This detection identifies potential adversary activity involving the URLhaus entries tagged 84-54-33-84: two malware downloads hosted directly on the IP address 84.54.33.84. A host fetching either file may be an initial compromise (a remote-support client being installed by an attacker), or the address may later be used for command and control or data exfiltration. SOC teams should proactively hunt for this activity in Microsoft Sentinel (formerly Azure Sentinel) so that early-stage intrusions are identified and contained before they cause significant damage.
IOC Summary
Threat: 84-54-33-84 | Total URLs: 2 | Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://84.54.33.84/Bin/ScreenConnect.ClientSetup.exe | online | malware_download | 2026-05-26 |
| hxxps://84.54.33.84/bin/support.client.exe | online | malware_download | 2026-05-26 |

URLs are listed defanged (hxxps); refang them before pasting into a query. ScreenConnect.ClientSetup.exe is the file name of the ScreenConnect (ConnectWise Control) remote-support client installer, a legitimate tool that is frequently abused for remote access; an installer served from a bare IP address rather than a vendor or company-owned instance is itself a strong signal.
Hunting Queries

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 84-54-33-84
// The indicator is an IP literal, so a client fetching it never issues a DNS query for it.
// Keep the original Name check, but the useful signal is a name that RESOLVED to the IP
// (DnsEvents.IPAddresses is a comma-separated list of resolved addresses).
let malicious_ips = dynamic(["84.54.33.84"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: 84-54-33-84
// Match the destination IP as well as the URL and host name: a TLS connection logged
// by a firewall carries no RequestURL, and the original query would miss it.
let malicious_ips = dynamic(["84.54.33.84"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
```

Note that `has_any` on RequestURL also fires when the IP merely appears in a URL path (for example a text file named after the address); review the host part of the URL before escalating.
Required Data Connectors

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector (CEF from firewalls, proxies or web gateways) is enabled |
| DnsEvents | Ensure this data connector (Windows DNS Server logs) is enabled |
False Positive Scenarios

Because the indicator is an IP literal rather than a domain, the usual domain allowlists do not apply to it directly; the practical question is whether your organisation has any legitimate reason to talk to 84.54.33.84. The scenarios below describe how a hit can still be benign and how to scope an exclusion without hiding the real activity.

Scenario: A system administrator is using PowerShell to download a legitimate update from a trusted source, and the request is matched only because the URLhaus entry for 84-54-33-84 is misconfigured or the address has since been reassigned.
Filter/Exclusion: Exclude requests whose destination host is a known legitimate update server (e.g., *.microsoft.com, *.canonical.com), or carry the URLhaus tag in a custom field (e.g., urlhaus_tag) so that entries confirmed as false positives can be filtered out.

Scenario: A scheduled backup job using rsync or Veeam is transferring files to infrastructure that happens to use the public IP 84.54.33.84, and the rule flags the transfer.
Filter/Exclusion: Exclude traffic originating from or destined to known internal or backup infrastructure IPs, or use a field like process_name to filter out backup tools. Scope a process-name exclusion to the confirmed backup destinations; a blanket exclusion would also hide a backup tool being abused to reach an attacker-controlled address.

Scenario: An endpoint protection tool like CrowdStrike or SentinelOne is performing a network scan to check for vulnerabilities, and the scan probes the flagged address, which the rule then reports as a connection to a malicious destination.
Filter/Exclusion: Exclude connections from known security tool domains or scanner source addresses, or use a process_name filter to exclude security software processes.

Scenario: A CI/CD pipeline using Jenkins or GitHub Actions is pushing code or artifacts to a remote server, and the transfer URL is flagged because of a misconfigured IP in the URLhaus database.
Filter/Exclusion: Exclude URLs that match known CI/CD infrastructure, or use a process_name filter to identify pipeline tools.
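The following Python script is an added example, not code from the original page or from URLhaus: it emulates the two hunting queries above and the exclusion rules from the false-positive scenarios against constructed log rows shaped like CommonSecurityLog and DnsEvents records, so the matching logic can be tested before it is committed to KQL. The log rows, the process names, the backup target 10.20.0.5 and the update-server suffixes are assumptions made for the example; the two IOC URLs and the IP are the ones listed on this page.

```python
"""Offline emulation of the 84-54-33-84 hunt and its exclusions (added example).

Row field names mirror CommonSecurityLog / DnsEvents columns. All rows below
are constructed for the example and are not real telemetry.
"""
from urllib.parse import urlsplit

# IOCs from the URLhaus entry on this page, listed defanged as on the page
MALICIOUS_IPS = {"84.54.33.84"}
MALICIOUS_URLS_DEFANGED = [
    "hxxps://84.54.33.84/Bin/ScreenConnect.ClientSetup.exe",
    "hxxps://84.54.33.84/bin/support.client.exe",
]


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


MALICIOUS_URLS = {refang(u) for u in MALICIOUS_URLS_DEFANGED}


def url_host(url: str) -> str:
    """Lower-cased host part of a URL, or '' when there is no URL."""
    if not url:
        return ""
    return (urlsplit(url).hostname or "").lower()


# Constructed CommonSecurityLog-style rows
WEB_LOGS = [
    # A: the listed ScreenConnect installer pulled with PowerShell
    {"SourceIP": "10.0.1.15", "RequestURL": "https://84.54.33.84/Bin/ScreenConnect.ClientSetup.exe",
     "DestinationHostName": "", "DestinationIP": "84.54.33.84", "DeviceAction": "allow",
     "ProcessName": "powershell.exe"},
    # B: a genuine update download, not a hit
    {"SourceIP": "10.0.1.16", "RequestURL": "https://download.microsoft.com/update.msu",
     "DestinationHostName": "download.microsoft.com", "DestinationIP": "13.107.4.50",
     "DeviceAction": "allow", "ProcessName": "svchost.exe"},
    # C: firewall row for a TLS session, no URL at all; only the IP check catches it
    {"SourceIP": "10.0.1.17", "RequestURL": "", "DestinationHostName": "",
     "DestinationIP": "84.54.33.84", "DeviceAction": "deny", "ProcessName": "unknown"},
    # D: the IP only appears in the URL path; a host-based match must not fire
    {"SourceIP": "10.0.1.18", "RequestURL": "https://cdn.example.com/files/84.54.33.84.txt",
     "DestinationHostName": "cdn.example.com", "DestinationIP": "203.0.113.7",
     "DeviceAction": "allow", "ProcessName": "chrome.exe"},
    # E: a backup tool talking to the flagged address (the second FP scenario)
    {"SourceIP": "10.0.1.19", "RequestURL": "", "DestinationHostName": "",
     "DestinationIP": "84.54.33.84", "DeviceAction": "allow", "ProcessName": "rsync"},
    # G: the second listed payload fetched from a browser
    {"SourceIP": "10.0.1.20", "RequestURL": "https://84.54.33.84/bin/support.client.exe",
     "DestinationHostName": "", "DestinationIP": "84.54.33.84", "DeviceAction": "allow",
     "ProcessName": "msedge.exe"},
]

# Constructed DnsEvents-style rows (IPAddresses is a comma-separated string)
DNS_LOGS = [
    {"Computer": "WS01", "Name": "support.example.net", "IPAddresses": "84.54.33.84"},
    {"Computer": "WS02", "Name": "www.microsoft.com", "IPAddresses": "13.107.4.50"},
    {"Computer": "WS03", "Name": "relay.example.org", "IPAddresses": "10.0.0.5, 84.54.33.84"},
]


def hunt_web(rows):
    """CommonSecurityLog hunt: destination IP, URL host, or destination host name.
    Matching the parsed host instead of a substring keeps row D from firing."""
    return [r for r in rows
            if r.get("DestinationIP", "") in MALICIOUS_IPS
            or url_host(r.get("RequestURL", "")) in MALICIOUS_IPS
            or r.get("DestinationHostName", "").lower() in MALICIOUS_IPS]


def exact_url_hits(rows):
    """Rows whose full request URL is one of the listed payload URLs."""
    return [r for r in rows if r.get("RequestURL", "") in MALICIOUS_URLS]


def hunt_dns(rows):
    """DnsEvents hunt: no client queries an IP literal by name, so match names
    that resolved to the IOC address instead."""
    hits = []
    for r in rows:
        resolved = {ip.strip() for ip in r.get("IPAddresses", "").split(",") if ip.strip()}
        if resolved & MALICIOUS_IPS:
            hits.append(r)
    return hits


# Exclusions from the false-positive scenarios (assumed values)
TRUSTED_HOST_SUFFIXES = (".microsoft.com", ".canonical.com")
BACKUP_PROCESSES = {"rsync", "veeam.backup.service.exe"}
BACKUP_INFRA_IPS = {"10.20.0.5"}  # assumed internal backup target


def is_excluded(row, backup_infra=BACKUP_INFRA_IPS):
    """Suppress trusted update hosts, and backup tools only when they reach
    confirmed backup infrastructure. An IP-literal host never matches a
    domain suffix, so the first rule cannot hide a hit on 84.54.33.84."""
    host = url_host(row.get("RequestURL", "")) or row.get("DestinationHostName", "").lower()
    if host.endswith(TRUSTED_HOST_SUFFIXES):
        return True
    proc = row.get("ProcessName", "").lower()
    return proc in BACKUP_PROCESSES and row.get("DestinationIP", "") in backup_infra


def triage(rows, backup_infra=BACKUP_INFRA_IPS):
    """Hits that survive the exclusions; row E stays until its destination is
    confirmed as backup infrastructure and added to backup_infra."""
    return [r for r in hunt_web(rows) if not is_excluded(r, backup_infra)]


if __name__ == "__main__":
    for r in triage(WEB_LOGS):
        print("web hit:", r["SourceIP"], r["DestinationIP"], r["RequestURL"] or "(no URL)", r["ProcessName"])
    for r in hunt_dns(DNS_LOGS):
        print("dns hit:", r["Computer"], r["Name"], "->", r["IPAddresses"])
```

Running the script reports four web hits (rows A, C, E and G) and two DNS hits (WS01 and WS03); row D is ignored because only its path contains the address, and row E is suppressed only once 84.54.33.84 is placed in the backup-infrastructure set, which is the scoping the exclusion guidance above recommends.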
Scenario: A remote desktop session (e.g., using RDP or TeamViewer) is being used to access a machine,