The ThreatFox: Havoc IOCs rule detects potential adversary activity linked to the Havoc malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may have evaded initial detection mechanisms.
IOC Summary
Malware Family: Havoc
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 139[.]59[.]84[.]11:2053 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 43[.]106[.]14[.]139:8085 | botnet_cc | 2026-05-27 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
// Addresses are the refanged ip:port IOCs from the table above. The query matches on
// address only, so compare DestinationPort against the IOC ports (2053, 8085) when triaging hits.
let malicious_ips = dynamic(["43.106.14.139", "139.59.84.11"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Havoc
// Same address list; RemotePort and InitiatingProcessFileName are projected so a hit can be
// checked against the IOC ports (2053, 8085) and against the false-positive scenarios below.
let malicious_ips = dynamic(["43.106.14.139", "139.59.84.11"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
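An added example, not part of the original rule: a Python helper that refangs the ThreatFox ip:port IOCs from the table above, emits a KQL `let` of ip:port pairs so a hunt can match address and port together, and grades constructed network events as a full ip+port hit or a weaker ip-only hit. The function names (refang, parse_ip_port, build_kql_let, classify, hunt) and the sample events are assumptions, not part of the rule.

```python
import re
from typing import Iterable, Optional, Tuple
# IOC rows copied from the table above, still in ThreatFox's defanged form: (ioc, threat_type, confidence)
HAVOC_IOCS = [
    ("139[.]59[.]84[.]11:2053", "botnet_cc", 75),
    ("43[.]106[.]14[.]139:8085", "botnet_cc", 75),
]

def refang(value: str) -> str:
    """Undo common defanging ('[.]' -> '.', 'hxxp' -> 'http') before matching."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def parse_ip_port(ioc: str) -> Tuple[str, int]:
    """Split an ip:port IOC into (ip, port); reject anything that is not IPv4:port."""
    ip, sep, port = refang(ioc).rpartition(":")
    if not sep or not port.isdigit() or not re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    return ip, int(port)

def build_kql_let(iocs: Iterable[Tuple[str, str, int]], name: str = "malicious_endpoints") -> str:
    """Emit a KQL let() of 'ip:port' strings so a hunt can match address and port together."""
    pairs = ", ".join('"%s:%d"' % parse_ip_port(ioc) for ioc, _, _ in iocs)
    return f"let {name} = dynamic([{pairs}]);"

def classify(remote_ip: str, remote_port: int, iocs=HAVOC_IOCS) -> Optional[str]:
    """'ip+port' when both match an IOC, 'ip-only' when just the address does, else None.
    An ip-only hit is weaker evidence (the host may serve other traffic), so triage it first."""
    endpoints = {parse_ip_port(ioc) for ioc, _, _ in iocs}
    if (remote_ip, int(remote_port)) in endpoints:
        return "ip+port"
    if remote_ip in {ip for ip, _ in endpoints}:
        return "ip-only"
    return None

def hunt(events, iocs=HAVOC_IOCS):
    """Return DeviceNetworkEvents-style records that touch an IOC, tagged with the verdict."""
    tagged = ((ev, classify(ev["RemoteIP"], ev["RemotePort"], iocs)) for ev in events)
    return [{**ev, "verdict": v} for ev, v in tagged if v]

if __name__ == "__main__":
    # Constructed sample records in the shape of the DeviceNetworkEvents columns queried above.
    sample = [
        {"DeviceName": "ws01", "RemoteIP": "139.59.84.11", "RemotePort": 2053, "InitiatingProcessFileName": "svchost.exe"},
        {"DeviceName": "ws02", "RemoteIP": "43.106.14.139", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
        {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 8085, "InitiatingProcessFileName": "veeam.exe"},
    ]
    print(build_kql_let(HAVOC_IOCS))
    for hit in hunt(sample):
        print(hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"], hit["verdict"])
```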
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios
| Scenario | Filter/Exclusion |
|---|---|
| Scheduled system backup using Veeam | Exclude processes initiated by veeam.exe or with command lines containing backup or snapshot. |
| Regularly scheduled log collection using Splunk | Exclude processes with splunk.exe or command lines containing collect or forward. |
| Admin task to update endpoint protection using Microsoft Defender | Exclude processes with msdefender.exe or command lines containing update or patch. |
| Automated deployment using Ansible | Exclude processes with ansible.exe or command lines containing playbook or deploy. |
| Database maintenance task using SQL Server Agent | Exclude processes with sqlservr.exe or command lines containing maintenance or backup. |