This hunt hypothesis covers adversaries using ClearFake URLs to deliver malware or phishing payloads, hosted on compromised or look-alike domains, to steal user credentials or compromise endpoints. SOC teams should proactively hunt for these URLs in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain compromise early, since ClearFake infrastructure rotates quickly and may slip past signature-based controls. Every URL in the list below is on a single domain and uses the same `/<UUID>/google.ct` path, and all were offline when the list was captured, so the value of the hunt is in historical DNS and proxy telemetry: a hit means a host contacted this infrastructure while it was live, not that the URL is reachable now.
IOC Summary
Threat: ClearFake | Total URLs: 77 | Active URLs: 0 (25 of the 77 URLs are listed below)
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://master-system-data-core-wiki.wiki/e36c3588-15d5-48e6-a864-638f607e3a75/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/e36c3588-15d5-48e6-a864-638f607e3a75/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/4ec759d3-8a78-4a71-9631-b960843a2570/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/4ec759d3-8a78-4a71-9631-b960843a2570/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/5c97f4fa-84fc-4bb6-bd98-98270874efde/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/5c97f4fa-84fc-4bb6-bd98-98270874efde/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/5c6c47f2-36cd-4e28-8a60-e2bee74c0694/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/5c6c47f2-36cd-4e28-8a60-e2bee74c0694/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/afef312d-63ed-4c30-b3b5-58da8b868fea/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/afef312d-63ed-4c30-b3b5-58da8b868fea/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/7c881852-e522-4ce6-a104-6b8573c4a514/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/7c881852-e522-4ce6-a104-6b8573c4a514/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/1a36e78d-fb86-4d5a-b499-57f2b8376933/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/1a36e78d-fb86-4d5a-b499-57f2b8376933/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/a260d8ea-1d0c-4ea4-9987-e9901903417e/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/a260d8ea-1d0c-4ea4-9987-e9901903417e/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/6f5e8897-5c43-4f2c-9d55-1ee88bc814bd/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/6f5e8897-5c43-4f2c-9d55-1ee88bc814bd/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/7c7992cb-e74e-432c-a362-c114365aa9b6/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/7c7992cb-e74e-432c-a362-c114365aa9b6/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/94fb828c-21b3-44a3-a534-63ed1dac98c0/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/94fb828c-21b3-44a3-a534-63ed1dac98c0/google.ct | offline | malware_download | 2026-05-12 |
| hxxp://master-system-data-core-wiki.wiki/6091b429-bd30-4571-9ad7-70f6647f73cd/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/6091b429-bd30-4571-9ad7-70f6647f73cd/google.ct | offline | malware_download | 2026-05-12 |
| hxxps://master-system-data-core-wiki.wiki/4973fdbf-c83d-4e75-a01e-ee526e8ca1bd/google.ct | offline | malware_download | 2026-05-12 |

The URLs above are defanged (`hxxp`/`hxxps`); the queries below match on the refanged hostname, which is the same whether the client used HTTP or HTTPS.
Run each query separately; `let` statements in KQL must end with a semicolon.

```kql
// Hunt for DNS resolution of URLhaus-listed malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["master-system-data-core-wiki.wiki"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web/proxy traffic to URLhaus-listed malicious domains
// Threat: ClearFake
let malicious_domains = dynamic(["master-system-data-core-wiki.wiki"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```

`DeviceAction` tells you whether the proxy or firewall blocked the request; an allowed request to this domain is the case that needs endpoint triage. `DnsEvents` is populated by the legacy DNS Analytics connector; if your workspace ingests DNS through an ASIM-normalized source, hunt `ASimDnsActivityLogs` on `DnsQuery` instead.
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Known false-positive scenarios and the exclusions to apply (hostnames, IPs and strings below are documentation placeholders, not real infrastructure):

- **Scenario:** A system administrator manually tests a ClearFake URL as part of a security training exercise.
  **Filter/Exclusion:** Exclude URLs whose host is training.example.com or any subdomain of it.
- **Scenario:** A scheduled job runs a script that fetches and processes URLs from a legitimate threat intelligence feed that includes ClearFake URLs.
  **Filter/Exclusion:** Exclude requests originating from the IP address 192.0.2.1 (a documentation placeholder) or URLs that match the feed's known benign patterns.
- **Scenario:** A user clicks a ClearFake URL embedded in an internal documentation tool such as Confluence or SharePoint as part of a phishing simulation.
  **Filter/Exclusion:** Exclude URLs that contain the string phishing-sim or that go through the internal URL shortener short.example.com.
- **Scenario:** A DevOps pipeline dynamically generates URLs for testing purposes, for example during CI/CD pipeline validation.
  **Filter/Exclusion:** Exclude URLs that contain the substring ci-cd-test or that are generated by the Jenkins job test-url-generator.
- **Scenario:** A scheduled task downloads and analyzes malware samples from a sandboxing tool such as Cuckoo Sandbox, which may include URLs tagged as ClearFake.
  **Filter/Exclusion:** Exclude URLs that belong to the sandboxing environment (e.g., sandbox.example.com) or match the Cuckoo Sandbox internal URL patterns.

Scope each exclusion as narrowly as the scenario allows: a substring exclusion such as phishing-sim applies to the URL, not to the source host, so a real ClearFake hit from a training machine still surfaces.
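The following is an added example, not a query from the original page or from URLhaus. It combines the two hunt queries above into one result set, extends them with a hunt on the `/<UUID>/google.ct` path pattern shared by every listed URL (so rotated ClearFake domains with the same path shape are caught even when the domain is not yet in the IOC list), and applies the false-positive exclusions from the scenarios above as `let` lists. The excluded hosts, the source IP 192.0.2.1 and the marker strings are the page's placeholders; `ClientIP` on `DnsEvents` and `parse_url(...).Host` are standard Sentinel/KQL, but verify column names against your workspace schema before scheduling it.

```kql
// Added example: combined ClearFake hunt with path-pattern matching and exclusions
let malicious_domains = dynamic(["master-system-data-core-wiki.wiki"]);
// Every URL in the IOC table ends in /<UUID>/google.ct; hunt on that shape regardless of host
let clearfake_path = @"/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/google\.ct$";
// Exclusions taken from the scenarios above (placeholder values, assumed)
let excluded_host_regex = @"(^|\.)(training\.example\.com|short\.example\.com|sandbox\.example\.com)$";
let excluded_sources = dynamic(["192.0.2.1"]);
let excluded_markers = dynamic(["phishing-sim", "ci-cd-test"]);
// Web/proxy hits: by known domain, or by the path pattern on any host
let web_hits = CommonSecurityLog
    | where isnotempty(RequestURL)
    | extend Host = tolower(tostring(parse_url(RequestURL).Host))
    | where Host has_any (malicious_domains) or RequestURL matches regex clearfake_path
    | project TimeGenerated, Computer, SourceIP, Host, Url = RequestURL, DeviceAction,
              Source = "CommonSecurityLog";
// DNS hits: by known domain only (no path is visible in a DNS query)
let dns_hits = DnsEvents
    | extend Host = tolower(Name)
    | where Host has_any (malicious_domains)
    | project TimeGenerated, Computer, SourceIP = ClientIP, Host, Url = "", DeviceAction = "",
              Source = "DnsEvents";
union web_hits, dns_hits
// Apply the documented exclusions: excluded hosts and their subdomains, the feed
// collector's source IP, and URLs carrying a simulation/test marker
| where not(Host matches regex excluded_host_regex)
| where not(SourceIP in (excluded_sources))
| where not(Url has_any (excluded_markers))
// One row per affected endpoint, with the evidence needed to triage it
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Sources = make_set(Source),
            Hosts = make_set(Host, 20),
            Urls = make_set(Url, 20),
            Actions = make_set(DeviceAction)
  by Computer, SourceIP
| order by LastSeen desc
```

A row whose `Actions` set contains an allow verdict, or whose `Sources` set includes `DnsEvents` with no corresponding block, is the endpoint to pull for forensic triage. The path-pattern match is a hypothesis derived from the listed URLs, not from URLhaus itself, so treat hits on hosts outside `malicious_domains` as leads to validate rather than confirmed ClearFake infrastructure.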