This hunt hypothesis targets adversaries using ClearFake malicious URLs to deliver payloads, leveraging compromised or deceptive links to reach endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate the compromise vector before it leads to data exfiltration or system control.
IOC Summary
Threat: ClearFake
Total URLs: 11
Active URLs: 10
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://zoneday-green-house-oper-center.garden/2affdbb2-9683-4155-a1c1-df08222b9e33/google.cl | online | malware_download | 2026-05-18 |
| hxxps://ecosystemmanagementcore.garden/866dd8fb-f069-4f96-9e5b-fb881ed8dfb3/google.cl | online | malware_download | 2026-05-18 |
| hxxps://containerizedplantnetwork.garden/b534554c-b2e0-4a56-808c-ce67ce9fc6e9/google.cl | online | malware_download | 2026-05-18 |
| hxxps://floraanalyticsengine.garden/f67f9750-2112-4f5b-9256-2fb061a9277b/google.cl | online | malware_download | 2026-05-18 |
| hxxps://meadowmonitoringplatform.garden/7b9570f9-d9cc-471b-9d8c-f385b355123a/google.cl | online | malware_download | 2026-05-18 |
| hxxps://irrigationautomationhub.garden/99c57f7c-dcd4-4058-b88c-654819a34ef4/google.cl | online | malware_download | 2026-05-18 |
| hxxps://c2rdcpuv.runtime-sphere.digital/?ublib=710960bf-19e3-4f4a-9473-5a563ddb6fef | offline | malware_download | 2026-05-18 |
| hxxps://botanicalworkflowcenter.garden/7b8b9930-7862-48e9-8210-75ad0f6ab291/google.cl | online | malware_download | 2026-05-18 |
| hxxps://distributedgrowthnetwork.garden/77f346b3-5103-4609-bdb5-2cbe9ec26f65/google.cl | online | malware_download | 2026-05-18 |
| hxxps://wildfloracontrolsystem.garden/09a62705-f6fb-491b-9a0f-0992c7fe8e8a/google.cl | online | malware_download | 2026-05-18 |
| hxxps://petalprocessingplatform.garden/fb173cbf-a417-4bb3-a8bb-90c095caa7a3/google.cl | online | malware_download | 2026-05-18 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
// Domains of the 10 URLs URLhaus lists as online (the offline entry is omitted)
let malicious_domains = dynamic(["zoneday-green-house-oper-center.garden", "petalprocessingplatform.garden", "botanicalworkflowcenter.garden", "irrigationautomationhub.garden", "meadowmonitoringplatform.garden", "distributedgrowthnetwork.garden", "containerizedplantnetwork.garden", "ecosystemmanagementcore.garden", "floraanalyticsengine.garden", "wildfloracontrolsystem.garden"]);
DnsEvents
// Name is the queried record; has_any matches any listed domain appearing as a term in it
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
// Same domain list as the DNS hunt above
let malicious_domains = dynamic(["zoneday-green-house-oper-center.garden", "petalprocessingplatform.garden", "botanicalworkflowcenter.garden", "irrigationautomationhub.garden", "meadowmonitoringplatform.garden", "distributedgrowthnetwork.garden", "containerizedplantnetwork.garden", "ecosystemmanagementcore.garden", "floraanalyticsengine.garden", "wildfloracontrolsystem.garden"]);
CommonSecurityLog
// Proxy/firewall logs may carry the domain in the full URL or only in the destination host
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
// DeviceAction shows whether the device already blocked the request
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
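The `dynamic([...])` list in the queries above is derived from the IOC table by refanging the `hxxps://` URLs, keeping only the entries URLhaus marks as online, and extracting the hostnames. The following Python script is an added example (not part of the original hunt page) that performs that derivation and emits the KQL `let` statement, so the list can be regenerated when the IOC table is refreshed. The IOC rows embedded in the script are copied from the table above; the DNS names fed to the matcher are constructed test values, and the subdomain-aware match is an approximation of KQL `has_any` rather than a reimplementation of it.

```python
"""
Build the KQL domain list for the ClearFake hunt from the defanged IOC table.

Added example, not part of the original hunt page. Refangs hxxps:// URLs,
keeps only entries URLhaus reports as online, extracts hostnames and renders
the `let malicious_domains = dynamic([...])` line used by the Sentinel queries.
"""
import re
from urllib.parse import urlsplit

# The 11 IOC rows from the table above, in their defanged form.
IOC_TABLE = """
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://zoneday-green-house-oper-center.garden/2affdbb2-9683-4155-a1c1-df08222b9e33/google.cl | online | malware_download | 2026-05-18 |
| hxxps://ecosystemmanagementcore.garden/866dd8fb-f069-4f96-9e5b-fb881ed8dfb3/google.cl | online | malware_download | 2026-05-18 |
| hxxps://containerizedplantnetwork.garden/b534554c-b2e0-4a56-808c-ce67ce9fc6e9/google.cl | online | malware_download | 2026-05-18 |
| hxxps://floraanalyticsengine.garden/f67f9750-2112-4f5b-9256-2fb061a9277b/google.cl | online | malware_download | 2026-05-18 |
| hxxps://meadowmonitoringplatform.garden/7b9570f9-d9cc-471b-9d8c-f385b355123a/google.cl | online | malware_download | 2026-05-18 |
| hxxps://irrigationautomationhub.garden/99c57f7c-dcd4-4058-b88c-654819a34ef4/google.cl | online | malware_download | 2026-05-18 |
| hxxps://c2rdcpuv.runtime-sphere.digital/?ublib=710960bf-19e3-4f4a-9473-5a563ddb6fef | offline | malware_download | 2026-05-18 |
| hxxps://botanicalworkflowcenter.garden/7b8b9930-7862-48e9-8210-75ad0f6ab291/google.cl | online | malware_download | 2026-05-18 |
| hxxps://distributedgrowthnetwork.garden/77f346b3-5103-4609-bdb5-2cbe9ec26f65/google.cl | online | malware_download | 2026-05-18 |
| hxxps://wildfloracontrolsystem.garden/09a62705-f6fb-491b-9a0f-0992c7fe8e8a/google.cl | online | malware_download | 2026-05-18 |
| hxxps://petalprocessingplatform.garden/fb173cbf-a417-4bb3-a8bb-90c095caa7a3/google.cl | online | malware_download | 2026-05-18 |
"""


def refang(url: str) -> str:
    """Undo common defanging: hxxp -> http, [.] or (.) -> ., [:] -> :."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_ioc_table(text: str) -> list[dict]:
    """Parse markdown rows `| url | status | threat | date |` (leading pipe optional)."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Header, separator and blank lines do not start with a (defanged) URL scheme.
        if len(cells) != 4 or not re.match(r"^h(xx|tt)ps?://", cells[0], re.IGNORECASE):
            continue
        url, status, threat, date_added = cells
        rows.append({"url": refang(url), "status": status,
                     "threat": threat, "date_added": date_added})
    return rows


def active_domains(rows: list[dict]) -> list[str]:
    """Unique hostnames of entries URLhaus reports as online, sorted for stable output."""
    hosts = {urlsplit(r["url"]).hostname.lower() for r in rows if r["status"] == "online"}
    return sorted(hosts)


def to_kql_dynamic(name: str, values: list[str]) -> str:
    """Render a KQL `let` statement holding a dynamic array of string literals."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def match_dns_names(names: list[str], domains: list[str]) -> list[str]:
    """Return queried names equal to, or a subdomain of, a listed domain.

    Approximates the intent of `Name has_any (malicious_domains)`; a lookalike
    such as listed-domain.evil.test is deliberately not matched.
    """
    hits = []
    for n in names:
        host = n.lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append(n)
    return hits


if __name__ == "__main__":
    rows = parse_ioc_table(IOC_TABLE)
    domains = active_domains(rows)
    print(to_kql_dynamic("malicious_domains", domains))
    # Constructed DNS names for a quick offline check of the list.
    sample = ["cdn.petalprocessingplatform.garden",
              "petalprocessingplatform.garden.evil.test",
              "login.microsoftonline.com"]
    print(match_dns_names(sample, domains))
```

Paste the printed `let` line in place of the hard-coded list in both queries; keeping the domains sorted makes diffs between refreshes of the IOC table easy to review.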
The exclusion expressions below use generic field names (process.name, process.args, file.hash, url.domain, url.path) rather than Sentinel column names; map them to the columns of the table being queried (for example RequestURL and DestinationHostName in CommonSecurityLog) before appending them to the queries above.
Scenario: A system administrator is manually testing a security tool by inputting a known ClearFake URL into a test environment to validate detection capabilities.
Filter/Exclusion: `process.name != "security_tool_test_script" or process.args != "test_clearfake_url"`
Scenario: A scheduled job runs a script that downloads a legitimate software update from a URL tagged as ClearFake by URLhaus, but the update is signed and verified by the vendor.
Filter/Exclusion: `file.hash != "known_legitimate_update_hash" or process.name != "scheduled_update_job"`
Scenario: An IT admin performing a system cleanup runs a PowerShell or batch script to remove old files, and the script contains a URL that URLhaus mistakenly flagged.
Filter/Exclusion: `process.name != "cleanup_script" or process.args != "remove_old_files"`
Scenario: A user is accessing a legitimate phishing training page hosted on a domain that was previously listed in URLhaus as ClearFake, but is now used for security awareness.
Filter/Exclusion: `process.name != "browser" or url.domain != "phishing-training.example.com"`
Scenario: A DevOps pipeline is using a CI/CD tool like Jenkins or GitHub Actions to deploy code, and one of the build steps includes a URL from a known ClearFake list for testing purposes.
Filter/Exclusion: `(process.name != "jenkins" and process.name != "github_actions") or url.path != "/test-deploy-endpoint"`