The hypothesis is that the detected URLs are associated with the IP 62-60-226-159, which is linked to malicious activity in URLhaus, indicating potential command and control or data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise of internal systems.
IOC Summary
Threat: 62-60-226-159. Total URLs: 2. Active URLs: 2.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://62.60.226.159/20.exe | online | malware_download | 2026-06-06 |
| hxxp://62.60.226.159/16.exe | online | malware_download | 2026-06-06 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 62-60-226-159
// The indicator here is an IP address, so it will not appear in the queried Name;
// the resolved IPAddresses field is checked as well so IP indicators still match.
let malicious_domains = dynamic(["62.60.226.159"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// DestinationIP is included because the indicator is an IP address and a proxy or
// firewall may log the destination only as an IP, with no host name or URL.
let malicious_domains = dynamic(["62.60.226.159"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
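As an added example (not part of this hunt document or of Sentinel), the following Python applies the same matching logic as the two KQL queries above to constructed DnsEvents- and CommonSecurityLog-shaped records, and layers on an allowlist exclusion for known update endpoints of the kind the false-positive scenarios below describe. It shows why an IP indicator must be matched on the resolved-address and destination-IP fields rather than on the DNS query name alone. The sample events, the allowlist patterns and the function names are all constructed for illustration.

```python
import fnmatch
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed IOC list mirroring the URLhaus table above (defanged "hxxp" scheme).
URLHAUS_IOCS = [
    "hxxp://62.60.226.159/20.exe",
    "hxxp://62.60.226.159/16.exe",
]

# Constructed allowlist of known update endpoints (hypothetical fnmatch-style patterns).
UPDATE_ALLOWLIST = ["*.update.microsoft.com", "*.download.nvidia.com"]

# Constructed sample records shaped like the two Sentinel tables.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-06-06T01:10:00Z", "Computer": "WS01",
     "Name": "cfg.example.test", "IPAddresses": "62.60.226.159"},
    {"TimeGenerated": "2026-06-06T01:12:00Z", "Computer": "WS02",
     "Name": "login.microsoftonline.com", "IPAddresses": "20.190.1.1"},
]
SAMPLE_PROXY = [
    {"TimeGenerated": "2026-06-06T01:15:00Z", "SourceIP": "10.0.0.5",
     "RequestURL": "http://62.60.226.159/20.exe", "DestinationHostName": "62.60.226.159",
     "DestinationIP": "62.60.226.159", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-06T01:16:00Z", "SourceIP": "10.0.0.6",
     "RequestURL": "http://download.windowsupdate.com/d/x.cab",
     "DestinationHostName": "download.windowsupdate.com",
     "DestinationIP": "13.1.1.1", "DeviceAction": "allow"},
    # Trusted update host that happens to resolve to the IOC IP: the page's false-positive case.
    {"TimeGenerated": "2026-06-06T01:17:00Z", "SourceIP": "10.0.0.7",
     "RequestURL": "http://cdn.update.microsoft.com/pkg.msu",
     "DestinationHostName": "cdn.update.microsoft.com",
     "DestinationIP": "62.60.226.159", "DeviceAction": "allow"},
]


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, hxxps://, [.]) back into a parseable one."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def ioc_hosts(iocs) -> set:
    """Collect the distinct host names / IPs referenced by a list of defanged URLs."""
    hosts = set()
    for u in iocs:
        host = urlsplit(refang(u)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_ip(host: str) -> bool:
    """True when the indicator is an IP literal rather than a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def allowlisted(host: str, patterns) -> bool:
    """True when the host matches any allowlist glob pattern."""
    return any(fnmatch.fnmatch(host, p) for p in patterns)


def dns_hits(events, hosts) -> list:
    """DnsEvents-style records: a domain IOC is matched on the queried Name, while an
    IP IOC can only appear in the resolved IPAddresses field, so both are checked."""
    hits = []
    for e in events:
        name = e.get("Name", "").lower()
        resolved = {a.strip() for a in e.get("IPAddresses", "").split(",") if a.strip()}
        if name in hosts or resolved & hosts:
            hits.append(e)
    return hits


def proxy_hits(events, hosts, allowlist=()) -> list:
    """CommonSecurityLog-style records: match the RequestURL host, DestinationHostName
    or DestinationIP, then drop hits whose host is an allowlisted update endpoint."""
    hits = []
    for e in events:
        url_host = (urlsplit(e.get("RequestURL", "")).hostname or "").lower()
        dst_host = e.get("DestinationHostName", "").lower()
        dst_ip = e.get("DestinationIP", "")
        if not ({url_host, dst_host, dst_ip} & hosts):
            continue
        if allowlisted(dst_host, allowlist) or allowlisted(url_host, allowlist):
            continue  # known update endpoint: tuned out as a false positive
        hits.append(e)
    return hits


def run_hunt(dns_events=SAMPLE_DNS, proxy_events=SAMPLE_PROXY, allowlist=UPDATE_ALLOWLIST) -> dict:
    """Run both hunts against the constructed data and return the surviving hits."""
    hosts = ioc_hosts(URLHAUS_IOCS)
    return {"dns": dns_hits(dns_events, hosts),
            "proxy": proxy_hits(proxy_events, hosts, allowlist)}


if __name__ == "__main__":
    for table, rows in run_hunt().items():
        for r in rows:
            print(table, r["TimeGenerated"], r.get("Computer") or r.get("SourceIP"))
```

Running the block lists one DNS hit (WS01, whose query resolved to the IOC IP even though the name itself is clean) and one proxy hit (10.0.0.5 fetching 20.exe); the third proxy record touches the IOC IP but is tuned out by the update-endpoint allowlist, which is exactly the trade-off to weigh when a trusted host shares an address with an indicator.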
Scenario: A system administrator is using PowerShell to download a legitimate software update from a trusted source, which happens to be hosted on a server with the IP 62-60-226-159.
Filter/Exclusion: Exclude URLs that match known software update endpoints (e.g., *.update.microsoft.com, *.download.nvidia.com) or filter by process name (powershell.exe with a known update script).
Scenario: A scheduled job runs nightly to fetch configuration files from a remote server using curl or wget, and the server IP is 62-60-226-159.
Filter/Exclusion: Exclude traffic from scheduled jobs (e.g., crontab, task scheduler) or filter by known configuration management tools (e.g., ansible, chef, puppet).
Scenario: An endpoint protection tool (e.g., CrowdStrike Falcon, Microsoft Defender) is performing a signature update from a remote server with IP 62-60-226-159.
Filter/Exclusion: Exclude traffic initiated by endpoint security tools (e.g., process name falcon-sensor, mpcmdrun.exe) or filter by known update endpoints.
Scenario: A DevOps pipeline (e.g., Jenkins, GitLab CI) is pulling code from a private repository hosted on a server with IP 62-60-226-159.
Filter/Exclusion: Exclude traffic from CI/CD pipelines (e.g., process name java, gitlab-runner) or filter by known repository URLs.
Scenario: A remote desktop session (e.g., RDP, VNC) is being established to a