The hypothesis is that the detected URLs are associated with malicious shell scripts (sh) used by adversaries to execute arbitrary code on compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activities early.
IOC Summary
Threat: sh
Total URLs: 2
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://103.77.246.173:8888/nerv.sh | online | malware_download | 2026-05-08 |
| hxxp://176.65.139.11/bot.sh4 | online | malware_download | 2026-05-08 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: sh
// The indicators here are bare IP addresses, so a client will rarely send a
// DNS query whose Name contains them; match the resolved IPAddresses as well
// so a lookup of some other hostname that resolves to these IPs is also caught.
let malicious_domains = dynamic(["103.77.246.173", "176.65.139.11"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// has_any is term-based and case-insensitive, so the port (:8888) and path
// (/nerv.sh, /bot.sh4) do not need to be part of the indicator list.
let malicious_domains = dynamic(["103.77.246.173", "176.65.139.11"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
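The web-traffic hunt above, as an added example that is not part of the original page: it refangs the defanged URLhaus entries, derives the host list the `let malicious_domains` line needs (dropping the :8888 port so any port matches), and runs a term-bounded approximation of KQL `has_any` over constructed rows shaped like CommonSecurityLog. The row layout, the `SAMPLE_ROWS` data and the `has_any` approximation are assumptions, not Sentinel's own implementation.

```python
import re
from urllib.parse import urlsplit

# Defanged URLhaus entries from the IOC table (hxxp keeps the link unclickable).
IOC_URLS = [
    "hxxp://103.77.246.173:8888/nerv.sh",
    "hxxp://176.65.139.11/bot.sh4",
]

def refang(url: str) -> str:
    """Turn the defanged hxxp/hxxps scheme back into http/https for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def host_of(url: str) -> str:
    """Host part of a URL; .hostname drops the :8888 port so any port still matches."""
    return urlsplit(refang(url)).hostname

def kql_let(urls, name="malicious_domains") -> str:
    """Build the `let ... = dynamic([...])` line the Sentinel queries start with."""
    hosts = sorted({host_of(u) for u in urls})
    return f"let {name} = dynamic([" + ", ".join(f'"{h}"' for h in hosts) + "]);"

def has_any(value, terms) -> bool:
    """Approximation of KQL has_any: case-insensitive and term-bounded, so 1103.77.246.1730 is not a hit."""
    text = (value or "").lower()
    return any(
        re.search(r"(?<![0-9a-z])" + re.escape(t.lower()) + r"(?![0-9a-z])", text)
        for t in terms
    )

def hunt_web_traffic(rows, hosts):
    """Mirror of the CommonSecurityLog query: rows whose RequestURL or DestinationHostName hits, newest first."""
    hits = [r for r in rows if has_any(r.get("RequestURL"), hosts) or has_any(r.get("DestinationHostName"), hosts)]
    return sorted(hits, key=lambda r: r["TimeGenerated"], reverse=True)

# Constructed sample rows shaped like CommonSecurityLog columns (not real telemetry).
SAMPLE_ROWS = [
    {"TimeGenerated": "2026-05-08T09:00:00Z", "SourceIP": "10.0.0.5", "RequestURL": "http://103.77.246.173:8888/nerv.sh", "DestinationHostName": "", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-08T09:05:00Z", "SourceIP": "10.0.0.7", "RequestURL": "https://short.url/gh/updates", "DestinationHostName": "short.url", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-08T09:10:00Z", "SourceIP": "10.0.0.9", "RequestURL": "", "DestinationHostName": "176.65.139.11", "DeviceAction": "block"},
    {"TimeGenerated": "2026-05-08T09:15:00Z", "SourceIP": "10.0.0.3", "RequestURL": "http://1103.77.246.1730/x.sh", "DestinationHostName": "", "DeviceAction": "allow"},
]

if __name__ == "__main__":
    print(kql_let(IOC_URLS))
    for hit in hunt_web_traffic(SAMPLE_ROWS, [host_of(u) for u in IOC_URLS]):
        print(hit["TimeGenerated"], hit["SourceIP"], hit["RequestURL"] or hit["DestinationHostName"], hit["DeviceAction"])
```

The fourth sample row shows why term-bounded matching matters: a plain substring check would flag 1103.77.246.1730 as a hit on 103.77.246.173.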
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortener tool (short.url) by generating a short link to a legitimate internal documentation page.
Filter/Exclusion: Exclude URLs containing the domain internal-docs.example.com or any URL with the query parameter ?test=1.
Scenario: A scheduled job runs a script that fetches updates from a public GitHub repository using a short URL (https://short.url/gh/updates).
Filter/Exclusion: Exclude URLs that match the pattern https://short.url/gh/ or any URL containing the string github.com.
Scenario: A DevOps engineer is using a CI/CD pipeline tool like Jenkins to trigger a build via a short URL (https://short.url/jenkins/build).
Filter/Exclusion: Exclude URLs that match the pattern https://short.url/jenkins/ or any URL containing the string jenkins.build.
Scenario: An IT team uses a third-party tool like PowerShell to automate system health checks, which includes a short URL to a public health check script.
Filter/Exclusion: Exclude URLs containing the domain healthcheck.example.com or any URL with the path /scripts/health.
Scenario: A security analyst is using a tool like OSSEC to send alerts to a short URL for internal triage purposes (https://short.url/ossec/alert).
Filter/Exclusion: Exclude URLs containing the domain ossec.example.com or any URL with the path /alert.