The hypothesis is that the detected URLs are associated with the IP 172-86-89-57, which is linked to known malicious activity, indicating potential command and control or data exfiltration channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary access and prevent further compromise.
IOC Summary
Threat: 172-86-89-57 Total URLs: 2 Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://172.86.89.57/bin/support.client.exe | online | malware_download | 2026-06-01 |
| hxxps://172.86.89.57/Bin/ScreenConnect.ClientSetup.exe | online | malware_download | 2026-06-01 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 172-86-89-57
// The IOC is an IP literal, so it will not normally appear as a queried Name;
// also match the resolved answers in IPAddresses to catch domains that resolve to it.
let malicious_domains = dynamic(["172.86.89.57"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: 172-86-89-57
// DestinationIP is matched as well, because proxies and firewalls often log an
// IP-literal destination there rather than in RequestURL or DestinationHostName.
let malicious_domains = dynamic(["172.86.89.57"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator uses curl or wget to manually download a legitimate update from a server with the IP 172-86-89-57 as part of a routine patching process.
Filter/Exclusion: Exclude traffic originating from known admin workstations or users with elevated privileges using a source IP or user-based filter.
Scenario: A scheduled job runs ansible or puppet to fetch configuration files from a private internal server at 172-86-89-57 during off-peak hours.
Filter/Exclusion: Exclude traffic associated with known configuration management tools using process name or command-line arguments in the event log or process tree.
Scenario: A security analyst uses mitmproxy or Burp Suite to test a legitimate API endpoint hosted on 172-86-89-57 during a penetration test or security assessment.
Filter/Exclusion: Exclude traffic from known security testing tools or users with a specific role (e.g., security_analyst) using user-based or tool-specific filters.
Scenario: A backup job using rsync or Veeam transfers data to a backup server located at 172-86-89-57 within the same internal network.
Filter/Exclusion: Exclude traffic related to backup processes using process name, destination IP, or time-of-day filters (e.g., during scheduled backup windows).
Scenario: A developer uses Postman or curl to test a local development server that is temporarily configured to use the IP 172-86-89-57 for internal testing.
Filter/Exclusion: Exclude traffic from development environments or specific IP ranges used for internal testing using source IP or environment-specific
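The following is an added example, not code from the original page or from URLhaus: an offline re-implementation of the two Sentinel hunts above together with two of the false-positive exclusions from the tuning list (the admin-workstation allowlist from the first scenario and the time-of-day backup window from the fourth), run over constructed DnsEvents and CommonSecurityLog style records. Column names mirror the ones used in the KQL on the page; the sample records, the allowlist, the backup hosts and the backup window are assumptions made for the example.

```python
"""Offline replica of the URLhaus IOC hunts and their tuning (added example)."""
import re
from urllib.parse import urlsplit

# IOCs exactly as published (defanged) on the page.
DEFANGED_IOCS = [
    "hxxps://172.86.89.57/bin/support.client.exe",
    "hxxps://172.86.89.57/Bin/ScreenConnect.ClientSetup.exe",
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) so the URL parses."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def ioc_hosts(defanged_urls):
    """Distinct hosts (IP literals or domains) taken from the defanged URL list."""
    return sorted({urlsplit(refang(u)).hostname for u in defanged_urls})


# Constructed sample telemetry (not real logs). Fields follow the Sentinel columns.
DNS_EVENTS = [
    {"TimeGenerated": "2026-06-01T08:01:00Z", "Computer": "ws-17",
     "Name": "updates.example.com", "IPAddresses": "203.0.113.9"},
    {"TimeGenerated": "2026-06-01T08:02:00Z", "Computer": "ws-22",
     "Name": "cdn-edge.example.net", "IPAddresses": "172.86.89.57"},
]
PROXY_LOGS = [
    {"TimeGenerated": "2026-06-01T08:03:00Z", "SourceIP": "10.0.5.12",
     "RequestURL": "https://172.86.89.57/bin/support.client.exe",
     "DestinationHostName": "", "DestinationIP": "172.86.89.57", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-01T02:10:00Z", "SourceIP": "10.0.9.1",
     "RequestURL": "https://172.86.89.57/backup",
     "DestinationHostName": "", "DestinationIP": "172.86.89.57", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-01T08:05:00Z", "SourceIP": "10.0.5.13",
     "RequestURL": "https://www.example.org/",
     "DestinationHostName": "www.example.org", "DestinationIP": "198.51.100.4",
     "DeviceAction": "allow"},
]

# Assumed tuning data: an admin-workstation allowlist and a backup host with a
# 01:00-03:59 UTC backup window (scenarios 1 and 4 in the tuning list).
ADMIN_WORKSTATIONS = {"10.0.9.5"}
BACKUP_HOSTS = {"10.0.9.1"}
BACKUP_WINDOW_HOURS = range(1, 4)


def has_any(value, needles):
    """Mirror of KQL has_any on a string column: any needle occurs in the value."""
    return any(n in (value or "") for n in needles)


def hunt_dns(events, iocs):
    """DnsEvents hunt: queried name or resolved answers contain an IOC host."""
    return [e for e in events
            if has_any(e["Name"], iocs) or has_any(e["IPAddresses"], iocs)]


def hunt_proxy(logs, iocs):
    """CommonSecurityLog hunt: URL, destination host or destination IP contains an IOC host."""
    return [r for r in logs
            if has_any(r["RequestURL"], iocs)
            or has_any(r["DestinationHostName"], iocs)
            or has_any(r["DestinationIP"], iocs)]


def apply_exclusions(hits):
    """Drop hits from admin workstations, and backup-host traffic inside the backup window."""
    kept = []
    for h in hits:
        hour = int(h["TimeGenerated"][11:13])  # records are UTC, "...THH:MM:SSZ"
        if h["SourceIP"] in ADMIN_WORKSTATIONS:
            continue
        if h["SourceIP"] in BACKUP_HOSTS and hour in BACKUP_WINDOW_HOURS:
            continue
        kept.append(h)
    return kept


if __name__ == "__main__":
    iocs = ioc_hosts(DEFANGED_IOCS)
    print("IOC hosts:", iocs)
    print("DNS hits:", hunt_dns(DNS_EVENTS, iocs))
    raw = hunt_proxy(PROXY_LOGS, iocs)
    print("Proxy hits before tuning:", len(raw), "after tuning:", len(apply_exclusions(raw)))
```

The DNS hunt matches on the resolved answers, not only the queried name, because an IP-literal IOC never appears in a DNS question. The exclusions reproduce the page's tuning suggestions as written; since the IOC is a confirmed malware-download host, a suppressed hit should still be recorded for later review rather than silently discarded.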