Adversaries may use malicious URLs tagged as opendir to exfiltrate data or establish command and control channels. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential data exfiltration or C2 activities early.
IOC Summary
Threat: opendir
Total URLs: 3
Active URLs: 1

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://156.238.242.196/linux_ak.sh | online | malware_download | 2026-05-11 |
| hxxp://156.238.242.196/linux.sh | offline | malware_download | 2026-05-11 |
| hxxp://130.78.217.194:8888/bot.sh | offline | malware_download | 2026-05-11 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: opendir
// Both hosts from the IOC table above are included; the offline host is kept
// for retrospective hunting of earlier contact.
// The IOCs are IP literals, which never appear as a DNS query name, so the
// resolved IPAddresses column is matched as well as Name (a domain pointing
// at the listed host would surface there).
let malicious_hosts = dynamic(["156.238.242.196", "130.78.217.194"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// DestinationIP is checked too, since a proxy or firewall may log the
// connection without a hostname when the URL uses an IP literal.
let malicious_hosts = dynamic(["156.238.242.196", "130.78.217.194"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
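The same hunt logic, run offline over constructed DNS and proxy log lines, as an added example that is not part of the original page. It refangs the IOC URLs from the table above, extracts the host (dropping the `:8888` port), matches DNS events on both the query name and the resolved answer, matches proxy events on host and on the exact URL, and flags hits from the process names that the false-positive scenarios later on this page treat as benign. The log formats, the process-name field and the `BENIGN_PROCESSES` allowlist are assumptions for the example; a real environment would read these fields from its own connector schema.

```python
import re
from urllib.parse import urlsplit

# IOC URLs copied from the table above, still defanged (hxxp).
IOC_URLS = [
    "hxxp://156.238.242.196/linux_ak.sh",
    "hxxp://156.238.242.196/linux.sh",
    "hxxp://130.78.217.194:8888/bot.sh",
]

# Process names the false-positive scenarios on this page treat as benign.
# Assumption: illustrative allowlist only; tune it to your environment.
BENIGN_PROCESSES = {"backup_script.sh", "choco", "ansible", "fluentd", "logstash", "git"}


def refang(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable http(s):// URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def ioc_hosts(urls):
    """Host part of each IOC URL; urlsplit().hostname drops any :port suffix."""
    return {urlsplit(refang(u)).hostname for u in urls}


def ioc_full_urls(urls):
    """Exact refanged URLs, lower-cased for comparison."""
    return {refang(u).lower() for u in urls}


# Constructed sample logs (not real telemetry). Assumed formats:
# DNS:   <time> <computer> query=<name> answer=<ip>
# Proxy: <time> <source ip> <process> <request url> <action>
DNS_LOG = """\
2026-05-11T09:58:02Z host01 query=updates.example-constructed.test answer=10.0.0.9
2026-05-11T10:01:40Z host02 query=files.example-constructed.test answer=156.238.242.196
2026-05-11T10:03:15Z host01 query=mail.example-constructed.test answer=10.0.0.12
""".splitlines()

PROXY_LOG = """\
2026-05-11T10:02:11Z 10.0.0.5 curl http://156.238.242.196/linux_ak.sh allow
2026-05-11T10:02:30Z 10.0.0.7 backup_script.sh http://156.238.242.196/linux.sh allow
2026-05-11T10:04:02Z 10.0.0.8 wget http://130.78.217.194:8888/bot.sh deny
2026-05-11T10:05:00Z 10.0.0.5 curl http://156.238.242.196/other.txt allow
2026-05-11T10:06:00Z 10.0.0.9 choco https://community.chocolatey.org/api/v2 allow
""".splitlines()


def hunt_dns(lines, hosts):
    """Flag DNS events whose query name or resolved answer is an IOC host.
    An IP-literal IOC never appears as a query name, so the answer field is
    what catches a domain that resolves to the listed host."""
    hits = []
    for line in lines:
        ts, computer, query, answer = line.split()
        qname = query.removeprefix("query=")
        ip = answer.removeprefix("answer=")
        if qname in hosts or ip in hosts:
            hits.append({"time": ts, "computer": computer, "name": qname, "ip": ip})
    return hits


def hunt_proxy(lines, hosts, full_urls, benign):
    """Flag proxy events whose destination host is an IOC host.
    exact_ioc marks a hit on a listed URL rather than just the host;
    excluded marks a hit from an allowlisted process (a false-positive
    candidate to review, not to drop silently)."""
    hits = []
    for line in lines:
        ts, src, proc, url, action = line.split()
        if urlsplit(url).hostname not in hosts:
            continue
        hits.append({
            "time": ts, "source_ip": src, "process": proc, "url": url, "action": action,
            "exact_ioc": url.lower() in full_urls,
            "excluded": proc in benign,
        })
    return hits


def run_hunt():
    """Run both hunts against the constructed logs and return the results."""
    hosts = ioc_hosts(IOC_URLS)
    return {
        "dns": hunt_dns(DNS_LOG, hosts),
        "proxy": hunt_proxy(PROXY_LOG, hosts, ioc_full_urls(IOC_URLS), BENIGN_PROCESSES),
    }


if __name__ == "__main__":
    results = run_hunt()
    for kind, hits in results.items():
        print(f"{kind}: {len(hits)} hit(s)")
        for h in hits:
            print("  ", h)
```

The `excluded` flag is deliberately reported rather than filtered out: a backup job fetching a listed URL is still worth a look, and keeping the row lets an analyst apply the exclusion at triage time instead of losing the event.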
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled job runs a backup script that temporarily downloads a file from a known URLhaus-listed URL as part of a backup process.
Filter/Exclusion: Exclude URLs associated with known backup tools (e.g., rsync, tar, backuppc) or filter by process name like backup_script.sh or backup_service.exe.
Scenario: Software Update Distribution
Description: An internal IT team uses a tool like Chocolatey or Ansible to distribute software updates, which may involve downloading files from a URLhaus-listed URL as part of the update process.
Filter/Exclusion: Exclude URLs that match known update repositories or use a process name filter like choco, ansible, or update_service.exe.
Scenario: Log Collection and Analysis
Description: A log aggregation tool like Fluentd or Logstash is configured to collect logs from multiple servers and may use a URLhaus-listed URL to store or process log data.
Filter/Exclusion: Exclude URLs that match known log storage locations or filter by process name like fluentd, logstash, or log_collector.exe.
Scenario: Internal Code Repository Sync
Description: A developer uses a tool like Git or GitHub Actions to sync code from an internal repository, which may involve a URLhaus-listed URL as part of the sync process.
Filter/Exclusion: Exclude URLs that match internal Git repositories or filter by process name like git, github_actions, or sync_service.exe.
Scenario: Security Tool Configuration Sync
Description: A security tool like CrowdStrike or Microsoft Defender may use a URLhaus-listed URL to fetch configuration updates or