The hypothesis is that the detected malicious URLs are associated with a known malicious IP address (45-83-31-225) from URLhaus, indicating potential command and control or data exfiltration activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware infections and prevent further network compromise.
IOC Summary
Threat: 45-83-31-225 Total URLs: 2 Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxps://45.83.31.225/Bin/ScreenConnect.ClientSetup.exe | online | malware_download | 2026-05-26 |
hxxps://45.83.31.225/bin/support.client.exe | online | malware_download | 2026-05-26 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 45-83-31-225
let malicious_domains = dynamic(["45.83.31.225"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["45.83.31.225"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to download a legitimate update from a trusted source, such as Microsoft’s update server, which is mistakenly flagged by the rule due to its IP address being associated with a malicious URLhaus entry.
Filter/Exclusion: Exclude URLs containing update.microsoft.com or download.microsoft.com in the request URI.
Scenario: A scheduled job runs nightly to fetch and process data from an internal Splunk instance, and the IP address 45-83-31-225 is used for internal communication, leading to a false positive.
Filter/Exclusion: Exclude traffic originating from or destined to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or traffic involving splunk.com or internal domain names.
Scenario: A system update via Windows Server Update Services (WSUS) is being pushed to endpoints, and the IP address 45-83-31-225 is part of the internal WSUS server setup, triggering the rule.
Filter/Exclusion: Exclude traffic to/from internal WSUS servers or URLs containing wsus or update.microsoft.com.
Scenario: A devops pipeline using Jenkins is making a request to a third-party API (e.g., for CI/CD tooling) that is hosted on an IP address associated with the rule, causing a false positive.
Filter/Exclusion: Exclude requests to known CI/CD services like jenkins.io, circleci.com, or gitlab.com.
Scenario: A remote desktop session is being established using RDP