The detection identifies potential Havoc malware activity through suspicious network behavior indicative of data exfiltration and persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to mitigate the risk of sensitive data theft and establish long-term system compromise.
IOC Summary
Malware Family: Havoc Total IOCs: 5 IOC Types: sha256_hash, domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | carrolc.com | botnet_cc | 2026-04-24 | 90% |
| domain | cwrtwright.com | botnet_cc | 2026-04-24 | 90% |
| ip:port | 45[.]61[.]136[.]30:443 | botnet_cc | 2026-04-24 | 90% |
| sha256_hash | fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a | payload | 2026-04-24 | 90% |
| sha256_hash | 59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712 | payload | 2026-04-24 | 60% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
let malicious_ips = dynamic(["45.61.136.30"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["45.61.136.30"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Havoc
let malicious_domains = dynamic(["carrolc.com", "cwrtwright.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Havoc
let malicious_hashes = dynamic(["fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a", "59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup task using rsync is transferring data to a remote server, which may trigger the rule due to network traffic patterns.
Filter/Exclusion: process.name != "rsync" OR destination_ip IN (list of known backup servers)
Scenario: Admin using curl to fetch updates from a trusted internal repository
Description: A system administrator is using curl to pull updates from an internal artifact repository, which may be flagged due to similar network behavior as Havoc.
Filter/Exclusion: process.name != "curl" OR destination_ip IN (list of internal update servers)
Scenario: Log shipping using logrotate and rsync
Description: A log rotation and shipping process using logrotate and rsync is transferring logs to a central logging server, which could be mistaken for exfiltration.
Filter/Exclusion: process.name != "logrotate" OR destination_ip IN (list of log aggregation servers)
Scenario: Internal tool using scp for file transfer between servers
Description: A legitimate internal tool or script is using scp to transfer files between servers, which may trigger the rule due to file transfer behavior.
Filter/Exclusion: process.name != "scp" OR destination_ip IN (list of internal server IPs)
Scenario: Automated CI/CD pipeline using git to push to a remote repository
Description: A CI/CD pipeline is using git to push code changes to a remote repository, which may be flagged due to network activity resembling exfiltration.
Filter/Exclusion: process.name != "git" OR `destination_ip IN (list of