The ThreatFox: Havoc IOCs rule detects potential adversary activity linked to the Havoc malware family through known indicators of compromise, which are commonly used in targeted attacks to establish persistence and exfiltrate data. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage threats before they cause significant damage to the environment.
IOC Summary
Malware Family: Havoc Total IOCs: 3 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 63[.]250[.]47[.]156:443 | botnet_cc | 2026-06-08 | 100% |
| ip:port | 89[.]125[.]255[.]5:43026 | botnet_cc | 2026-06-08 | 75% |
| ip:port | 89[.]125[.]255[.]5:9999 | botnet_cc | 2026-06-08 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
let malicious_ips = dynamic(["63.250.47.156", "89.125.255.5"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["63.250.47.156", "89.125.255.5"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: System update or patching process using msiexec.exe to install a legitimate Windows update
Filter/Exclusion: process.name == msiexec.exe and process.args contains "msi" or "update"
Scenario: Scheduled job running schtasks.exe to execute a routine maintenance task
Filter/Exclusion: process.name == schtasks.exe and process.args contains "/create" or "/run"
Scenario: Admin using PowerShell.exe to run a script for log management or compliance check
Filter/Exclusion: process.name == powershell.exe and process.args contains "log" or "compliance" or "audit"
Scenario: Database backup using sqlcmd.exe or mysqldump as part of a regular backup job
Filter/Exclusion: process.name == sqlcmd.exe or process.name == mysqldump and process.args contains "backup" or "restore"
Scenario: Network monitoring tool like tcpdump or Wireshark capturing traffic for analysis
Filter/Exclusion: process.name == tcpdump or process.name == wireshark and process.args contains "capture" or "monitor" or "analyze"