The hypothesis is that the adversary is using the IP 192-159-99-249 to host or distribute malicious URLs as part of a campaign to compromise endpoints and exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement and data theft activities early.
IOC Summary

Threat: 192-159-99-249
Total URLs: 2
Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://192.159.99.249/Bin/ScreenConnect.ClientSetup.exe | offline | malware_download | 2026-05-24 |
| hxxps://192.159.99.249/bin/support.client.exe | offline | malware_download | 2026-05-24 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 192-159-99-249
// The indicator is an IP literal, so it will never appear as a queried Name;
// match it against the resolved IPAddresses column as well, otherwise the
// query returns nothing for this threat.
let malicious_domains = dynamic(["192.159.99.249"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 192-159-99-249
let malicious_domains = dynamic(["192.159.99.249"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using PowerShell to download a legitimate software update from a server at IP 192-159-99-249.
  Filter/Exclusion: Check for PowerShell scripts initiated by a user with sudo or admin privileges and verify the URL against a known trusted software repository.
- Scenario: A scheduled backup job using rsync or Bacula connects to a remote server at 192-159-99-249 to transfer data.
  Filter/Exclusion: Exclude connections initiated by backup services or systemd timers with known backup credentials or scheduled job names.
- Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is accessing a private artifact repository hosted at 192-159-99-249 for dependency resolution.
  Filter/Exclusion: Filter traffic from CI/CD agents or known pipeline jobs with authenticated access and trusted certificate chains.
- Scenario: A network monitoring tool like Nagios or Zabbix is polling a server at 192-159-99-249 for system metrics.
  Filter/Exclusion: Exclude traffic from monitoring tools with known service accounts or specific source IP ranges used by monitoring systems.
- Scenario: A remote desktop session (e.g., RDP, SSH) is initiated from a user's workstation to a server at 192-159-99-249 for administrative tasks.
  Filter/Exclusion: Exclude connections from user workstations with known