The hypothesis is that the detected URLs are served from the IP 172.86.89.92 (URLhaus threat label 172-86-89-92), which is linked to known malicious activity, indicating a potential command-and-control or data exfiltration channel. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage adversary access and prevent further compromise.
IOC Summary
| Threat | Total URLs | Active URLs |
|---|---|---|
| 172-86-89-92 | 2 | 2 |

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://172.86.89.92/Bin/ScreenConnect.ClientSetup.exe | online | malware_download | 2026-06-01 |
| hxxp://172.86.89.92/bin/support.client.exe | online | malware_download | 2026-06-01 |
```kql
// Hunt for DNS activity involving the URLhaus indicator
// Threat: 172-86-89-92
// The indicator is an IP address, so it appears in the resolved
// IPAddresses column rather than only in the queried Name.
let malicious_hosts = dynamic(["172.86.89.92"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to the URLhaus indicator in firewall/proxy logs
// Threat: 172-86-89-92
// Match the IP in the requested URL, the destination host name, and the
// destination IP, since proxies do not always populate all three.
let malicious_hosts = dynamic(["172.86.89.92"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP has_any (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled system update via Windows Server Update Services (WSUS)
Description: A system update job runs nightly and downloads a legitimate update from a server with the IP 172.86.89.92.
Filter/Exclusion: Exclude traffic originating from internal WSUS servers, or filter on destination_ip = 172.86.89.92 together with process_name = "wuauclt.exe" or task_name = "Windows Update".

Scenario: Internal DNS server querying an external IP for zone transfers
Description: The internal DNS server (e.g., Microsoft DNS Server) queries the IP 172.86.89.92 for zone transfers or DNSSEC validation.
Filter/Exclusion: Exclude DNS queries where dns_query_type = AXFR or dns_query_type = DNSSEC, or filter by the source_ip of internal DNS servers.

Scenario: Admin task using PowerShell to download a script from a known internal server
Description: An admin runs a PowerShell script to fetch a configuration file from an internal server with the IP 172.86.89.92.
Filter/Exclusion: Exclude PowerShell processes with process_name = "powershell.exe" and command_line containing Invoke-WebRequest or DownloadString, or filter by the source_ip of admin workstations. Scope this exclusion to the known admin workstations and the specific internal server; an unscoped exclusion on Invoke-WebRequest or DownloadString would also suppress malicious downloads.

Scenario: Automated backup job using rsync to a remote server
Description: A backup job (e.g., using rsync) connects to a remote backup server with the IP 172.86.89.92 to transfer data.
Filter/Exclusion: Exclude traffic from backup services, or filter by process_name = "rsync" or `command_line
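As an added example (not part of the original hunt and not a Sentinel-provided query), the two hunts above can be combined into one triage view that unions DNS and web hits, suppresses the internal sources named in the false-positive scenarios, and summarizes per source host. The allowlisted source IPs and the 30-day lookback are placeholder assumptions to replace with your own values.

```kql
// Added example: unified triage view for the URLhaus indicator 172.86.89.92
let malicious_hosts = dynamic(["172.86.89.92"]);
// Placeholder allowlist: internal WSUS, DNS, backup and admin hosts that the
// scenarios above say may legitimately reach this address. Replace with
// your own values; do not allowlist by indicator alone.
let known_good_sources = dynamic(["10.0.0.10", "10.0.0.11"]);
let lookback = 30d;
// DNS side: the indicator can show up as the queried name or the answer
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
    | extend Source = tostring(ClientIP),
             Indicator = strcat(Name, " -> ", IPAddresses),
             Channel = "dns",
             Action = ""
    | project TimeGenerated, Source, Indicator, Channel, Action;
// Web side: match URL, host name and destination IP, then keep whichever is populated
let web_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestURL has_any (malicious_hosts)
        or DestinationHostName has_any (malicious_hosts)
        or DestinationIP has_any (malicious_hosts)
    | extend Source = tostring(SourceIP),
             Indicator = coalesce(RequestURL, DestinationHostName, DestinationIP),
             Channel = "web",
             Action = tostring(DeviceAction)
    | project TimeGenerated, Source, Indicator, Channel, Action;
union dns_hits, web_hits
// Suppress the documented false-positive sources, keep everything else
| where Source !in (known_good_sources)
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hits = count(),
            Channels = make_set(Channel),
            Indicators = make_set(Indicator, 20),
            Actions = make_set(Action)
    by Source
// A source seen on both channels (DNS resolution followed by web contact) is the
// strongest signal of an actual download attempt, so sort those to the top
| extend BothChannels = array_length(Channels) == 2
| order by BothChannels desc, Hits desc, LastSeen desc
```

Sources that resolved the indicator but never connected (DNS only) usually warrant a lighter check than those with web hits and a DeviceAction of allow.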