external repository.
Filter/Exclusion: Exclude URLs matching known internal update servers (e.g., internal-repo.example.com, updates.example.com) or filter by process name (/usr/sbin/update-manager or similar).
Scenario: Admin Task to Download a Known Safe File via wget
Description: An administrator manually runs a wget command to download a known safe file (e.g., a configuration script or dependency) from a trusted source.
Filter/Exclusion: Exclude URLs containing known safe domains (e.g., trusted-scripts.example.com) or filter by user context (e.g., user == "admin").
Scenario: Log Collection Agent Using wget to Fetch Logs from a Remote Server
Description: A log collection agent (e.g., logstash, fluentd, or rsyslog) uses wget to fetch logs from a remote server as part of its normal operation.
Filter/Exclusion: Exclude URLs matching log collection endpoints (e.g., logs.example.com) or filter by process name (e.g., logstash-agent).
Scenario: CI/CD Pipeline Fetching Dependencies via wget
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) uses wget to fetch dependencies or artifacts from a package repository (e.g., npm, Maven, PyPI).
Filter/Exclusion: Exclude URLs matching known package repositories (e.g., npmjs.org, maven.org, pypi.org) or filter by process name (e.g., jenkins-agent).
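The four scenarios above describe exclusions in prose; the query below is an added example (not part of the original hunt template) that turns them into a broader CommonSecurityLog hunt for wget-agent downloads, suppresses the documented benign sources, and flags any hit on the URLhaus indicator so that an indicator match is never filtered out. It assumes the standard CEF column mappings (RequestClientApplication carries the User-Agent, SourceUserName the requesting user); the host, user and agent names in the allow lists are the example placeholders from the scenarios, not known-good values for any real environment. The payload names are taken from the IOC table, which lists one binary per CPU architecture.

```kusto
// Added example: wget-agent download hunt with false-positive exclusions applied.
// Assumed mappings: RequestClientApplication = User-Agent, SourceUserName = user.
let malicious_hosts = dynamic(["176.65.139.177"]);
// File names from the IOC table: one payload per CPU architecture
let payload_names = dynamic(["i686", "armv7l", "mips", "armv6l", "armv5l", "ppc64", "x86", "mipsel"]);
// Placeholder allow lists from the four scenarios (replace with your own values)
let allowed_hosts = dynamic([
    "internal-repo.example.com", "updates.example.com",  // system update job
    "trusted-scripts.example.com",                        // admin download of a known file
    "logs.example.com",                                   // log collection agent
    "npmjs.org", "maven.org", "pypi.org"                  // CI/CD dependency fetches
]);
let allowed_users = dynamic(["admin", "logstash-agent", "jenkins-agent"]);
CommonSecurityLog
| where isnotempty(RequestURL)
// The threat tag is "ua-wget": keep only requests whose User-Agent is wget
| where RequestClientApplication has "wget"
// Fall back to the URL host when the device did not log a destination host name
| extend DestHost = iff(isempty(DestinationHostName),
                        tostring(parse_url(RequestURL).Host), DestinationHostName)
// Last path segment of the URL, e.g. "mipsel" for hxxp://.../mipsel
| extend RequestedFile = tostring(split(tostring(parse_url(RequestURL).Path), "/", -1)[0])
| extend IocHit = DestHost in (malicious_hosts) or DestinationIP in (malicious_hosts)
| extend ArchPayloadName = RequestedFile in (payload_names)
// Apply the exclusions to benign sources only; an indicator hit always survives
| where IocHit or not(DestHost has_any (allowed_hosts) or SourceUserName in~ (allowed_users))
| project TimeGenerated, SourceIP, SourceUserName, DestHost, DestinationIP, RequestURL,
          RequestedFile, IocHit, ArchPayloadName, DeviceAction
| order by IocHit desc, ArchPayloadName desc, TimeGenerated desc
```

Process-name exclusions such as /usr/sbin/update-manager or jenkins-agent cannot be applied in CommonSecurityLog, which carries proxy or firewall records rather than host process data; in this query they are approximated by the service account in SourceUserName, and a host-log source (for example Syslog) is needed to filter on the actual process. The ArchPayloadName flag is a weak signal on its own, since legitimate downloads can also be named after an architecture, so it is used only to rank results, not to filter them.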