The detection identifies potential command and control communication from a known malicious IP associated with URLhaus, indicating possible compromise of endpoints. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage adversarial activity in their Azure Sentinel environment.
IOC Summary
Threat: 172-86-72-167 | Total URLs: 2 | Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://172.86.72.167/Bin/ScreenConnect.ClientSetup.exe | online | malware_download | 2026-06-01 |
| hxxps://172.86.72.167/bin/support.client.exe | online | malware_download | 2026-06-01 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 172-86-72-167
// The indicator is an IP address, so it will normally appear in the
// resolved answers (IPAddresses), not only in the queried name (Name).
let malicious_domains = dynamic(["172.86.72.167"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// DestinationIP is checked as well, since the indicator is an IP address
// and proxy/firewall logs may record it there rather than in the URL or hostname.
let malicious_domains = dynamic(["172.86.72.167"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
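As an added example that is not part of the original page, the Python below mirrors the matching logic of the two KQL hunts over constructed sample records and applies allowlist exclusions of the kind used in the false-positive filters that follow. The record field names, the comma-separated `IPAddresses` format and the allowlist values are assumptions, not the Sentinel schema.

```python
import ipaddress
from urllib.parse import urlparse

# Indicator taken from the IOC table above (host only; the hxxp defang is removed before parsing).
IOC_HOSTS = {"172.86.72.167"}

# Exclusions in the style of the page's false-positive filters (constructed allowlist values).
ALLOW_SUFFIXES = (".update.microsoft.com", ".download.windowsupdate.com")
ALLOW_NETWORKS = [ipaddress.ip_network("172.16.0.0/12")]

def host_of(value: str) -> str:
    """Return the host of a (possibly defanged) URL, or a bare host/IP unchanged."""
    value = value.strip().lower()
    if "://" in value:
        return urlparse(value.replace("hxxp", "http", 1)).hostname or ""
    return value

def is_allowlisted(host: str) -> bool:
    """True if the host is a known update server or lies inside an excluded internal range."""
    if host.endswith(ALLOW_SUFFIXES):
        return True
    try:
        return any(ipaddress.ip_address(host) in net for net in ALLOW_NETWORKS)
    except ValueError:  # not an IP literal, so no CIDR exclusion applies
        return False

def hunt(records: list[dict]) -> list[tuple[str, str]]:
    """Flag a record when any queried name, DNS answer, request URL or destination touches an
    IOC host that the allowlist does not excuse. Returns (Computer or SourceIP, matched host)."""
    hits = []
    for rec in records:
        candidates = [rec.get(k, "") for k in ("Name", "RequestURL", "DestinationHostName", "DestinationIP")]
        candidates += rec.get("IPAddresses", "").split(",")  # resolved answers (constructed format)
        for host in {host_of(c) for c in candidates if c}:
            if host in IOC_HOSTS and not is_allowlisted(host):
                hits.append((rec.get("Computer") or rec.get("SourceIP", "?"), host))
                break
    return hits

# Constructed sample records resembling DnsEvents and CommonSecurityLog rows.
SAMPLE_RECORDS = [
    {"Computer": "WS01", "Name": "support.example.test", "IPAddresses": "172.86.72.167"},
    {"SourceIP": "10.1.2.3", "RequestURL": "hxxps://172.86.72.167/bin/support.client.exe",
     "DestinationHostName": "172.86.72.167", "DeviceAction": "allow"},
    {"SourceIP": "10.1.2.4", "RequestURL": "https://www.download.windowsupdate.com/x.cab",
     "DestinationHostName": "www.download.windowsupdate.com", "DeviceAction": "allow"},
    {"SourceIP": "10.1.2.5", "DestinationIP": "172.16.5.9", "DeviceAction": "allow"},
]

if __name__ == "__main__":
    for who, host in hunt(SAMPLE_RECORDS):
        print(f"IOC match: {who} -> {host}")
```

Note that 172.86.72.167 lies outside 172.16.0.0/12, so a private-range exclusion cannot accidentally suppress this indicator; it only removes internal destinations that never matched it.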
Scenario: A system administrator is using PowerShell to download a legitimate software update from a trusted source, which happens to resolve to the IP 172-86-72-167.
Filter/Exclusion: Exclude URLs that match known software update servers (e.g., *.update.microsoft.com, *.download.windowsupdate.com).
Scenario: A scheduled job in SQL Server Agent is configured to fetch data from an internal database using a script that connects to a database server with the IP 172-86-72-167.
Filter/Exclusion: Exclude traffic originating from or destined to internal database servers (e.g., 172.16.0.0/12).
Scenario: A Windows Task Scheduler job is running a PowerShell script that connects to a remote server using the IP 172-86-72-167 to perform a backup to a cloud storage service.
Filter/Exclusion: Exclude outbound connections to cloud storage endpoints (e.g., *.amazonaws.com, *.azure.com).
Scenario: A network monitoring tool like Wireshark is being used by the security team to analyze traffic, and the tool’s internal IP address is 172-86-72-167.
Filter/Exclusion: Exclude traffic from known internal security tools (e.g., 172.16.0.0/12 or specific hostnames like wireshark.local).
Scenario: A CI/CD pipeline (e.g., Jenkins) is configured to push code to a remote repository using a private IP 172-86-72-167 as part of a