The ThreatFox: Havoc IOCs rule detects potential adversary activity linked to the Havoc malware family by identifying known indicators of compromise associated with its infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could lead to data exfiltration or lateral movement within the network.
IOC Summary
Malware Family: Havoc
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]150[.]34[.]117:443 | botnet_cc | 2026-06-01 | 75% |
| ip:port | 82[.]156[.]224[.]184:443 | botnet_cc | 2026-06-01 | 100% |
Hunting Queries

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
// Matches on IP in either direction; the feed lists port 443, but the query
// deliberately does not filter on port so C2 that moves ports is still caught.
let malicious_ips = dynamic(["82.156.224.184", "45.150.34.117"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Havoc
let malicious_ips = dynamic(["82.156.224.184", "45.150.34.117"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
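The two queries above take the feed's indicators refanged and matched on IP only. The following Python is an added example, not part of the original rule page or of ThreatFox, showing how to turn the defanged `ip:port` rows from the IOC table into the `let malicious_ips = dynamic([...])` line the queries use, and how the same IP match (optionally tightened to IP plus port) behaves over a few constructed `DeviceNetworkEvents`-shaped records. The IOC strings are copied from the table above; the events are constructed samples, not real telemetry.

```python
"""Added example: refang ThreatFox-style ip:port IOCs, render the KQL
watchlist line, and run the rule's IP match over sample events offline.

Assumptions: IOC rows are copied from the rule's IOC table; the event
records below are constructed samples, not real telemetry.
"""
import ipaddress
import json
from typing import Dict, List, Tuple

# IOC rows exactly as they appear in the rule's table (defanged).
THREATFOX_IOCS = [
    "45[.]150[.]34[.]117:443",
    "82[.]156[.]224[.]184:443",
]


def refang_ip_port(ioc: str) -> Tuple[str, int]:
    """Convert a defanged 'a[.]b[.]c[.]d:port' string into (ip, port).

    Raises ValueError on anything that is not a valid IPv4 address and
    port, so a malformed feed line cannot silently widen the watchlist.
    """
    host, sep, port = ioc.rpartition(":")
    if not sep:
        raise ValueError(f"missing port in IOC: {ioc!r}")
    ip = str(ipaddress.IPv4Address(host.replace("[.]", ".")))
    port_num = int(port)
    if not 0 < port_num <= 65535:
        raise ValueError(f"port out of range in IOC: {ioc!r}")
    return ip, port_num


def build_kql_let(iocs: List[str], name: str = "malicious_ips") -> str:
    """Render the 'let malicious_ips = dynamic([...]);' line used by the
    rule's KQL, with IPs refanged and de-duplicated in stable order."""
    ips = list(dict.fromkeys(refang_ip_port(i)[0] for i in iocs))
    return f"let {name} = dynamic({json.dumps(ips)});"


# Constructed sample events shaped like DeviceNetworkEvents columns.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"Timestamp": "2026-06-02T10:00:01Z", "DeviceName": "ws-01",
     "RemoteIP": "82.156.224.184", "RemotePort": 443,
     "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-02T10:00:05Z", "DeviceName": "ws-02",
     "RemoteIP": "45.150.34.117", "RemotePort": 8443,
     "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2026-06-02T10:00:09Z", "DeviceName": "ws-03",
     "RemoteIP": "8.8.8.8", "RemotePort": 53,
     "InitiatingProcessFileName": "svchost.exe"},
]


def match_events(events: List[Dict[str, object]], iocs: List[str],
                 require_port: bool = False) -> List[Dict[str, object]]:
    """Return events whose RemoteIP is on the watchlist.

    The rule's KQL matches on IP only. require_port=True also demands the
    port from the feed: stricter, but it misses C2 that moves ports.
    """
    watch = {refang_ip_port(i) for i in iocs}
    watch_ips = {ip for ip, _ in watch}
    hits = []
    for ev in events:
        if require_port:
            if (ev["RemoteIP"], ev["RemotePort"]) in watch:
                hits.append(ev)
        elif ev["RemoteIP"] in watch_ips:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    print(build_kql_let(THREATFOX_IOCS))
    for hit in match_events(SAMPLE_EVENTS, THREATFOX_IOCS):
        print(hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"])
```

Running it prints the `let` line ready to paste into either query and lists the two sample hosts that reached a watchlisted IP; with `require_port=True` only the host that also used port 443 remains, which is why the page's queries leave the port unconstrained.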
Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Filter/Exclusion | Rationale |
|---|---|---|
| Scheduled system backup using Veeam | Exclude processes associated with veeam or VeeamBackupService | Veeam backups may trigger IOCs related to file access or network activity that resemble malicious behavior. |
| Admin task using PowerShell for log management with Logstash | Exclude processes with logstash or logstash-forwarder in the command line | Logstash may execute PowerShell scripts that match the IOC patterns used in the detection rule. |
| Regular patching using Windows Update or WSUS | Exclude processes related to wusa.exe or wsus | Windows Update may download and execute files that match the IOCs associated with Havoc. |
| Automated report generation using Power BI or Excel | Exclude processes with PowerBI.exe or Excel.exe | These tools may access network resources or execute scripts that could be flagged by the detection rule. |
| Database backup using SQL Server Agent Job | Exclude processes with sqlservr.exe or sqlagent.exe | SQL Server Agent jobs may trigger network or file system activity that resembles malicious behavior. |