The hypothesis is that the adversary is using the IP 178-236-246-159 to host or distribute malicious URLs as part of a campaign to compromise endpoints and exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activities early.
IOC Summary
Threat: 178-236-246-159
Total URLs: 14
Active URLs: 13

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://178.236.246.159/bins/scsi_tmf_0 | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/kworker_u8 | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/kblockd0 | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/xfsaild_sda | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/devfreq_wq | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/kswapd0 | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/jbd2_sda1d | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/bioset0 | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/edac_polld | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/cfg80211d | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/zswap_shrinkd | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/ksoftirqd0 | online | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/rcuop_0 | offline | malware_download | 2026-06-20 |
| hxxp://178.236.246.159/bins/ecryptfsd | online | malware_download | 2026-06-20 |
```kusto
// Hunt for DNS activity involving the URLhaus IOC host
// Threat: 178-236-246-159
// The IOC is a bare IP, so besides the queried name (Name) also check the
// resolved addresses (IPAddresses), which is where an IP indicator will show up.
let malicious_domains = dynamic(["178.236.246.159"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy traffic to the URLhaus IOC host
// Threat: 178-236-246-159
// Match the request URL, the destination host name and the destination IP,
// since proxy/firewall records may populate only some of these fields.
let malicious_domains = dynamic(["178.236.246.159"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using the IP 178.236.246.159 for internal monitoring
Description: A security tool like OSSEC or Splunk may use this IP for internal heartbeat or data collection.
Filter/Exclusion: Exclude traffic originating from internal IP ranges or filter by source IP 178.236.246.159 if known to be trusted.
Scenario: Admin task using a known malicious URL for testing purposes
Description: An admin might use a test URL from a known malicious list (like URLhaus) to simulate a phishing attack during a security drill.
Filter/Exclusion: Exclude URLs that match a regex pattern for test environments or include a test=1 query parameter.
Scenario: False positive from a third-party service integration
Description: A service like Microsoft Defender for Endpoint or CrowdStrike might use a URL from URLhaus as part of its threat intelligence integration.
Filter/Exclusion: Exclude URLs that are part of known threat intelligence feeds or filter by the source of the URL (e.g., source=threatintel).
Scenario: Legitimate system update or patching process using a malicious URL
Description: A system update tool like WSUS or Chef might temporarily use a URL from a malicious list during a patching process.
Filter/Exclusion: Exclude URLs that are part of known patching or update services, or filter by the presence of an update=true parameter.
Scenario: False positive from a developer using a malicious URL for code testing
Description: A developer might use a URL from URLhaus to test how the system handles malicious payloads in a controlled environment.
Filter/Exclusion:
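The two KQL hunts above and the exclusion scenarios can be exercised offline before they are committed to a Sentinel workbook. The script below is an added example and is not part of the original hunt page or of URLhaus: it refangs a subset of the IOC rows listed above, builds a host and URL watchlist from them, matches constructed DNS and proxy records against it, and applies two of the exclusions the scenarios describe (a trusted-source allowlist, standing in for the "known to be trusted" source of the first scenario, and the `test=1` query parameter of the second). The allowlisted address `10.20.30.40`, the record layout and every log record are constructed assumptions.

```python
"""Added example, not part of the original hunt page: refang the URLhaus IOC
rows, build a watchlist, match constructed DNS and proxy records against it,
and apply two of the page's exclusions (a trusted-source allowlist and the
test=1 query parameter). Every record below is a constructed sample."""
import re
from urllib.parse import parse_qs, urlsplit

# Subset of the page's IOC rows, kept defanged exactly as URLhaus lists them.
IOC_ROWS = [
    ("hxxp://178.236.246.159/bins/scsi_tmf_0", "online"),
    ("hxxp://178.236.246.159/bins/kworker_u8", "online"),
    ("hxxp://178.236.246.159/bins/rcuop_0", "offline"),
]

# Hypothetical allowlist: a sandbox host the SOC itself uses for detonation.
TRUSTED_SOURCES = {"10.20.30.40"}


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, [.]) back into the form logs contain."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def build_watchlist(rows):
    """Return (hosts, urls): hosts/IPs to match in DNS and proxy data, and
    full URLs to match in proxy data. Offline IOCs are kept on purpose: a
    URL that is offline now can still appear in historical telemetry."""
    hosts, urls = set(), set()
    for defanged, _status in rows:
        url = refang(defanged)
        urls.add(url)
        hosts.add(urlsplit(url).hostname)
    return hosts, urls


def is_test_url(url: str) -> bool:
    """Page exclusion: drill traffic tagged with a test=1 query parameter."""
    return parse_qs(urlsplit(url).query).get("test") == ["1"]


def hunt(records, rows=IOC_ROWS, trusted=TRUSTED_SOURCES):
    """records: dicts with keys src, kind ('dns' or 'web') and either
    name/resolved (dns) or url (web). Returns the records worth triaging."""
    hosts, urls = build_watchlist(rows)
    hits = []
    for rec in records:
        if rec["src"] in trusted:
            continue  # known-trusted source, per the page's first scenario
        if rec["kind"] == "dns":
            # Match the queried name or any resolved address (an IP IOC will
            # normally surface in the resolved addresses, not the query name).
            if rec["name"] in hosts or any(ip in hosts for ip in rec["resolved"]):
                hits.append(rec)
        elif rec["kind"] == "web":
            host = urlsplit(rec["url"]).hostname
            if (host in hosts or rec["url"] in urls) and not is_test_url(rec["url"]):
                hits.append(rec)
    return hits


# Constructed sample telemetry (not real log data).
SAMPLE_RECORDS = [
    {"src": "10.1.2.3", "kind": "web", "url": "http://178.236.246.159/bins/kworker_u8"},
    {"src": "10.1.2.4", "kind": "dns", "name": "updates.example.test", "resolved": ["178.236.246.159"]},
    {"src": "10.20.30.40", "kind": "web", "url": "http://178.236.246.159/bins/scsi_tmf_0"},
    {"src": "10.1.2.5", "kind": "web", "url": "http://178.236.246.159/bins/rcuop_0?test=1"},
    {"src": "10.1.2.6", "kind": "web", "url": "http://example.test/index.html"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit)
```

Run against the constructed records, the first two (a direct download from an endpoint and a DNS answer resolving to the IOC address) survive triage, while the sandbox host, the drill URL carrying `test=1`, and the unrelated request are dropped. The same three match conditions (queried name, resolved address, destination host or URL) are what the two KQL hunts express; the script makes it cheap to check that the exclusions remove only what the scenarios intend and not the true positives.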