The URLhaus "arm" tag marks URLs serving payloads built for ARM targets. All three IOCs below sit on one host, 94.156.152.234:8080, offering armv5l, armv6l and armv7l binaries side by side, a layout commonly used by droppers that target embedded Linux devices: the first-stage script probes the victim's architecture and fetches the matching build. Adversaries may use these URLs to deliver payloads or, less commonly, to exfiltrate data. SOC teams should proactively hunt for traffic to this host in Azure Sentinel to identify compromised devices early. Note that the IOCs are a raw IP, not a hostname, so no DNS lookup for the IOC will ever appear in DnsEvents; the DNS hunt below therefore matches on resolved answers, and the proxy/firewall hunt on the destination IP.
IOC Summary
Threat: arm
Total URLs: 3
Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://94.156.152.234:8080/armv6l | online | malware_download | 2026-05-09 |
| hxxp://94.156.152.234:8080/armv7l | online | malware_download | 2026-05-09 |
| hxxp://94.156.152.234:8080/armv5l | online | malware_download | 2026-05-09 |
// Hunt 1: DNS answers that resolve to the URLhaus IOC address
// Threat: arm
// The IOC is a bare IP, so matching on the queried Name (as a domain list would)
// can never hit. Match on the resolved IPAddresses instead; a hit means some
// hostname (typically attacker-controlled) currently points at the IOC host.
let malicious_ips = dynamic(["94.156.152.234"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

// Hunt 2: proxy/firewall traffic to the URLhaus IOC host
// Threat: arm
// Match on the destination IP as well as on the URL and hostname fields, since
// CEF sources that log no RequestURL still record DestinationIP. PayloadHit
// flags requests for one of the three listed ARM binaries; any other request
// to the host is still worth triage, since droppers often carry more paths than
// URLhaus has seen.
let malicious_ips = dynamic(["94.156.152.234"]);
let payload_paths = dynamic(["/armv5l", "/armv6l", "/armv7l"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName in (malicious_ips)
| extend PayloadHit = RequestURL has_any (payload_paths)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction, PayloadHit
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/syslog from proxies and firewalls) |
| DnsEvents | Ensure this data connector is enabled (DNS server analytics) |
False-positive scenarios
For these IOCs (a bare IP on port 8080 serving ARM binaries) there is no ordinary business reason to contact the host; the realistic benign sources are security testing and tooling that happens to share the armvNl path naming. Exclude by source host or range, never by time of day.
Scenario: A system administrator validates a new URL filtering tool by requesting one of the listed URLs from an isolated test host to confirm that it is blocked.
Filter/Exclusion: Exclude only the designated filter-test host(s), and only where DeviceAction shows the request was blocked. An allowed download from any other source is still a hit.
Scenario: A scheduled job downloads firmware or packages for ARM devices from an internal repository whose paths also end in armv5l, armv6l or armv7l.
Filter/Exclusion: Match on the IOC IP and port, not on the path alone; if path matching is used, exclude the updates.examplecorp.com host. A request to 94.156.152.234 is never explained by this scenario.
Scenario: An IT support technician reproduces a user's proxy block by re-requesting the blocked URL from a helpdesk workstation.
Filter/Exclusion: Exclude the IT helpdesk IP range, but keep the original user's request in scope: that is the event the hunt exists to find.
Scenario: A red team uses one of the listed URLs as a stand-in payload host during an authorised exercise.
Filter/Exclusion: Exclude the internal red team IP range for the engagement window recorded in the rules of engagement, and remove the exclusion when the exercise ends.
Scenario: A DevOps pipeline fetches ARM cross-compilation toolchains or build artifacts named armv7l from an internal artifact server (for example package-checksum.example.org) during a deployment window.
Filter/Exclusion: Exclude that server by hostname. Do not exclude by deployment window hours (e.g., 2:00–4:00 AM): a time-of-day filter hides a genuine download from the IOC host that merely happens to fall in the window.
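The following script re-implements the proxy/firewall hunt and the source-range exclusion from the scenarios above offline, so the matching logic can be checked before it is turned into a Sentinel query. It is an added example, not code from the original page or from URLhaus: the log lines are constructed in a CEF-like key=value layout standing in for CommonSecurityLog rows, and the 10.99.0.0/24 red team range is an assumed exclusion. It refangs the URLhaus IOCs (hxxp), matches on destination IP rather than on path alone (so the internal firmware URL ending in armv7l is not a hit), and drops events from the excluded range.

```python
"""Offline replay of the URLhaus 'arm' hunt against constructed proxy log lines.

Added example, not part of the original page or of URLhaus. Log lines and the
excluded red-team range are constructed/assumed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# The three URLhaus IOCs from the table above, as published (defanged).
URLHAUS_IOCS = [
    "hxxp://94.156.152.234:8080/armv6l",
    "hxxp://94.156.152.234:8080/armv7l",
    "hxxp://94.156.152.234:8080/armv5l",
]

# Constructed sample log (not real traffic). Line 4 is the DevOps/firmware
# false positive: the path ends in armv7l but the host is internal.
SAMPLE_LOG = """\
2026-05-10T02:11:04Z src=10.20.30.7 dst=94.156.152.234 dpt=8080 request=http://94.156.152.234:8080/armv7l act=allowed
2026-05-10T02:11:09Z src=10.20.30.7 dst=94.156.152.234 dpt=8080 request=http://94.156.152.234:8080/armv5l act=allowed
2026-05-10T09:40:21Z src=10.99.0.15 dst=94.156.152.234 dpt=8080 request=http://94.156.152.234:8080/armv6l act=blocked
2026-05-10T09:41:00Z src=10.20.30.8 dst=93.184.216.34 dpt=443 request=https://updates.examplecorp.com/firmware/armv7l act=allowed
2026-05-10T10:02:13Z src=10.20.30.9 dst=8.8.8.8 dpt=53 request=- act=allowed
"""

# Assumed exclusion: the internal red team range from the scenarios above.
RED_TEAM_RANGE = ipaddress.ip_network("10.99.0.0/24")

_KV = re.compile(r"(\w+)=(\S+)")


def refang(url: str) -> str:
    """Undo URLhaus defanging (hxxp/hxxps, [.] and [:]) so urlsplit can parse it."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def ioc_index(iocs):
    """Build the lookups the KQL `let` statements express: IOC hosts and exact (host, port, path) tuples."""
    hosts, exact = set(), set()
    for raw in iocs:
        p = urlsplit(refang(raw))
        hosts.add(p.hostname)
        exact.add((p.hostname, p.port or 80, p.path))
    return hosts, exact


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict; values never contain spaces here."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def hunt(log_text: str, iocs, excluded=()):
    """Return events that touch an IOC host, minus those from excluded source ranges.

    Matching mirrors the Sentinel query: destination IP OR URL host, never the
    path alone, so internal armv7l downloads do not fire. exact_ioc marks a
    request for one of the three listed binaries.
    """
    hosts, exact = ioc_index(iocs)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        req = f.get("request", "-")
        parts = urlsplit(req) if req != "-" else None
        dst_match = f.get("dst") in hosts
        url_match = parts is not None and parts.hostname in hosts
        if not (dst_match or url_match):
            continue
        src = ipaddress.ip_address(f["src"])
        if any(src in net for net in excluded):
            continue  # red team / helpdesk / filter-test exclusion by source range
        is_exact = parts is not None and (parts.hostname, parts.port or 80, parts.path) in exact
        hits.append({"ts": f["ts"], "src": f["src"], "url": req,
                     "action": f.get("act"), "exact_ioc": is_exact})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG, URLHAUS_IOCS, excluded=[RED_TEAM_RANGE]):
        print(h)
```

Run stand-alone it prints the two allowed downloads from 10.20.30.7 and nothing else: the 10.99.0.15 event is dropped by the red team exclusion, the updates.examplecorp.com firmware fetch never matches because neither its host nor its destination IP is an IOC, and the DNS line has no IOC destination at all. Removing the exclusion brings the blocked red team request back, which is the behaviour to expect once an engagement ends.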