The hypothesis is that the detected malicious URLs are used by adversaries to download malware into the network, bypassing traditional defenses. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and contain potential malware infections before they spread.
IOC Summary

Threat: malware_download. Total URLs: 6. Active URLs: 6.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://118.34.109.121:46538/i | online | malware_download | 2026-05-13 |
| hxxp://42.87.168.56:43704/i | online | malware_download | 2026-05-13 |
| hxxp://175.149.123.111:52663/i | online | malware_download | 2026-05-13 |
| hxxp://175.149.123.111:52663/bin.sh | online | malware_download | 2026-05-13 |
| hxxp://221.14.13.84:57717/i | online | malware_download | 2026-05-13 |
| hxxp://42.57.53.136:59615/i | online | malware_download | 2026-05-13 |
```kql
// Hunt for DNS activity involving the URLhaus malicious hosts
// Threat: malware_download
// The IOCs are bare IP addresses, so a query name will rarely contain them;
// the resolved-address column (IPAddresses) is checked as well.
let malicious_ips = dynamic(["175.149.123.111", "42.87.168.56", "118.34.109.121", "221.14.13.84", "42.57.53.136"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to the URLhaus malicious hosts
// Threat: malware_download
// Matches the IP in the requested URL, the destination host name, or the destination IP.
let malicious_ips = dynamic(["175.149.123.111", "42.87.168.56", "118.34.109.121", "221.14.13.84", "42.57.53.136"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips) or DestinationHostName has_any (malicious_ips) or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Update via Microsoft Update
Description: A legitimate scheduled task runs Microsoft Update, and its download from Microsoft's update servers is flagged as a match by the hunt.
Filter/Exclusion: Exclude URLs containing update.microsoft.com or windowsupdate.com in the url field.
Scenario: Admin Task for Log Collection via Splunk
Description: An admin task configured to collect logs from remote servers uses a legitimate URL from Splunk’s CDN to fetch log files.
Filter/Exclusion: Exclude URLs containing splunk.com or splunkbase.com in the url field.
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a build artifact from a private registry or a trusted artifact repository.
Filter/Exclusion: Exclude URLs containing artifactory.com, nexus.repository, or docker.io in the url field.
Scenario: Internal Monitoring Tool Data Fetch
Description: An internal monitoring tool (e.g., Prometheus, Grafana) fetches metrics from a local or internal server using a legitimate URL.
Filter/Exclusion: Exclude URLs containing localhost, 127.0.0.1, or internal IP ranges (e.g., 10.0.0.0/8) in the url field.
Scenario: User-Initiated File Sync via Dropbox
Description: A user manually syncs files using Dropbox, which results in a download from Dropbox’s CDN.
Filter/Exclusion: Exclude URLs containing dropbox.com or dl.dropboxusercontent.com in the url field.
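The hunting queries above match on the raw IP string, and the five scenarios describe exclusions in prose. The following is an added example (not part of the original page and not a Microsoft or URLhaus tool) that shows both steps together: it refangs the hxxp URLs from the IOC table into exact (host, port) pairs, applies the domain-suffix and internal-range exclusions from the scenarios, and runs the result over constructed records shaped like the projected CommonSecurityLog columns. The sample records, their SourceIP values and the hostname `www.example.test` are made up; the exclusion list is assembled from the scenarios verbatim. A host that matches an IOC on a different port is reported separately from an exact match so the analyst can triage the two with different priority.

```python
import ipaddress
from urllib.parse import urlsplit

# IOC URLs copied from the URLhaus table above (defanged hxxp form).
IOC_URLS = [
    "hxxp://118.34.109.121:46538/i",
    "hxxp://42.87.168.56:43704/i",
    "hxxp://175.149.123.111:52663/i",
    "hxxp://175.149.123.111:52663/bin.sh",
    "hxxp://221.14.13.84:57717/i",
    "hxxp://42.57.53.136:59615/i",
]

# Exclusion list assembled from the five false-positive scenarios above.
EXCLUDED_DOMAINS = (
    "update.microsoft.com", "windowsupdate.com",          # Microsoft Update
    "splunk.com", "splunkbase.com",                       # Splunk log collection
    "artifactory.com", "nexus.repository", "docker.io",   # CI/CD artifacts
    "localhost",                                          # internal monitoring
    "dropbox.com", "dl.dropboxusercontent.com",           # Dropbox sync
)
EXCLUDED_NETWORKS = (
    ipaddress.ip_network("127.0.0.0/8"),   # loopback (covers 127.0.0.1)
    ipaddress.ip_network("10.0.0.0/8"),    # internal range from the scenario
)


def refang(url: str) -> str:
    """Turn the defanged hxxp(s):// scheme back into http(s):// so urlsplit parses it."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def parse_host_port(url: str):
    """Return (host, port) for a URL, defaulting the port from the scheme."""
    parts = urlsplit(refang(url))
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.hostname or "").lower(), port


def build_ioc_index(urls):
    """Index IOCs by exact (host, port) and by host alone."""
    exact = {parse_host_port(u) for u in urls}
    hosts = {h for h, _ in exact}
    return exact, hosts


def is_excluded(host: str) -> bool:
    """True if the host is an excluded domain (or subdomain) or an excluded IP range."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in EXCLUDED_DOMAINS):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname that is not on the exclusion list
    return any(ip in net for net in EXCLUDED_NETWORKS)


def classify(record: dict, exact, hosts) -> str:
    """Classify one CommonSecurityLog-like record: 'excluded', 'exact-ioc'
    (host and port match a listed URL), 'host-ioc' (same host, other port) or 'clean'."""
    url = record.get("RequestURL") or ""
    if url:
        host, port = parse_host_port(url)
    else:  # no URL logged: fall back to the destination host name, port unknown
        host, port = (record.get("DestinationHostName") or "").lower(), 0
    if is_excluded(host):
        return "excluded"
    if (host, port) in exact:
        return "exact-ioc"
    if host in hosts:
        return "host-ioc"
    return "clean"


def hunt(records, urls=IOC_URLS):
    """Return the records that survive the exclusions and match an IOC, tagged with the match kind."""
    exact, hosts = build_ioc_index(urls)
    hits = []
    for rec in records:
        verdict = classify(rec, exact, hosts)
        if verdict in ("exact-ioc", "host-ioc"):
            hits.append({**rec, "Match": verdict})
    return hits


# Constructed sample records in the shape of the projected CommonSecurityLog columns.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-05-14T08:01:00Z", "SourceIP": "10.20.30.40", "DeviceAction": "allow",
     "RequestURL": "http://175.149.123.111:52663/bin.sh", "DestinationHostName": "175.149.123.111"},
    {"TimeGenerated": "2026-05-14T08:02:00Z", "SourceIP": "10.20.30.41", "DeviceAction": "deny",
     "RequestURL": "http://42.87.168.56:8080/", "DestinationHostName": "42.87.168.56"},
    {"TimeGenerated": "2026-05-14T08:03:00Z", "SourceIP": "10.20.30.42", "DeviceAction": "allow",
     "RequestURL": "https://update.microsoft.com/download/x.cab", "DestinationHostName": "update.microsoft.com"},
    {"TimeGenerated": "2026-05-14T08:04:00Z", "SourceIP": "10.20.30.43", "DeviceAction": "allow",
     "RequestURL": "http://10.1.2.3:9090/metrics", "DestinationHostName": "10.1.2.3"},
    {"TimeGenerated": "2026-05-14T08:05:00Z", "SourceIP": "10.20.30.44", "DeviceAction": "allow",
     "RequestURL": "https://www.example.test/index.html", "DestinationHostName": "www.example.test"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit["Match"], hit["SourceIP"], hit["RequestURL"], hit["DeviceAction"])
```

Running the block reports the first record as an exact IOC hit and the second as a host-only hit (the same IP on port 8080 rather than the listed 43704), while the Microsoft Update, internal-range and unrelated records are dropped. Note that exclusions are applied to the parsed host, not by substring over the whole URL, so a malicious URL that merely mentions an excluded domain in its path or query string is still reported.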