The hypothesis is that the adversary is using the IP 134.199.190.221 (URLhaus threat name 134-199-190-221) to host and distribute malware payloads as part of a campaign to compromise endpoints, with command and control and data exfiltration as the likely follow-on stages. All three listed URLs are flagged malware_download; the file names (a shell script, 1.sh, plus Space.arc and Space.arm7) are consistent with a shell stager fetching architecture-specific Linux binaries, which is an inference from the names rather than something URLhaus states. A SOC team should proactively hunt for downloads from this IP in Azure Sentinel (now Microsoft Sentinel) so that hosts that fetched the payloads are found at the installation stage, before any command and control or data exfiltration activity.
IOC Summary
Threat: 134-199-190-221. Total URLs: 3. Active URLs: 3 (all online at the time of listing).
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://134.199.190.221/hiddenbin/Space.arc | online | malware_download | 2026-05-21 |
| hxxp://134.199.190.221/1.sh | online | malware_download | 2026-05-21 |
| hxxp://134.199.190.221/hiddenbin/Space.arm7 | online | malware_download | 2026-05-21 |

The URLs are defanged (hxxp); in logs they appear with the real http scheme, which is why the queries below match on the IP and the URL path rather than on the defanged string.
```kusto
// Hunt for DNS activity tied to the URLhaus IOC
// Threat: 134-199-190-221
// The IOC is a bare IP, so the listed URLs need no forward DNS lookup and the
// Name column will never equal the IP. Two signals are still useful: answers
// that resolved some hostname to the IP, and PTR (reverse) lookups of the IP.
let ioc_ip = "134.199.190.221";
let ioc_ptr = "221.190.199.134.in-addr.arpa";
DnsEvents
| where IPAddresses has ioc_ip or Name =~ ioc_ptr
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web proxy / firewall traffic to the URLhaus IOC
// Threat: 134-199-190-221
let ioc_ip = "134.199.190.221";
// Paths from the URLhaus listing. A hit on a path alone is weaker evidence
// (the payload may have been re-hosted elsewhere) but is still worth review.
let ioc_paths = dynamic(["/hiddenbin/Space.arc", "/1.sh", "/hiddenbin/Space.arm7"]);
CommonSecurityLog
| where DestinationIP == ioc_ip
    or DestinationHostName == ioc_ip
    or RequestURL has ioc_ip
    or RequestURL has_any (ioc_paths)
| extend MatchType = iff(DestinationIP == ioc_ip or DestinationHostName == ioc_ip or RequestURL has ioc_ip, "ioc_ip", "ioc_path")
// DeviceAction separates blocked attempts (still worth triage: the host tried) from allowed downloads (likely infected)
| project TimeGenerated, DeviceVendor, SourceIP, SourceHostName, DestinationIP, DestinationHostName, RequestURL, DeviceAction, MatchType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF-based proxy and firewall feeds) |
| DnsEvents | Ensure this data connector is enabled (Windows DNS server logs) |
Because the IOC is a single public IP flagged malware_download, a hit on the IP itself is high fidelity and should not be tuned away. The exclusions below are for the weaker path-only matches and for noisy sources, and every one of them keys on the source asset or on a destination hostname. Never exclude the IOC IP or its surrounding /24 (the original draft suggested excluding 134.199.190.0/24, which would suppress the very traffic being hunted).
Scenario: Internal system update or patch deployment fetching a file with the same name as a listed payload (e.g. a 1.sh on an internal patch server)
Filter/Exclusion: Exclude requests whose destination is a known update host (e.g. windowsupdate.microsoft.com) or whose source is the internal patch server (e.g. patchmanagement.example.com), applied only to path-only matches:
| where MatchType == "ioc_ip" or (DestinationHostName !in~ ("windowsupdate.microsoft.com") and SourceHostName !in~ ("patchmanagement.example.com"))
Scenario: Legitimate scheduled job downloading configuration files from a known internal repository
Filter/Exclusion: Exclude path-only matches whose destination is internal address space or a known repository (e.g. artifactory.example.com, config.example.com):
| where MatchType == "ioc_ip" or not(ipv4_is_in_range(DestinationIP, "10.0.0.0/8") or DestinationHostName in~ ("artifactory.example.com", "config.example.com"))
Scenario: Admin task involving remote PowerShell script execution for system maintenance
Filter/Exclusion: CommonSecurityLog carries no process fields, so this exclusion applies when the hunt is extended to endpoint telemetry (e.g. SecurityEvent 4688 with NewProcessName and CommandLine, or DeviceProcessEvents with FileName and ProcessCommandLine). Keep everything except PowerShell remoting invocations:
| where not(FileName =~ "powershell.exe" and ProcessCommandLine has "Invoke-Command")
Scenario: Employee accessing a phishing training page hosted on a third-party platform
Filter/Exclusion: Exclude path-only matches to known phishing training domains (e.g. phishingtraining.example.com, training.example.com):
| where MatchType == "ioc_ip" or DestinationHostName !in~ ("phishingtraining.example.com", "training.example.com")
Scenario: Automated log collection tool pulling logs from a remote server using a known IP
Filter/Exclusion: Exclude traffic from log collection tools (e.g. logstash, splunk) running in the collector subnet (e.g. 192.168.1.0/24). The exclusion must require both conditions; the original draft used "or src_ip in (192.168.1.0/24)", which would keep every row from that subnet instead of dropping the collector traffic. On an endpoint table:
| where not(FileName in~ ("logstash", "splunk") and ipv4_is_in_range(SourceIP, "192.168.1.0/24"))