The ThreatFox: Havoc IOCs rule detects potential adversary activity linked to the Havoc malware family through known indicators of compromise, which are associated with initial access and command and control communications. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage threats before they escalate into full-scale breaches.
IOC Summary
Malware Family: Havoc
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 173[.]249[.]41[.]141:443 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 13[.]140[.]132[.]118:443 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 153[.]75[.]251[.]219:80 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 114[.]55[.]167[.]52:443 | botnet_cc | 2026-06-06 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
let malicious_ips = dynamic(["114.55.167.52", "153.75.251.219", "13.140.132.118", "173.249.41.141"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["114.55.167.52", "153.75.251.219", "13.140.132.118", "173.249.41.141"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
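The IOC table lists ip:port pairs, while the hunting queries above match on IP alone. The following added example (not part of the ThreatFox rule or the queries above) refangs the defanged indicators, renders the same `let malicious_ips` line the queries use, and matches constructed CommonSecurityLog-style rows either on the full ip:port pair or on IP only, so the difference in hit count between the two modes is visible; the sample rows and field names are assumptions for illustration.

```python
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# Defanged ip:port indicators exactly as they appear in the IOC table above.
HAVOC_IOCS = [
    "173[.]249[.]41[.]141:443",
    "13[.]140[.]132[.]118:443",
    "153[.]75[.]251[.]219:80",
    "114[.]55[.]167[.]52:443",
]

def refang(ioc: str) -> Tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' indicator into an (ip, port) tuple."""
    ip, _, port = ioc.replace("[.]", ".").rpartition(":")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip) or not port.isdigit():
        raise ValueError(f"unexpected indicator format: {ioc!r}")
    return ip, int(port)

def kql_let(iocs: Iterable[str], name: str = "malicious_ips") -> str:
    """Render the IP-only 'let' line used by the queries above (sorted, deduplicated)."""
    ips = sorted({refang(i)[0] for i in iocs})
    return f"let {name} = dynamic({json.dumps(ips)});"

def match_events(events: List[Dict], iocs: Iterable[str], require_port: bool = True) -> List[Dict]:
    """Return events whose destination hits an indicator.

    require_port=True matches the full ip:port pair (what ThreatFox published);
    require_port=False matches on IP alone (what the KQL queries above do).
    """
    pairs: Set[Tuple[str, int]] = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for e in events:
        key = (e["DestinationIP"], int(e["DestinationPort"]))
        if key in pairs if require_port else key[0] in ips:
            hits.append(e)
    return hits

# Constructed CommonSecurityLog-style rows (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-06T10:01:00Z", "SourceIP": "10.0.0.5", "DestinationIP": "173.249.41.141", "DestinationPort": 443},
    {"TimeGenerated": "2026-06-06T10:02:00Z", "SourceIP": "10.0.0.6", "DestinationIP": "153.75.251.219", "DestinationPort": 443},  # IP hit, port differs from IOC (80)
    {"TimeGenerated": "2026-06-06T10:03:00Z", "SourceIP": "10.0.0.7", "DestinationIP": "8.8.8.8", "DestinationPort": 443},
]

if __name__ == "__main__":
    print(kql_let(HAVOC_IOCS))
    print("ip:port hits:", len(match_events(SAMPLE_EVENTS, HAVOC_IOCS)))
    print("ip-only hits:", len(match_events(SAMPLE_EVENTS, HAVOC_IOCS, require_port=False)))
```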
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam
Description: A legitimate scheduled backup job using Veeam may trigger the rule due to the use of a network share or script that matches an IOC.
Filter/Exclusion: Exclude events where the process is veeam.exe and the command line includes backup or snapshot.
Scenario: Admin Task Using PowerShell for Log Management
Description: An administrator may use PowerShell scripts (e.g., Get-EventLog, Export-Clixml) to manage logs, which could match Havoc-related IOCs.
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes Get-EventLog or Export-Clixml.
Scenario: Regular Use of Windows Task Scheduler for Maintenance
Description: A legitimate Windows Task Scheduler job (e.g., schtasks.exe) may execute scripts or tools that match Havoc IOCs.
Filter/Exclusion: Exclude events where the process is schtasks.exe and the task name contains maintenance or cleanup.
Scenario: Network Share Access for File Sync Using DFS
Description: A DFS (Distributed File System) sync operation may involve network shares that match Havoc IOCs.
Filter/Exclusion: Exclude events where the process is dfsrdisk.exe or dfsutil.exe and the network path is within the organization’s internal DFS namespace.
Scenario: Use of Microsoft Endpoint Configuration Manager (MECM) for Patch Management
Description: MECM may execute scripts or use tools that match Havoc IOCs during patch deployment.
Filter/Exclusion: Exclude events where the process is ccmexec.exe or mpcmdrun.exe and the command line includes patch or `