The hypothesis is that the adversary is using the IP 134-209-188-142 to host or distribute malicious URLs as part of a campaign to compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement or data exfiltration attempts early.
IOC Summary
Threat: 134-209-188-142 Total URLs: 3 Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://134.209.188.142/pty3 | online | malware_download | 2026-06-03 |
hxxp://134.209.188.142/pty10 | online | malware_download | 2026-06-03 |
hxxp://134.209.188.142/pty4 | online | malware_download | 2026-06-03 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 134-209-188-142
let malicious_domains = dynamic(["134.209.188.142"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["134.209.188.142"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update or patching job using a URLhaus-listed IP
Filter/Exclusion: Exclude traffic from known patch management tools like Microsoft Update, WSUS, or Ansible during scheduled maintenance windows.
Example Filter: process.name != "wuauclt.exe" OR process.name != "ansible" AND event.type != "patching"
Scenario: Internal development team using a test URL hosted on the IP for internal staging
Filter/Exclusion: Exclude traffic from internal development tools like Jenkins, Docker, or Kubernetes when accessing internal URLs.
Example Filter: process.name != "jenkins.exe" OR process.name != "docker" AND destination.address != "10.0.0.0/8"
Scenario: Scheduled backup job using a cloud storage service (e.g., AWS S3) that routes through the IP
Filter/Exclusion: Exclude traffic from backup tools like Veeam, Commvault, or AWS CLI during backup windows.
Example Filter: process.name != "veeam.exe" OR process.name != "aws" AND event.type != "backup"
Scenario: Admin task using a remote management tool (e.g., PowerShell Remoting) that routes through the IP
Filter/Exclusion: Exclude traffic from PowerShell, SSH, or WinRM commands executed by administrators.
Example Filter: process.name != "powershell.exe" OR process.name != "ssh.exe" AND user.account != "admin"
Scenario: Legitimate software distribution via a third-party CDN that uses the IP as a routing point
Filter/Exclusion: Exclude traffic from known CDNs like Cloudflare, Akamai, or AWS CloudFront.
Example Filter: