This hunt identifies potential command-and-control or payload-retrieval traffic to a malicious IP address whose URLs are listed in URLhaus. Both listed URLs serve executables named like ConnectWise ScreenConnect client installers (ScreenConnect.ClientSetup.exe, support.client.exe), so a hit is more likely a remote-access-tool drop on a compromised or attacker-controlled host than classic beaconing, and the SourceIP of any hit should be triaged for an unexpected ScreenConnect install. SOC teams should hunt for this activity proactively in their Microsoft Sentinel (formerly Azure Sentinel) environment to catch early-stage adversary activity.
IOC Summary
Threat: 172-86-73-37 (URLhaus defanged label for the IP address 172.86.73.37)
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://172.86.73.37/Bin/ScreenConnect.ClientSetup.exe | online | malware_download | 2026-06-01 |
| hxxps://172.86.73.37/bin/support.client.exe | online | malware_download | 2026-06-01 |
Hunting Queries

```kql
// Hunt for DNS activity tied to the URLhaus IOC
// Threat: 172-86-73-37
// The IOC is a bare IP literal: a client that fetches the URL as written
// never issues a DNS query for it, so matching Name alone finds nothing.
// Matching the resolved answers (IPAddresses) catches any domain that
// fronts the same address.
let malicious_hosts = dynamic(["172.86.73.37"]);
DnsEvents
| where TimeGenerated > ago(30d)   // adjust lookback to the retention you have
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to the URLhaus IOC
// DestinationIP is checked as well: proxies and firewalls often log a TLS
// session with no RequestURL, and only the destination address is present.
let malicious_hosts = dynamic(["172.86.73.37"]);
CommonSecurityLog
| where TimeGenerated > ago(30d)
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Required Tables

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF/Syslog connector for your proxy or firewall is enabled; without RequestURL logging only the DestinationIP match will fire |
| DnsEvents | Ensure the DNS data connector is enabled; for this IP-literal IOC only the IPAddresses (resolved answer) match is useful |
False Positives

172.86.73.37 is a public address, not an RFC 1918 range, so none of the internal tools below should ever be reached through it. Exclusions must key on the sanctioned hostname; never add the IOC address itself to an allowlist, and treat a sanctioned hostname that connects to or resolves to 172.86.73.37 as a true positive rather than as an exclusion.

Scenario: Legitimate scheduled backup job using an internal URL shortener
Filter/Exclusion: Exclude requests whose URL host or DestinationHostName is internal-shortener.example.com (used by internal tools like Veeam Backup & Replication or Commvault), matched on the hostname only.
Scenario: Admin task updating internal software from a trusted internal update endpoint
Filter/Exclusion: Exclude requests whose URL host is updates.internal.example.com (used by Chocolatey or WSUS), matched on the hostname only.
Scenario: User accessing a phishing simulation URL for security training
Filter/Exclusion: Exclude requests whose URL host is phishing-sim.example.com (used by KnowBe4 or PhishSim training platforms), matched on the hostname only.
Scenario: Log collection tool sending data to a centralized logging endpoint
Filter/Exclusion: Exclude requests whose URL host is log-collector.example.com (used by Splunk or ELK Stack internal collectors), matched on the hostname only.
Scenario: Internal DNS server resolving internal names
Filter/Exclusion: Exclude DnsEvents rows whose Name is an internal zone and whose IPAddresses fall inside your own address ranges; a resolution of any name, internal or not, to 172.86.73.37 stays in scope.
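The following is an added example, not code from the original hunt page or from URLhaus or Microsoft Sentinel: it re-implements both KQL hunts above over constructed DnsEvents- and CommonSecurityLog-style records and applies the hostname-only allowlist the false-positive scenarios call for. Every record, hostname and client address below is made up; the allowlist names are the example.com placeholders from the scenarios. It goes slightly beyond the page by matching the resolved DNS answer and the DestinationIP column, and by rejecting allowlist entries that are IP literals or IOCs.

```python
"""Added example (not the page's own code): URLhaus IOC hunt over constructed
DNS and proxy records, with a hostname-only allowlist. All data is made up."""
import ipaddress
from urllib.parse import urlsplit

# IOC host from the URLhaus entry on this page (threat label 172-86-73-37).
MALICIOUS_HOSTS = {"172.86.73.37"}

# Sanctioned internal endpoints from the false-positive scenarios (assumed
# names). Keyed by hostname only: the IOC address is public and is never a
# valid allowlist entry.
ALLOWLIST_HOSTS = {
    "internal-shortener.example.com", "updates.internal.example.com",
    "phishing-sim.example.com", "log-collector.example.com",
}

# Constructed CommonSecurityLog-style records (proxy / firewall).
CSL_EVENTS = [
    {"TimeGenerated": "2026-06-02T08:14:03Z", "SourceIP": "10.1.4.22",
     "RequestURL": "https://172.86.73.37/Bin/ScreenConnect.ClientSetup.exe",
     "DestinationHostName": "", "DestinationIP": "172.86.73.37", "DeviceAction": "allow"},
    # TLS session with no URL logged: only DestinationIP identifies the IOC.
    {"TimeGenerated": "2026-06-02T08:14:09Z", "SourceIP": "10.1.4.22",
     "RequestURL": "", "DestinationHostName": "", "DestinationIP": "172.86.73.37",
     "DeviceAction": "deny"},
    {"TimeGenerated": "2026-06-02T09:00:00Z", "SourceIP": "10.1.4.30",
     "RequestURL": "https://updates.internal.example.com/chocolatey/git.nupkg",
     "DestinationHostName": "updates.internal.example.com", "DestinationIP": "10.0.9.5",
     "DeviceAction": "allow"},
    # Allowlisted name that nevertheless connects to the IOC address: must still fire.
    {"TimeGenerated": "2026-06-02T09:05:00Z", "SourceIP": "10.1.4.31",
     "RequestURL": "https://log-collector.example.com/ingest",
     "DestinationHostName": "log-collector.example.com", "DestinationIP": "172.86.73.37",
     "DeviceAction": "allow"},
]

# Constructed DnsEvents-style records; IPAddresses is the resolved answer list.
DNS_EVENTS = [
    {"TimeGenerated": "2026-06-02T08:13:58Z", "Computer": "WS-0412",
     "Name": "support.remote-help.example", "IPAddresses": "172.86.73.37"},
    {"TimeGenerated": "2026-06-02T09:00:00Z", "Computer": "WS-0413",
     "Name": "updates.internal.example.com", "IPAddresses": "10.0.9.5"},
]


def url_host(url):
    """Hostname or IP literal of a URL; tolerates a missing scheme and hxxp defanging."""
    if not url:
        return ""
    url = url.replace("hxxp", "http", 1)
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def web_destinations(event):
    """Every destination identifier present in one CommonSecurityLog-style record."""
    return {url_host(event.get("RequestURL", "")),
            event.get("DestinationHostName", "").lower(),
            event.get("DestinationIP", "")} - {""}


def hunt_web(events):
    """Records whose URL host, destination hostname or destination IP is an IOC.
    The allowlist is deliberately not consulted: a sanctioned hostname that
    reaches the IOC address is exactly what the hunt must surface."""
    return [e for e in events if web_destinations(e) & MALICIOUS_HOSTS]


def is_sanctioned(event):
    """True only for traffic to an allowlisted hostname that touches no IOC."""
    dests = web_destinations(event)
    return bool(dests & ALLOWLIST_HOSTS) and not (dests & MALICIOUS_HOSTS)


def hunt_dns(events):
    """Queried name or any resolved address is an IOC. Matching the answer is
    what catches a domain fronting the IOC IP, which a Name-only filter misses."""
    hits = []
    for e in events:
        answers = {a.strip() for a in e.get("IPAddresses", "").split(",")} - {""}
        if e.get("Name", "").lower() in MALICIOUS_HOSTS or answers & MALICIOUS_HOSTS:
            hits.append(e)
    return hits


def invalid_allowlist_entries(entries):
    """Entries to reject: IP literals (exclude by hostname, not address) and IOCs."""
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
            bad.append(entry)          # an address, not a hostname
            continue
        except ValueError:
            pass
        if entry.lower() in MALICIOUS_HOSTS:
            bad.append(entry)
    return bad


if __name__ == "__main__":
    for hit in hunt_web(CSL_EVENTS):
        print("WEB", hit["TimeGenerated"], hit["SourceIP"], hit["DestinationIP"], hit["RequestURL"] or "(no URL)")
    for hit in hunt_dns(DNS_EVENTS):
        print("DNS", hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["IPAddresses"])
    print("rejected allowlist entries:", invalid_allowlist_entries(["updates.internal.example.com", "172.86.73.37"]))
```

Running it reports three web hits (the installer download, the URL-less TLS session caught only by DestinationIP, and the allowlisted log-collector name that connected to the IOC address), one DNS hit found through the resolved answer rather than the queried name, and rejects 172.86.73.37 as an allowlist entry while accepting the hostnames.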