The detection identifies potential malicious activity from URLs associated with the 45-92-1-35 IP address, which is linked to known malicious campaigns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could lead to data exfiltration or system compromise.
IOC Summary
Threat: 45-92-1-35 Total URLs: 2 Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxps://45.92.1.35/Bin/ScreenConnect.ClientSetup.exe | online | malware_download | 2026-05-26 |
hxxps://45.92.1.35/bin/support.client.exe | online | malware_download | 2026-05-26 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 45-92-1-35
let malicious_domains = dynamic(["45.92.1.35"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["45.92.1.35"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to download a legitimate update from a trusted source (e.g., Microsoft Update) that is mistakenly flagged by the rule.
Filter/Exclusion: Exclude URLs containing update.microsoft.com or windowsupdate.com in the URL field.
Scenario: A scheduled job runs a PowerShell script to fetch configuration files from an internal repository (e.g., internal.config.repo.com) that is incorrectly identified as a malicious URL.
Filter/Exclusion: Exclude URLs that match internal domain patterns (e.g., internal.*.com) or use a source IP whitelist for trusted internal systems.
Scenario: A devops pipeline (e.g., Jenkins or GitLab CI) is accessing a CI/CD artifact repository (e.g., Nexus or Artifactory) to pull dependencies, which is falsely flagged by the rule.
Filter/Exclusion: Exclude URLs that match known CI/CD artifact domains or use a user-agent-based filter to identify automation tools.
Scenario: A remote desktop session (e.g., using RDP or SSH) is being logged by the endpoint, and the session URL is being misinterpreted as a malicious URL.
Filter/Exclusion: Exclude URLs containing rdp, ssh, or terminal in the path, or filter based on process name (e.g., mstsc.exe, sshd).
Scenario: A system update task (e.g., using Windows Update or WSUS) is triggering the rule because the update server URL is listed in URLhaus.
Filter/Exclusion: Exclude URLs that match known internal or Microsoft update servers (e.g., wsus, update.microsoft.com, download.microsoft.com).