The hypothesis is that the detection identifies potential command and control (C2) activity by adversaries using malicious URLs tagged as c2-monitor-auto, which are commonly associated with automated monitoring and persistence mechanisms. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and disrupt adversarial communication channels and prevent further compromise of the network.
IOC Summary
Threat: c2-monitor-auto
Total URLs: 4
Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://91.92.242.236/files-129312398/files/file_db636563c3c4acf5.dll:::Start | offline | malware_download | 2026-05-22 |
| hxxp://46.224.18.6:8888/Installer.msi | offline | malware_download | 2026-05-22 |
| hxxp://91.92.242.236/files-129312398/files/file_fd896ea145f39dc0.dll:::Start | offline | malware_download | 2026-05-22 |
| hxxp://91.92.242.236/files-129312398/files/file_d1f1134c95605cbb.exe | offline | malware_download | 2026-05-22 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: c2-monitor-auto
// The listed IOCs are raw IP addresses, so they never appear as DNS query names;
// they are matched against the resolved addresses (IPAddresses) as well.
let malicious_domains = dynamic(["91.92.242.236", "46.224.18.6"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: c2-monitor-auto
let malicious_domains = dynamic(["91.92.242.236", "46.224.18.6"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
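The hunt lists above are typed by hand from the IOC table. The following added example (not part of the original page) derives them from the defanged URLs instead: it refangs each entry, separates IP-based hosts from domain-based ones so that only domains feed a DnsEvents hunt, keeps the host:port pair (the 8888 listener above) for a higher-confidence exact match, and emits KQL against the DnsEvents and CommonSecurityLog columns used on this page. The sample URL list is constructed from the table; the function and variable names are the example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample input: the four defanged URLs from the IOC table above.
IOC_URLS = [
    "hxxp://91.92.242.236/files-129312398/files/file_db636563c3c4acf5.dll:::Start",
    "hxxp://46.224.18.6:8888/Installer.msi",
    "hxxp://91.92.242.236/files-129312398/files/file_fd896ea145f39dc0.dll:::Start",
    "hxxp://91.92.242.236/files-129312398/files/file_d1f1134c95605cbb.exe",
]

def parse_iocs(urls):
    """Refang the URLs and split hosts into IPs, domains and host:port pairs (IPs never appear as DNS names)."""
    ips, domains, endpoints = set(), set(), set()
    for url in urls:
        url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I).replace("[.]", ".")
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
        endpoints.add(f"{host}:{port}")
    return sorted(ips), sorted(domains), sorted(endpoints)

def kql_list(name, values):
    return "let %s = dynamic([%s]);" % (name, ", ".join('"%s"' % v for v in values))

def build_hunts(urls):
    """Return {table: KQL}; the DnsEvents hunt is emitted only when domain IOCs exist (assumed Sentinel schema)."""
    ips, domains, endpoints = parse_iocs(urls)
    hunts = {}
    if domains:
        hunts["DnsEvents"] = "\n".join([kql_list("malicious_domains", domains), "DnsEvents",
            "| where Name has_any (malicious_domains)",
            "| project TimeGenerated, Computer, Name, IPAddresses"])
    conds = []
    if ips:
        conds.append("DestinationIP in (malicious_ips) or RequestURL has_any (malicious_ips)")
    if domains:
        conds.append("DestinationHostName has_any (malicious_domains) or RequestURL has_any (malicious_domains)")
    hunts["CommonSecurityLog"] = "\n".join([
        kql_list("malicious_ips", ips), kql_list("malicious_domains", domains),
        kql_list("malicious_endpoints", endpoints), "CommonSecurityLog",
        "| where " + " or ".join(conds),
        # an exact IP:port hit (e.g. the :8888 listener) is the higher-confidence signal
        '| extend exact_endpoint = strcat(DestinationIP, ":", DestinationPort) in (malicious_endpoints)',
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DeviceAction, exact_endpoint"])
    return hunts
```

Because all four IOCs are IP-based, `build_hunts(IOC_URLS)` yields only the CommonSecurityLog query; a DNS hunt for these entries would match nothing.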
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new endpoint detection and response (EDR) tool by uploading a benign URL for validation purposes.
Filter/Exclusion: Exclude URLs that match the internal testing environment or are tagged with test or internal-validation.
Scenario: A scheduled job runs a script to download and update a legitimate software repository, which includes a URL flagged as c2-monitor-auto.
Filter/Exclusion: Exclude URLs that are part of known software update mechanisms (e.g., updates.example.com, repo.example.com) or are tagged with software-update.
Scenario: A security analyst is using a threat intelligence tool like VirusTotal to submit a file for analysis, and the tool generates a temporary URL for upload, which is tagged as c2-monitor-auto.
Filter/Exclusion: Exclude URLs that originate from known threat intelligence platforms (e.g., vt.example.com, threatintel.example.com) or are tagged with threat-intel.
Scenario: A DevOps team is using Ansible to automate configuration management and includes a URL to a public API for retrieving configuration data, which is mistakenly flagged.
Filter/Exclusion: Exclude URLs that are part of Ansible playbooks or are tagged with ansible or config-management.
Scenario: A user is accessing a legitimate cloud storage link (e.g., Google Drive or OneDrive) to share a document with a colleague, and the link is incorrectly flagged as c2-monitor-auto.
Filter/Exclusion: Exclude URLs that are part of known cloud storage services or are tagged with cloud-storage or file-sharing.