The ThreatFox: Havoc IOCs rule detects potential adversary activity linked to the Havoc malware family by identifying known indicators of compromise associated with its command and control infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before lateral movement and data exfiltration occur.
IOC Summary
Malware Family: Havoc
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 159[.]89[.]99[.]190:443 | botnet_cc | 2026-03-19 | 100% |
| ip:port | 47[.]237[.]171[.]214:443 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 136[.]0[.]41[.]11:443 | botnet_cc | 2026-03-18 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
let malicious_ips = dynamic(["47.237.171.214", "159.89.99.190", "136.0.41.11"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["47.237.171.214", "159.89.99.190", "136.0.41.11"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
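As an added example (not code from the rule page or from ThreatFox), the following Python refangs the page's three ip:port IOCs, renders the `dynamic([...])` IP list used by the queries above, and matches constructed connection events on the exact ip:port pair rather than IP alone. The sample events and their field names are assumptions modelled on the DeviceNetworkEvents columns projected above.

```python
import re
from typing import Iterable

# Added example (not the rule page's code). IOC values are the page's
# defanged ip:port entries; the connection events below are constructed.
DEFANGED_IOCS = ["159[.]89[.]99[.]190:443", "47[.]237[.]171[.]214:443", "136[.]0[.]41[.]11:443"]
_IPV4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

def refang(value: str) -> str:
    """Undo the '[.]' defanging so the value can be compared with log fields."""
    return value.replace("[.]", ".")

def parse_ip_port(value: str) -> tuple[str, int]:
    """Split a (possibly defanged) 'ip:port' IOC into (ip, port); reject anything else."""
    m = _IPV4_PORT.match(refang(value))
    if not m:
        raise ValueError(f"not an ip:port IOC: {value!r}")
    ip, port = m.group(1), int(m.group(2))
    if any(int(o) > 255 for o in ip.split(".")) or not 0 < port <= 65535:
        raise ValueError(f"out-of-range ip:port IOC: {value!r}")
    return ip, port

def build_ioc_set(defanged: Iterable[str]) -> set[tuple[str, int]]:
    """Parse every IOC row into an (ip, port) set for exact matching."""
    return {parse_ip_port(v) for v in defanged}

def kql_ip_list(iocs: set[tuple[str, int]]) -> str:
    """Render the distinct IPs in the dynamic([...]) form used by the KQL hunts."""
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted({ip for ip, _ in iocs})) + "])"

def match_events(events: list[dict], iocs: set[tuple[str, int]]) -> list[dict]:
    """Return events whose remote ip:port exactly matches a C2 IOC.
    Stricter than the IP-only KQL: the same host on another port is not flagged."""
    return [e for e in events if (e["RemoteIP"], e["RemotePort"]) in iocs]

# Constructed sample rows using the DeviceNetworkEvents column names from the query.
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "RemoteIP": "159.89.99.190", "RemotePort": 443, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws-02", "RemoteIP": "159.89.99.190", "RemotePort": 80, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws-03", "RemoteIP": "10.0.0.5", "RemotePort": 443, "InitiatingProcessFileName": "outlook.exe"},
    {"DeviceName": "ws-04", "RemoteIP": "136.0.41.11", "RemotePort": 443, "InitiatingProcessFileName": "rundll32.exe"},
]

if __name__ == "__main__":
    iocs = build_ioc_set(DEFANGED_IOCS)
    print(kql_ip_list(iocs))
    for hit in match_events(SAMPLE_EVENTS, iocs):
        print("HIT", hit["DeviceName"], hit["InitiatingProcessFileName"], hit["RemoteIP"], hit["RemotePort"])
```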
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule if the command includes a path or argument that matches a known Havoc IOC.
Filter/Exclusion: Exclude rsync commands executed by the backup user or within a specific backup directory (e.g., /var/backups/).
Scenario: Admin Task Using wget to Download a Known Good Artifact
Description: An administrator may use wget to download a trusted software update or configuration file that coincidentally matches a Havoc IOC.
Filter/Exclusion: Exclude wget commands where the URL matches a known internal or trusted repository (e.g., https://internal-repo.example.com/).
Scenario: Log Rotation Using logrotate
Description: The logrotate utility may generate log files with names or paths that resemble Havoc IOCs.
Filter/Exclusion: Exclude log files or commands related to logrotate or paths under /var/log/.
Scenario: Cron Job for System Monitoring Using netstat
Description: A cron job that runs netstat to monitor open ports may include output that matches Havoc IOCs due to similar formatting.
Filter/Exclusion: Exclude netstat commands executed by the root user or within a specific monitoring script directory (e.g., /opt/monitoring/).
Scenario: Docker Container Management Using docker ps
Description: The output of docker ps may include container names or IDs that resemble Havoc IOCs.
Filter/Exclusion: Exclude docker ps commands or container names that match known internal Docker services or development environments.