The hypothesis is that the adversary is using the IP 165-227-155-54 to host or distribute malicious URLs as part of a campaign to compromise endpoints. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement or data exfiltration attempts early.
IOC Summary

Threat: 165-227-155-54
Total URLs: 3
Active URLs: 3

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://165.227.155.54/hiddenbin/Space.arc | online | malware_download | 2026-05-21 |
| hxxp://165.227.155.54/hiddenbin/Space.arm7 | online | malware_download | 2026-05-21 |
| hxxp://165.227.155.54/1.sh | online | malware_download | 2026-05-21 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 165-227-155-54
// The indicator is a bare IP, so it will rarely appear as the queried Name;
// also match it against the resolved IPAddresses so the hunt actually fires.
let malicious_domains = dynamic(["165.227.155.54"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 165-227-155-54
// Match the indicator in the requested URL, the destination host name and,
// because the indicator is an IP, the DestinationIP field as well.
let malicious_domains = dynamic(["165.227.155.54"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
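The same matching logic as the two hunt queries, run offline over constructed DnsEvents and CommonSecurityLog style records, with the trusted-domain and internal-range exclusions from the false-positive scenarios applied on the web side. This is an added example, not part of the original hunt; the log records, trusted suffixes and internal CIDRs are assumed sample values.

```python
import ipaddress
from urllib.parse import urlparse

# The three URLhaus URLs from the IOC summary (defanged hxxp:// form).
URLHAUS_URLS = [
    "hxxp://165.227.155.54/hiddenbin/Space.arc",
    "hxxp://165.227.155.54/hiddenbin/Space.arm7",
    "hxxp://165.227.155.54/1.sh",
]
# Assumed exclusion lists mirroring the false-positive guidance.
TRUSTED_SUFFIXES = (".update.microsoft.com", ".download.windowsupdate.com", ".internal.company.com")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "172.16.0.0/12")]

# Constructed sample records; ws02 resolves a name to the indicator IP.
DNS_EVENTS = [
    {"Computer": "ws01", "Name": "cdn.example.net", "IPAddresses": "203.0.113.7"},
    {"Computer": "ws02", "Name": "dyn-host.example.test", "IPAddresses": "165.227.155.54"},
]
WEB_EVENTS = [
    {"SourceIP": "10.1.2.3", "RequestURL": "http://165.227.155.54/1.sh", "DestinationHostName": "165.227.155.54"},
    {"SourceIP": "10.1.2.4", "RequestURL": "https://dl.update.microsoft.com/x.cab", "DestinationHostName": "dl.update.microsoft.com"},
]

def refang(url):
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)

def indicator_hosts(urls):
    """Reduce the URLhaus entries to the set of hosts (here a single IP) to hunt for."""
    return {urlparse(refang(u)).hostname for u in urls}

def is_excluded(host):
    """True for internal ranges or trusted update/config domains (the allowlist)."""
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return host.endswith(TRUSTED_SUFFIXES)

def hunt_dns(events, hosts):
    """Mirror the DnsEvents query: an IP indicator only matches via resolved addresses."""
    hits = []
    for e in events:
        resolved = set(e["IPAddresses"].split(","))
        if e["Name"] in hosts or resolved & hosts:
            hits.append(e["Computer"])
    return hits

def hunt_web(events, hosts):
    """Mirror the CommonSecurityLog query, then drop allowlisted destinations."""
    hits = []
    for e in events:
        host = urlparse(e["RequestURL"]).hostname or e["DestinationHostName"]
        if host in hosts and not is_excluded(host):
            hits.append((e["SourceIP"], e["RequestURL"]))
    return hits
```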
Scenario: A system administrator is using PowerShell to download a legitimate software update from a trusted source, which happens to be hosted on an IP address tagged by the rule (165-227-155-54).
Filter/Exclusion: Exclude URLs that match known update servers (e.g., *.update.microsoft.com, *.download.windowsupdate.com).
Scenario: A scheduled job runs nightly to fetch configuration files from a centralized server, and the server’s IP address is mistakenly listed in the URLhaus feed.
Filter/Exclusion: Exclude URLs that match internal or known trusted domains (e.g., *.internal.company.com, *.configserver.company.net).
Scenario: A SIEM log collection task is configured to pull logs from a remote server, and the server’s IP address is flagged by the rule.
Filter/Exclusion: Exclude IP addresses associated with internal log servers (e.g., 10.0.0.100, 192.168.1.50).
Scenario: A vulnerability scanner (e.g., Nessus) is configured to scan internal assets and reports a URL from a system that is temporarily accessible via an IP in the rule’s list.
Filter/Exclusion: Exclude URLs that match known internal scanning tools or IP ranges used by security tools (e.g., 10.0.0.0/24, 172.16.0.0/12).
Scenario: A remote management tool (e.g., Microsoft Intune or Jamf) is used to push policy updates to endpoints, and the IP address of the management server is incorrectly tagged in the rule.
Filter/Exclusion: Exclude URLs that match known