The ThreatFox: Havoc IOCs rule flags network connections to command-and-control (C2) endpoints that ThreatFox attributes to Havoc, an open-source post-exploitation C2 framework. All eight indicators are ip:port pairs of type botnet_cc, so a hit means a host is talking to a known Havoc team server, not merely that a Havoc payload exists somewhere on disk. SOC teams should hunt for these addresses in Microsoft Sentinel (formerly Azure Sentinel) to find beaconing hosts early, before the operator uses the foothold for lateral movement and data exfiltration.
IOC Summary

Malware Family: Havoc
Total IOCs: 8
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 2[.]26[.]228[.]27:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 45[.]67[.]222[.]21:3389 | botnet_cc | 2026-06-11 | 85% |
| ip:port | 103[.]202[.]61[.]220:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 186[.]246[.]16[.]124:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 193[.]106[.]8[.]24:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 185[.]89[.]214[.]29:443 | botnet_cc | 2026-06-11 | 99% |
| ip:port | 185[.]190[.]212[.]155:443 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 82[.]221[.]139[.]243:52281 | botnet_cc | 2026-06-10 | 75% |
```kql
// Hunt for network connections to known Havoc C2 addresses
// Source: ThreatFox - Havoc (IPs refanged from the table above)
// Matching is on IP only; DestinationPort is projected so each hit can be
// compared with the port ThreatFox lists for that address.
let malicious_ips = dynamic(["45.67.222.21", "2.26.228.27", "185.89.214.29", "82.221.139.243", "185.190.212.155", "103.202.61.220", "186.246.16.124", "193.106.8.24"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events (same IP list)
// RemotePort and InitiatingProcessFileName give the port and the beaconing
// process, which is what triage needs first.
let malicious_ips = dynamic(["45.67.222.21", "2.26.228.27", "185.89.214.29", "82.221.139.243", "185.190.212.155", "103.202.61.220", "186.246.16.124", "193.106.8.24"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
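Both queries above match on IP alone, while the feed carries an ip:port pair and a confidence score for each indicator. The Python below is added here as an example; it is not code from this page, from ThreatFox or from Sentinel. It parses the defanged table in the form a feed export delivers it, runs the same IP match over constructed DeviceNetworkEvents-style rows while recording whether the port also lines up (an IP-only hit on a shared host deserves a different triage tier than a beacon to the listed port), and renders the pairs as a KQL datatable for a port-aware join. The event rows, process names and the `havoc_c2` table name are assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed copy of the eight ThreatFox ip:port IOCs from the table above,
# kept in their defanged form as a feed export would deliver them.
DEFANGED_IOCS = """\
2[.]26[.]228[.]27:443,botnet_cc,100
45[.]67[.]222[.]21:3389,botnet_cc,85
103[.]202[.]61[.]220:443,botnet_cc,100
186[.]246[.]16[.]124:443,botnet_cc,100
193[.]106[.]8[.]24:443,botnet_cc,100
185[.]89[.]214[.]29:443,botnet_cc,99
185[.]190[.]212[.]155:443,botnet_cc,100
82[.]221[.]139[.]243:52281,botnet_cc,75
"""


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    threat_type: str
    confidence: int


@dataclass(frozen=True)
class NetworkEvent:
    """Shape of a DeviceNetworkEvents-style row; constructed for this example."""
    device: str
    process: str
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Hit:
    event: NetworkEvent
    ioc: Ioc
    port_match: bool  # True when both the IP and the feed's port line up


def refang(value: str) -> str:
    """Reverse the usual defanging so the value can be compared with real telemetry."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_iocs(text: str) -> dict[str, list[Ioc]]:
    """Parse 'ip:port,threat_type,confidence' lines into a lookup keyed by IP.
    Each IP is validated so a malformed feed entry fails loudly instead of
    silently never matching anything."""
    by_ip: dict[str, list[Ioc]] = {}
    for line in text.strip().splitlines():
        ip_port, threat_type, confidence = line.split(",")
        ip, port = refang(ip_port).rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises ValueError on garbage
        by_ip.setdefault(ip, []).append(Ioc(ip, int(port), threat_type, int(confidence)))
    return by_ip


def hunt(events: list[NetworkEvent], by_ip: dict[str, list[Ioc]]) -> list[Hit]:
    """Match on IP, as the Sentinel queries above do, and record whether the port
    also matched so an IP-only hit can be triaged as a separate tier."""
    return [
        Hit(ev, ioc, port_match=(ev.remote_port == ioc.port))
        for ev in events
        for ioc in by_ip.get(ev.remote_ip, [])
    ]


def to_kql_datatable(by_ip: dict[str, list[Ioc]], name: str = "havoc_c2") -> str:
    """Render the parsed IOCs as a KQL datatable of ip:port pairs so the hunting
    query can join on both columns instead of an IP-only 'in' list."""
    rows = ",\n".join(
        f'    "{ioc.ip}", {ioc.port}' for iocs in by_ip.values() for ioc in iocs
    )
    return f"let {name} = datatable(RemoteIP:string, RemotePort:int) [\n{rows}\n];"


# Constructed telemetry: one clean beacon, one IP-only match on the wrong port,
# one benign internal connection, and one beacon to the non-standard-port IOC.
SAMPLE_EVENTS = [
    NetworkEvent("ws01", "rundll32.exe", "185.89.214.29", 443),
    NetworkEvent("ws02", "chrome.exe", "45.67.222.21", 443),
    NetworkEvent("srv01", "VeeamAgent.exe", "10.0.0.5", 443),
    NetworkEvent("ws03", "svchost.exe", "82.221.139.243", 52281),
]

if __name__ == "__main__":
    iocs = parse_iocs(DEFANGED_IOCS)
    for hit in hunt(SAMPLE_EVENTS, iocs):
        tier = "C2 beacon" if hit.port_match else "IP match, port differs: review"
        print(f"{hit.event.device} {hit.event.process} -> "
              f"{hit.ioc.ip}:{hit.event.remote_port} ({hit.ioc.confidence}%) {tier}")
    print(to_kql_datatable(iocs))
```

The rendered datatable drops straight into Sentinel: prepend it to the Defender query and replace the `where RemoteIP in (...)` line with `| join kind=inner havoc_c2 on RemoteIP, RemotePort` to alert only on the exact pairs ThreatFox published, keeping the IP-only query for broader hunting.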
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled; it is populated by CEF-format logs (firewalls, proxies) sent through the CEF/Syslog connector |
| DeviceNetworkEvents | Ensure this data connector is enabled; it requires the Microsoft Defender XDR connector with Defender for Endpoint onboarded |
False Positive Scenarios

| Scenario | Filter/Exclusion |
|---|---|
| Scheduled system backups using Veeam Backup & Replication | Exclude processes initiated by the Veeam service or with command lines containing VeeamBackup or VeeamBackup.exe |
| Regularly executed administrative task using PowerShell to update system configurations | Exclude processes with PowerShell.exe and command lines containing Update-Configuration, Set-Item, or Invoke-Command with known admin scripts |
| Automated log rotation using logrotate on Linux servers | Exclude processes with logrotate in the command line or associated with the logrotate service, especially during scheduled times (e.g., midnight) |
| Use of PsExec for remote administrative tasks across the network | Exclude processes initiated by PsExec with command lines containing `\\` (UNC path) and known internal hostnames or IP ranges used for legitimate remote management |
| Execution of Task Scheduler jobs for software updates or patching | Exclude processes with schtasks.exe or the Task Scheduler service, especially those with known update-related command lines or scheduled at standard maintenance windows |

These exclusions are written for process-based detections. The two queries above match on the remote address, so a connection to a listed Havoc C2 address that happens to come from Veeam, PowerShell, PsExec or a scheduled task is still a hit and still needs triage; use the exclusions to suppress the benign process activity, not to drop the destination match.