The hypothesis is that an adversary is using the IP 176-65-148-144 to host or distribute malicious URLs as part of a campaign to compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement or data exfiltration activities early.
IOC Summary
Threat: 176-65-148-144 Total URLs: 2 Active URLs: 1
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://176.65.148.144/bins/nova.i686 | online | malware_download | 2026-06-06 |
hxxp://176.65.148.144/nova.sh | offline | malware_download | 2026-06-06 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 176-65-148-144
let malicious_domains = dynamic(["176.65.148.144"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["176.65.148.144"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to download a legitimate software update from a known internal repository that uses the IP 176-65-148-144 as part of its CDN setup.
Filter/Exclusion: Exclude traffic originating from or destined to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or traffic associated with known internal update servers.
Scenario: A scheduled backup job using rsync or Veeam is transferring data over a network that routes through the IP 176-65-148-144, which is part of a third-party cloud storage provider’s infrastructure.
Filter/Exclusion: Exclude traffic to/from cloud storage IPs (e.g., AWS, Azure, Google Cloud) or traffic associated with backup processes using specific command-line arguments or job names.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is pulling dependencies from a public artifact repository (e.g., Maven, npm) that uses the IP 176-65-148-144 as part of its load balancing setup.
Filter/Exclusion: Exclude traffic to known package managers or CI/CD tool IPs, or filter based on HTTP User-Agent strings associated with CI/CD systems.
Scenario: A remote desktop session (e.g., using RDP or VNC) is establishing a connection through a proxy server that routes traffic via the IP 176-65-148-144.
Filter/Exclusion: Exclude traffic from known remote access tools or connections that