The ThreatFox: Havoc IOCs rule detects potential adversary activity linked to the Havoc malware family by identifying known indicators of compromise associated with its command and control infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to persistent, stealthy malware infections.
IOC Summary
Malware Family: Havoc Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 173[.]249[.]41[.]141:443 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 13[.]140[.]132[.]118:443 | botnet_cc | 2026-06-06 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
let malicious_ips = dynamic(["173.249.41.141", "13.140.132.118"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["173.249.41.141", "13.140.132.118"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled system backup using Veeam
Filter/Exclusion: Exclude processes associated with veeam or VeeamBackupService
Rationale: Veeam backups may trigger IOCs related to file access or network activity that resemble malicious behavior.
Scenario: Regular log collection using Splunk
Filter/Exclusion: Exclude processes with splunkd or splunkforwarder
Rationale: Splunk may execute scripts or access files that match known Havoc IOCs during log ingestion.
Scenario: Admin task: PowerShell script for system monitoring
Filter/Exclusion: Exclude processes with powershell.exe running under the LocalSystem or Administrators group
Rationale: Legitimate administrative scripts may use similar command-line arguments or file paths as malicious activity.
Scenario: Deployment of a CI/CD pipeline using Jenkins
Filter/Exclusion: Exclude processes with jenkins.exe or java -jar jenkins.war
Rationale: Jenkins may interact with remote servers or execute scripts that could match Havoc IOCs.
Scenario: Database maintenance using SQL Server Agent Jobs
Filter/Exclusion: Exclude processes with sqlservr.exe or sqlagent.exe
Rationale: SQL Server Agent jobs may access network shares or execute scripts that could be flagged by the rule.