The ThreatFox: Havoc IOCs rule detects potential adversary activity linked to the Havoc malware family through known indicators of compromise, which are commonly used in targeted attacks to establish persistence and exfiltrate data. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts by advanced persistent threats.
IOC Summary
Malware Family: Havoc
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]106[.]14[.]139:8085 | botnet_cc | 2026-05-27 | 75% |
| ip:port | 164[.]90[.]206[.]5:8443 | botnet_cc | 2026-05-27 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
// Note: the published IOCs are ip:port pairs (43.106.14.139:8085 and 164.90.206.5:8443);
// this query matches on IP only, so review DestinationPort in the results to confirm
// the hit is on the listed C2 port rather than unrelated traffic to the same host.
let malicious_ips = dynamic(["43.106.14.139", "164.90.206.5"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// RemotePort is projected so the analyst can compare it against the published C2 ports.
let malicious_ips = dynamic(["43.106.14.139", "164.90.206.5"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
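The queries above match on IP address alone, while the ThreatFox entries are ip:port pairs. The following Python script, added here as an illustration and not part of the ThreatFox feed or the rule itself, refangs the defanged IOCs from the table, runs both an IP-only and a port-aware match over a few constructed CommonSecurityLog-shaped rows (sample data, not real telemetry), and emits the equivalent KQL `let` statement and a port-aware `where` clause. The function names, the `require_port` flag and the sample rows are assumptions made for this example.

```python
# Added example: refang ThreatFox ip:port IOCs and compare IP-only vs ip:port matching.
# Not part of the original rule; function names and sample rows are constructed here.

# Defanged ip:port IOCs exactly as published in the table above (ThreatFox, Havoc).
RAW_IOCS = [
    "43[.]106[.]14[.]139:8085",
    "164[.]90[.]206[.]5:8443",
]


def refang(value: str) -> str:
    """Turn a defanged indicator ('43[.]106[.]14[.]139') back into a usable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc(raw: str) -> tuple[str, int]:
    """Split a refanged 'ip:port' indicator into (ip, port)."""
    ip, port = refang(raw).rsplit(":", 1)
    return ip, int(port)


IOC_ENDPOINTS = {parse_ioc(r) for r in RAW_IOCS}   # {(ip, port), ...}
IOC_IPS = {ip for ip, _ in IOC_ENDPOINTS}          # IP-only view, as the KQL uses

# Constructed sample rows shaped like CommonSecurityLog (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "t1", "SourceIP": "10.0.0.5", "DestinationIP": "43.106.14.139",
     "DestinationPort": 8085, "DeviceAction": "allow"},   # exact ip:port hit
    {"TimeGenerated": "t2", "SourceIP": "10.0.0.8", "DestinationIP": "164.90.206.5",
     "DestinationPort": 443, "DeviceAction": "allow"},    # same host, different port
    {"TimeGenerated": "t3", "SourceIP": "10.0.0.9", "DestinationIP": "8.8.8.8",
     "DestinationPort": 53, "DeviceAction": "allow"},     # benign DNS
    {"TimeGenerated": "t4", "SourceIP": "164.90.206.5", "DestinationIP": "10.0.0.3",
     "DestinationPort": 445, "DeviceAction": "deny"},     # inbound from listed IP
]


def hunt(events, require_port: bool = False):
    """Return the events that match the IOC set.

    require_port=False mirrors the KQL above: either endpoint IP in the list.
    require_port=True only accepts the published (DestinationIP, DestinationPort)
    pair; inbound hits from a listed IP cannot be port-matched this way, so they
    are intentionally not returned in that mode.
    """
    hits = []
    for ev in events:
        if require_port:
            match = (ev["DestinationIP"], ev["DestinationPort"]) in IOC_ENDPOINTS
        else:
            match = ev["DestinationIP"] in IOC_IPS or ev["SourceIP"] in IOC_IPS
        if match:
            hits.append(ev)
    return hits


def kql_let_statement(name: str = "malicious_ips") -> str:
    """Render the IP list as the KQL 'let' line used by the rule."""
    ips = ", ".join(f'"{ip}"' for ip in sorted(IOC_IPS))
    return f"let {name} = dynamic([{ips}]);"


def kql_endpoint_filter() -> str:
    """Render a port-aware 'where' clause matching only the exact ip:port pairs."""
    clauses = [
        f'(DestinationIP == "{ip}" and DestinationPort == {port})'
        for ip, port in sorted(IOC_ENDPOINTS)
    ]
    return "| where " + " or ".join(clauses)


if __name__ == "__main__":
    print(kql_let_statement())
    print(kql_endpoint_filter())
    print("IP-only hits:", [e["TimeGenerated"] for e in hunt(SAMPLE_EVENTS)])
    print("ip:port hits:", [e["TimeGenerated"] for e in hunt(SAMPLE_EVENTS, require_port=True)])
```

Running it shows the trade-off the analyst has to make: the IP-only match returns three of the four sample rows (including the inbound deny and the port-443 connection), while the port-aware match returns only the single exact ip:port hit. The port-aware clause is tighter but will miss inbound traffic from the listed address and any C2 that has moved ports, which is why the rule projects the port columns for manual review instead of filtering on them.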
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: Scheduled system backup using Veeam Backup & Replication
  Filter/Exclusion: Exclude processes initiated by the veeam user or with the command line containing backup or snapshot.
- Scenario: Regularly executed PowerShell script for log rotation or system cleanup
  Filter/Exclusion: Exclude processes with the command line containing logrotate, clean, or rotate, or executed by the system or administrators group.
- Scenario: Windows Task Scheduler job running a legitimate maintenance script
  Filter/Exclusion: Exclude tasks scheduled under the Task Scheduler service or with job names containing maintenance, cleanup, or backup.
- Scenario: Microsoft SQL Server Agent job performing routine database maintenance
  Filter/Exclusion: Exclude processes with the command line containing sqlagent or sqlcmd, or executed under the SQLAgent service account.
- Scenario: Ansible playbook execution for configuration management
  Filter/Exclusion: Exclude processes with the command line containing ansible-playbook or ansible, or executed by the ansible user or service account.