← Back to SOC feed Coverage →

ThreatFox: Havoc IOCs

ioc-hunt HIGH ThreatFox
CommonSecurityLogDeviceNetworkEvents
iocthreatfoxwin-havoc
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at ThreatFox →
Retrieved: 2026-03-19T03:46:59Z · Confidence: high

Hunt Hypothesis

Hunt package for 3 IOCs associated with Havoc

IOC Summary

Malware Family: Havoc Total IOCs: 3 IOC Types: ip:port

TypeValueThreat TypeFirst SeenConfidence
ip:port159[.]89[.]99[.]190:443botnet_cc2026-03-19100%
ip:port47[.]237[.]171[.]214:443botnet_cc2026-03-18100%
ip:port136[.]0[.]41[.]11:443botnet_cc2026-03-18100%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
let malicious_ips = dynamic(["47.237.171.214", "159.89.99.190", "136.0.41.11"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["47.237.171.214", "159.89.99.190", "136.0.41.11"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled
DeviceNetworkEventsEnsure this data connector is enabled

References

Original source: https://threatfox.abuse.ch/browse/malware/win.havoc/