This detection identifies potential command-and-control or payload-retrieval traffic to a malicious IP address that hosts URLs listed in URLhaus. Both listed files are named like ConnectWise ScreenConnect client installers, a legitimate remote-access product that is routinely abused for initial access, so the indicator here is the hosting address, not the filename. SOC teams should proactively hunt for this activity to identify and contain early-stage adversary access delivered through compromised or malicious URLs in their environment.
IOC Summary
Threat: 172-86-91-40
Total URLs: 2
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://172.86.91.40/Bin/ScreenConnect.ClientSetup.exe | online | malware_download | 2026-06-01 |
| hxxp://172.86.91.40/bin/support.client.exe | online | malware_download | 2026-06-01 |
```kql
// Hunt for DNS activity involving the URLhaus-listed host
// Threat: 172-86-91-40
// The indicator is an IP address, so it normally appears in the answers (IPAddresses),
// not in the queried Name; check both fields.
let malicious_hosts = dynamic(["172.86.91.40"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web/proxy traffic to the URLhaus-listed host
// DestinationIP is included because RequestURL and DestinationHostName are only
// populated by devices that log URLs (proxies, URL-filtering firewalls).
let malicious_hosts = dynamic(["172.86.91.40"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF-based connectors (proxy, firewall); without a device that logs URLs, RequestURL is empty and only DestinationIP matches are possible |
| DnsEvents | Requires the DNS connector; confirm that client IPs, not only the resolver, are being recorded |
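As an added worked example (not part of this page, of URLhaus or of Microsoft Sentinel), the following Python replays the logic of the two hunts above over constructed DnsEvents and CommonSecurityLog rows. It refangs the hxxp:// entries from the IOC table, matches the indicator against resolved addresses as well as queried names, grades a proxy hit as exact URL versus host only (a listed filename on some other host is not this indicator), and tags DNS hits that come from an internal resolver for a pivot rather than dropping them. The resolver address 10.0.0.53 and every sample row are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit

# The two URLhaus entries for this threat, copied from the IOC table above (still defanged).
URLHAUS_URLS = [
    "hxxp://172.86.91.40/Bin/ScreenConnect.ClientSetup.exe",
    "hxxp://172.86.91.40/bin/support.client.exe",
]

# Assumed for the example: the organisation's internal recursive DNS servers.
INTERNAL_DNS_SERVERS = {"10.0.0.53"}


def refang(url):
    """Turn URLhaus-style hxxp:// back into http:// so urlsplit sees a normal URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def build_iocs(urls):
    """Split the listed URLs into the hosting host(s) and their lower-cased paths."""
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(refang(url))
        hosts.add(parts.hostname.lower())
        paths.add(parts.path.lower())  # list has both Bin/ and bin/; compare case-insensitively
    return hosts, paths


def hunt_dns(events, hosts):
    """Mirror of the DnsEvents query. An IP indicator shows up in the answers
    (IPAddresses), not in the queried Name, so both fields are checked."""
    findings = []
    for e in events:
        answers = {a.strip().lower() for a in e["IPAddresses"].split(",") if a.strip()}
        matched = (answers | {e["Name"].lower()}) & hosts
        if matched:
            findings.append({
                "source": "DnsEvents",
                "Computer": e["Computer"],
                "ClientIP": e["ClientIP"],
                "Name": e["Name"],
                "matched": sorted(matched),
                # A hit attributed to an internal resolver is still real; it just needs a
                # pivot into the resolver's own logs to find the client that asked.
                "needs_client_pivot": e["ClientIP"] in INTERNAL_DNS_SERVERS,
            })
    return findings


def hunt_web(events, hosts, paths):
    """Mirror of the CommonSecurityLog query, also checking DestinationIP, grading each hit."""
    findings = []
    for e in events:
        parts = urlsplit(e["RequestURL"])
        url_host = (parts.hostname or "").lower()
        if not (e["DestinationIP"] in hosts or e["DestinationHostName"].lower() in hosts
                or url_host in hosts):
            continue  # a listed filename on some other host is not this indicator
        findings.append({
            "source": "CommonSecurityLog",
            "SourceIP": e["SourceIP"],
            "RequestURL": e["RequestURL"],
            "DeviceAction": e["DeviceAction"],
            "match": "exact_url" if parts.path.lower() in paths else "host_only",
        })
    return findings


# Constructed sample rows in the shape of the two Sentinel tables (not real telemetry).
SAMPLE_DNS = [
    {"Computer": "WS-01", "ClientIP": "10.1.2.3", "Name": "support.example.net", "IPAddresses": "172.86.91.40"},
    {"Computer": "DNS-01", "ClientIP": "10.0.0.53", "Name": "cdn.example.net", "IPAddresses": "203.0.113.10,203.0.113.11"},
    {"Computer": "DNS-01", "ClientIP": "10.0.0.53", "Name": "remote.example.net", "IPAddresses": "172.86.91.40"},
    {"Computer": "WS-02", "ClientIP": "10.1.2.9", "Name": "www.example.org", "IPAddresses": "198.51.100.7"},
]
SAMPLE_CSL = [
    {"SourceIP": "10.1.2.3", "DestinationIP": "172.86.91.40", "DestinationHostName": "172.86.91.40",
     "RequestURL": "http://172.86.91.40/bin/support.client.exe", "DeviceAction": "allow"},
    {"SourceIP": "10.1.2.9", "DestinationIP": "172.86.91.40", "DestinationHostName": "172.86.91.40",
     "RequestURL": "http://172.86.91.40/", "DeviceAction": "deny"},
    {"SourceIP": "10.1.2.9", "DestinationIP": "203.0.113.5", "DestinationHostName": "www.example.com",
     "RequestURL": "https://www.example.com/Bin/ScreenConnect.ClientSetup.exe", "DeviceAction": "allow"},
    {"SourceIP": "10.1.4.4", "DestinationIP": "172.86.91.40", "DestinationHostName": "172.86.91.40",
     "RequestURL": "http://172.86.91.40/BIN/ScreenConnect.ClientSetup.exe", "DeviceAction": "allow"},
]


def run_hunt(dns_events=SAMPLE_DNS, csl_events=SAMPLE_CSL):
    """Run both hunts over the given rows and return the findings per table."""
    hosts, paths = build_iocs(URLHAUS_URLS)
    return {"dns": hunt_dns(dns_events, hosts), "web": hunt_web(csl_events, hosts, paths)}


if __name__ == "__main__":
    for table, rows in run_hunt().items():
        for finding in rows:
            print(table, finding)
```

The third proxy row is the trap worth noticing: the ScreenConnect installer filename on a host that is not 172.86.91.40 produces no finding, because URLhaus lists the URL, not the file, and the same installer name is served by every legitimate ScreenConnect deployment. The second proxy row is a denied connection with no path; it is still reported, as host-only, because a blocked attempt to reach the address is exactly the early-stage activity this hunt is meant to surface.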
**Scenario:** Legitimate scheduled system update job
**Description:** A scheduled task downloads a file from 172.86.91.40 because that address is, in your environment, a confirmed vendor or internal update server. Since the address is URLhaus-listed with live malware URLs, treat this explanation as unlikely and verify who owns the address before accepting it.
**Filter/Exclusion:** Exclusions on hostnames such as update.microsoft.com or download.microsoft.com do nothing here, because the queries match only the listed IP. If the download is verified, exclude on the combination of the scheduled task's source host (SourceIP) and the exact verified RequestURL rather than on the IP, so any other path on the same host still alerts.
**Scenario:** Internal DNS server query
**Description:** An internal recursive DNS server (Microsoft DNS, BIND, PowerDNS) resolves a name on behalf of a client, so DnsEvents attributes the lookup to the resolver rather than to the client that asked. A response containing 172.86.91.40 is still a true hit; what is missing is the originating host.
**Filter/Exclusion:** Do not drop these rows. Tag rows whose ClientIP is an internal resolver (e.g. `| extend FromResolver = ClientIP in (dynamic(["10.0.0.53"]))`, substituting your own resolver addresses) and pivot into the resolver's own query logs to find the requesting client. Filtering on record type or on names outside internal zones does not help, because the indicator is the resolved address, not the name.
**Scenario:** Admin task using PowerShell or WMI
**Description:** A system administrator runs a PowerShell or WMI script that connects to 172.86.91.40 to perform administrative tasks such as patching or configuration management.
**Filter/Exclusion:** Do not exclude by process name or by membership in an admin group: powershell.exe and wmic.exe are exactly the tools an adversary uses to fetch and launch a remote-access client, and admin accounts are the ones worth stealing. Confirm with the named administrator that the destination is theirs; if it is, exclude on the combination of SourceUserName, SourceIP and the exact RequestURL in CommonSecurityLog.
**Scenario:** Legitimate cloud service integration
**Description:** A CI/CD or automation service (Azure DevOps, AWS CLI, GitHub Actions) communicates with a load balancer or API gateway at 172.86.91.40 as part of pipelines or infrastructure automation. Note that 172.86.91.40 is a public address, not RFC 1918 space, so this scenario applies only if your organization actually owns or has contracted that address.
**Filter/Ex