The hypothesis is that the detected malicious URLs associated with the IP 124-198-132-139 are being used by an adversary to deliver payloads or exfiltrate data, indicating potential command and control or data theft activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise before significant damage occurs.
IOC Summary

Threat: 124-198-132-139
Total URLs: 2
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://124.198.132.139/Bin/ScreenConnect.ClientSetup.exe | online | malware_download | 2026-06-15 |
| hxxps://124.198.132.139/bin/support.client.exe | online | malware_download | 2026-06-15 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 124-198-132-139
let malicious_domains = dynamic(["124.198.132.139"]);
DnsEvents
// The indicator is an IP address, so check the resolved addresses as well as the queried name
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["124.198.132.139"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)   // direct connections by IP carry no hostname
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Scheduled System Update Job
Description: A legitimate scheduled job runs a system update that downloads a known safe URL from a trusted source, which coincidentally matches the IP address in the rule.
Filter/Exclusion: Exclude URLs associated with known update servers (e.g., https://updates.microsoft.com, https://dl.google.com).

Scenario: Admin Task Using PowerShell for Log Analysis
Description: An admin uses PowerShell to query logs and generates a URL for internal log analysis, which is flagged due to the IP address in the rule.
Filter/Exclusion: Exclude URLs containing the string internal-log-analysis or originating from the admin's local machine (host field = localhost).

Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline downloads a build artifact from a private registry or artifact server, which is mistakenly flagged due to the IP address in the rule.
Filter/Exclusion: Exclude URLs that contain ci-cd, artifactory, or nexus in the domain or path.

Scenario: Internal Monitoring Tool Generating Test URLs
Description: An internal monitoring tool generates test URLs for stress testing or validation, which are flagged due to the IP address in the rule.
Filter/Exclusion: Exclude URLs containing the string test-url or stress-test in the query parameter or path.

Scenario: Email Server Generating Temporary URLs for Attachments
Description: An email server generates temporary URLs for file attachments, which are flagged due to the IP address in the rule.
Filter/Exclusion: Exclude URLs that contain attachment, temp, or file in the path or query parameter, and filter by source IP of the email server.
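The following is an added example, not code from the original page: it takes the two defanged IOC URLs above, refangs them, matches constructed proxy log lines on the indicator host (by destination IP or URL host, so path variants such as /Bin/ and /bin/ are both caught), and then applies the five false-positive exclusions listed above, in the same way a `where not(...)` clause would in the CommonSecurityLog query. The log lines, the key=value log format and the email-server address 10.0.0.25 are constructed for the example; the hosts and path tokens are the ones the scenarios name.

```python
"""Offline triage of URLhaus indicators against proxy log lines (added example)."""
import re
from urllib.parse import urlparse

# Indicators from the IOC summary, as published (defanged).
IOC_URLS = [
    "hxxps://124.198.132.139/Bin/ScreenConnect.ClientSetup.exe",
    "hxxps://124.198.132.139/bin/support.client.exe",
]

# Exclusions transcribed from the false-positive scenarios on the page.
KNOWN_UPDATE_HOSTS = {"updates.microsoft.com", "dl.google.com"}   # scenario 1
PATH_TOKENS = ("internal-log-analysis",                           # scenario 2
               "ci-cd", "artifactory", "nexus",                   # scenario 3
               "test-url", "stress-test")                         # scenario 4
MAIL_TOKENS = ("attachment", "temp", "file")                      # scenario 5 ...
MAIL_SERVER_IPS = {"10.0.0.25"}   # ... scoped to the mail server (constructed address)


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp/hxxps, [.]) back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def ioc_hosts(urls=IOC_URLS):
    """Hosts/IPs to hunt for. Matching on the host rather than the full URL
    catches path variants such as /Bin/ vs /bin/ in the two indicators."""
    return {urlparse(refang(u)).hostname.lower() for u in urls}


def parse_log_line(line: str) -> dict:
    """Parse one constructed key=value proxy log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_excluded(ev: dict) -> bool:
    """Apply the page's false-positive exclusions to one matched event."""
    p = urlparse(ev["url"])
    host = (p.hostname or "").lower()
    target = (p.path + "?" + p.query).lower()        # "path or query parameter"
    if host in KNOWN_UPDATE_HOSTS:
        return True
    if ev.get("host") == "localhost":
        return True
    if any(tok in target for tok in PATH_TOKENS):
        return True
    return ev.get("src") in MAIL_SERVER_IPS and any(tok in target for tok in MAIL_TOKENS)


def hunt(log_lines, urls=IOC_URLS):
    """Return (hits, suppressed): events that reached an IOC host, split by whether
    an exclusion removed them. Suppressed events are kept so the analyst can
    review what the exclusions cost instead of silently dropping them."""
    hosts = ioc_hosts(urls)
    hits, suppressed = [], []
    for line in log_lines:
        ev = parse_log_line(line)
        url_host = (urlparse(ev.get("url", "")).hostname or "").lower()
        if ev.get("dst") in hosts or url_host in hosts:
            (suppressed if is_excluded(ev) else hits).append(ev)
    return hits, suppressed


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    # download of the second IOC with a different path case: should be a hit
    "ts=2026-06-15T08:02:11Z src=10.0.4.17 dst=124.198.132.139 url=https://124.198.132.139/BIN/support.client.exe action=allow",
    # ordinary update traffic to an unrelated host: never matches
    "ts=2026-06-15T08:03:40Z src=10.0.4.17 dst=20.0.0.1 url=https://updates.microsoft.com/download/x.cab action=allow",
    # reaches the indicator IP but the scenario-3 'nexus' path token suppresses it
    "ts=2026-06-15T08:05:02Z src=10.0.4.22 dst=124.198.132.139 url=https://124.198.132.139/nexus/agent.exe action=allow",
    # from the mail server but no attachment/temp/file token: still a hit
    "ts=2026-06-15T08:06:00Z src=10.0.0.25 dst=124.198.132.139 url=https://124.198.132.139/bin/support.client.exe action=block",
]

if __name__ == "__main__":
    found, dropped = hunt(SAMPLE_LOG)
    for ev in found:
        print("HIT      ", ev["src"], "->", ev["url"], ev["action"])
    for ev in dropped:
        print("EXCLUDED ", ev["src"], "->", ev["url"])
```

The third sample line shows why the path-token exclusions deserve review before they go into a Sentinel rule: a download from the indicator IP is suppressed only because its path contains a word from the CI/CD scenario, which is why `hunt` returns the suppressed events rather than discarding them. The email-server exclusion is scoped to that server's source address, as the fifth scenario specifies, so the fourth line is still reported.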