Hypothesis: the two detected URLs are hosted on 45.88.186.114 (URLhaus threat entry 45-88-186-114), which URLhaus classifies as a malware_download source. Both file names are ScreenConnect remote-support client installers, a package routinely abused to hand an attacker an interactive remote session that can then serve as a command-and-control and data-exfiltration channel. Both URLs were already offline when listed, so this is a retrospective hunt: SOC teams should search historical DNS and web-proxy/firewall logs in Azure Sentinel for the IP and the two URL paths, and triage any endpoint that resolved or fetched them as a possible compromise.
IOC Summary

Threat: 45-88-186-114 (URLhaus entry for 45.88.186.114)
Total URLs: 2
Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.88.186.114/Bin/ScreenConnect.ClientSetup.exe | offline | malware_download | 2026-05-24 |
| hxxp://45.88.186.114/bin/support.client.exe | offline | malware_download | 2026-05-24 |
Hunting Queries

```kusto
// Hunt for DNS answers containing the URLhaus IP
// Threat: 45-88-186-114
// The IOC is a bare IP, so match the resolved answers (IPAddresses). A filter on
// Name alone only fires if a client queried the IP literal itself, which is rare.
let malicious_ips = dynamic(["45.88.186.114"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall traffic to the URLhaus IP or the two listed URLs
// Threat: 45-88-186-114
let malicious_ips = dynamic(["45.88.186.114"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or RequestURL has_any (malicious_ips)
// Flag the exact URLhaus paths; compare case-insensitively, URLhaus lists both "Bin/" and "bin/"
| extend ExactUrlHit = tolower(RequestURL) endswith "/bin/screenconnect.clientsetup.exe"
    or tolower(RequestURL) endswith "/bin/support.client.exe"
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationHostName, RequestURL, ExactUrlHit, DeviceAction
| order by TimeGenerated desc
```

Any row with ExactUrlHit == true is a download attempt of the listed installer; rows that only match the IP still show contact with the hosting server and deserve triage, with DeviceAction telling you whether the proxy or firewall blocked it.
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/syslog from proxies and firewalls) |
| DnsEvents | Ensure this data connector is enabled (DNS Analytics) |
False Positive Scenarios

Scenario: A system administrator uses PowerShell to download a legitimate update from a trusted source, and the update server's address range happens to include 45.88.186.114.
Filter/Exclusion: Exclude only the verified source hosts or trusted address ranges (by source IP in the SIEM, or with a NetFlow or IDS/IPS rule). Confirm first that the destination really belongs to the vendor (published IP ranges, ASN, reverse DNS); URLhaus lists this IP for hosting malware, so a blanket exclusion of the destination hides real hits.

Scenario: A scheduled Ansible job runs a playbook that references a URL on a legitimate repository hosted at 45.88.186.114.
Filter/Exclusion: Allowlist the specific playbook name or job ID in the SIEM, or filter on the Ansible process name, scoped to the hosts that run that job.

Scenario: A Windows Update task connects to a Microsoft server whose address temporarily resolves to 45.88.186.114.
Filter/Exclusion: Exclude Microsoft update endpoints by DNS name or by Microsoft's published service IP ranges, and check that the resolved address is actually within those ranges before excluding it.

Scenario: A CI/CD pipeline (e.g., Jenkins) pulls code from a private Git repository hosted on an internal server with IP 45.88.186.114.
Filter/Exclusion: Exclude internal-to-internal traffic by source/destination ranges, or allowlist the Jenkins job name in the SIEM. Note that 45.88.186.114 is a public (non-RFC1918) address, so an "internal" repository on it is itself worth confirming before any exclusion is written.
Scenario: A remote desktop session (RDP) is being initiated from a user’s machine, and the connection is routed through a proxy or a network device
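The two hunting queries and the exclusion logic from the scenarios above, reimplemented as an offline matcher so the detection can be checked against sample logs before it is turned into a Sentinel rule. This is an added example, not part of the original hunt page or of URLhaus; the log lines, hostnames, internal source addresses and the TRUSTED_SOURCES allowlist are constructed for illustration.

```python
"""Offline matcher for the URLhaus IOCs above against sample DNS and proxy logs.

Added example, not part of the original hunt page. Log lines, hostnames,
internal addresses and the TRUSTED_SOURCES allowlist are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# The two URLs from the URLhaus summary, in their published defanged form.
IOC_URLS = [
    "hxxp://45.88.186.114/Bin/ScreenConnect.ClientSetup.exe",
    "hxxp://45.88.186.114/bin/support.client.exe",
]

# Hypothetical exclusion from the CI/CD scenario: a verified build host whose
# traffic to this address was confirmed legitimate. Scoped to the source host,
# never to the destination IOC itself.
TRUSTED_SOURCES = {"10.10.5.20": "jenkins-build01, verified repo pull"}


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so IOCs compare to real log URLs."""
    url = url.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def build_index(urls):
    """Split IOC URLs into a host set and a (host, lowercased path) set."""
    hosts, paths = set(), set()
    for u in urls:
        p = urlparse(refang(u))
        hosts.add(p.hostname)
        paths.add((p.hostname, p.path.lower()))  # URLhaus lists Bin/ and bin/
    return hosts, paths


IOC_HOSTS, IOC_PATHS = build_index(IOC_URLS)


@dataclass
class Finding:
    source: str     # "proxy" or "dns"
    origin: str     # source IP (proxy) or computer name (dns)
    indicator: str  # URL or queried name that matched
    severity: str   # high / medium / excluded
    note: str


def hunt_proxy(lines):
    """Equivalent of the CommonSecurityLog query: match destination IP, URL host
    and the exact URLhaus paths. Line format: ts src_ip dst_ip url action."""
    findings = []
    for line in lines:
        _ts, src_ip, dst_ip, url, action = line.split()
        p = urlparse(url)
        host = p.hostname or ""
        if host not in IOC_HOSTS and dst_ip not in IOC_HOSTS:
            continue
        if src_ip in TRUSTED_SOURCES:
            findings.append(Finding("proxy", src_ip, url, "excluded", TRUSTED_SOURCES[src_ip]))
            continue
        if (host, p.path.lower()) in IOC_PATHS:
            findings.append(Finding("proxy", src_ip, url, "high", f"exact URLhaus URL, action={action}"))
        else:
            findings.append(Finding("proxy", src_ip, url, "medium", f"IOC host, other path, action={action}"))
    return findings


def hunt_dns(lines):
    """Equivalent of the DnsEvents query. The IOC is an IP, so match the answers,
    not the queried name. Line format: ts computer name answers(comma-separated)."""
    findings = []
    for line in lines:
        _ts, computer, name, answers = line.split()
        hit = set(answers.split(",")) & IOC_HOSTS
        if hit:
            findings.append(Finding("dns", computer, name, "medium", f"resolved to {','.join(sorted(hit))}"))
    return findings


# Constructed sample logs (not real telemetry).
PROXY_LOG = [
    "2026-05-24T10:01:02Z 10.10.7.31 45.88.186.114 http://45.88.186.114/bin/support.client.exe allow",
    "2026-05-24T10:02:15Z 10.10.7.31 45.88.186.114 http://45.88.186.114/BIN/SCREENCONNECT.CLIENTSETUP.EXE block",
    "2026-05-24T10:05:00Z 10.10.5.20 45.88.186.114 http://45.88.186.114/repo/info/refs allow",
    "2026-05-24T10:06:00Z 10.10.7.44 93.184.216.34 http://www.example.com/update.msi allow",
    "2026-05-24T10:07:00Z 10.10.7.50 45.88.186.114 http://45.88.186.114/ allow",
]
DNS_LOG = [
    "2026-05-24T09:59:58Z WS-0142 support-cdn.example.net 45.88.186.114",
    "2026-05-24T10:00:10Z WS-0199 www.example.com 93.184.216.34,93.184.216.35",
]

if __name__ == "__main__":
    for f in hunt_proxy(PROXY_LOG) + hunt_dns(DNS_LOG):
        print(f"[{f.severity:8}] {f.source}: {f.origin} -> {f.indicator} ({f.note})")
```

Running it flags the two installer downloads from 10.10.7.31 as high (the second despite its upper-case path), records the build host's request as excluded rather than silently dropping it, keeps the bare contact from 10.10.7.50 at medium, and surfaces WS-0142 because a name it queried resolved to the IOC address, which the original Name-only DNS query would have missed.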