The detection identifies potential command and control communication from a known malicious IP range associated with URLhaus, indicating possible adversary infrastructure usage. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage compromise in their Azure Sentinel environment.
IOC Summary
Threat: 141-98-10-98
Total URLs: 2
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://141.98.10.98/nc64.exe | online | malware_download | 2026-06-08 |
| hxxp://141.98.10.98/PrintSpoofer64.exe | online | malware_download | 2026-06-08 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 141-98-10-98
// The indicator is a bare IP address, so it will rarely appear as the queried
// Name; also match it against the resolved answers in IPAddresses and surface
// the querying client (ClientIP), not only the DNS server (Computer).
let malicious_domains = dynamic(["141.98.10.98"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Firewall/proxy events carry the destination in DestinationIP; a direct
// connection to the IP with no URL field would be missed by RequestURL alone.
let malicious_domains = dynamic(["141.98.10.98"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled PowerShell script runs daily to clean temporary files and update system settings. The script uses a URL from a trusted internal repository.
Filter/Exclusion: Exclude URLs that match internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or use a custom field like url.contains("internal-repo").
Scenario: Admin task to download a software update from a known internal server
Description: An administrator manually downloads a software update from an internal server with the IP 141.98.10.98 using a tool like wget or curl.
Filter/Exclusion: Exclude URLs that originate from internal IP ranges or are associated with known internal update servers (e.g., url.contains("internal-update-server")).
Scenario: Automated backup process using a cloud storage tool
Description: A backup tool like Veeam or Commvault uploads data to a cloud storage endpoint that temporarily uses the IP address 141.98.10.98 during a sync process.
Filter/Exclusion: Exclude URLs that match cloud storage endpoints (e.g., url.contains("cloud-backup.com")) or use a custom field like tool.name == "Veeam".
Scenario: DNS query tool testing internal network connectivity
Description: A network diagnostic tool like nslookup or dig is used to test DNS resolution against an internal DNS server with IP 141.98.10.98.
Filter/Exclusion: Exclude DNS queries (e
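As an added example that is not part of the original hunt content, the query below folds the tuning from the scenarios above into the web-traffic hunt: it matches the indicator against the destination IP as well as the URL and hostname, drops destinations inside RFC 1918 space with ipv4_is_private(), and summarizes per source host so one noisy client does not flood the result set. The 30-day lookback and the summarized columns are assumptions, not part of the page.

```kql
// Added example: URLhaus host hunt with private-range exclusion and per-host rollup
// Assumption: a 30-day lookback is appropriate for an early-stage compromise hunt.
let malicious_ips = dynamic(["141.98.10.98"]);
let lookback = 30d;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DestinationIP has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or RequestURL has_any (malicious_ips)
// Tuning from the false-positive scenarios: ignore destinations in internal
// ranges (10/8, 172.16/12, 192.168/16). coalesce() keeps rows whose
// DestinationIP is empty or unparsable instead of silently dropping them.
| where coalesce(ipv4_is_private(DestinationIP), false) == false
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Hits = count(),
    URLs = make_set(RequestURL, 10),
    Actions = make_set(DeviceAction, 5)
    by SourceIP, DestinationIP, DeviceVendor
| order by LastSeen desc
```

A row with Actions containing only a block/deny value still deserves a look at the source host, since the client attempted the connection even though the perimeter stopped it.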