The ThreatFox: Havoc IOCs rule detects potential adversary activity linked to Havoc, an open-source post-exploitation command-and-control framework, by matching network telemetry against the C2 ip:port indicators published for it in ThreatFox. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain early-stage compromises before the implant establishes persistence.
IOC Summary
Malware Family: Havoc
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 62[.]109[.]19[.]44:443 | botnet_cc | 2026-06-05 | 75% |
| ip:port | 158[.]247[.]194[.]144:80 | botnet_cc | 2026-06-05 | 75% |
The two hunts below are separate queries; each declares its own `malicious_ips` list built from the table above with the defanging brackets removed. They match on IP only, so a hit on the listed port is the stronger signal; review the ports in the results.

```kql
// Hunt for network connections to known malicious IPs in CEF/Syslog data
// Source: ThreatFox - Havoc (ip:port IOCs: 62.109.19.44:443, 158.247.194.144:80)
let malicious_ips = dynamic(["62.109.19.44", "158.247.194.144"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events; the initiating process tells you
// which binary reached out, which is what makes an alert actionable on the host
let malicious_ips = dynamic(["62.109.19.44", "158.247.194.144"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog from firewalls, proxies and similar devices); the hunt matches on SourceIP and DestinationIP |
| DeviceNetworkEvents | Ensure this data connector is enabled (Microsoft Defender for Endpoint / Defender XDR); the hunt matches on RemoteIP |
False Positive Scenarios

These exclusions apply to the endpoint hunt, where InitiatingProcessFileName identifies the connecting process; CommonSecurityLog records carry no process name. Combine the conditions with `and` (or a single `not in` list): chaining `!=` tests with `or` is always true and excludes nothing. Scope any exclusion to the specific process, host and expected destination, since a scheduled job reaching a known botnet C2 address is exactly what this rule exists to catch.

Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude processes associated with veeam or VeeamBackup
Example Filter: process.name != "veeam" and process.name != "VeeamBackup"

Scenario: Regularly executed PowerShell script for log management using LogParser
Filter/Exclusion: Exclude processes with logparser.exe or scripts with known log management patterns
Example Filter: process.name != "logparser.exe" and script.name != "LogManagement.ps1"

Scenario: Windows Task Scheduler job running PsExec to remotely execute administrative tasks
Filter/Exclusion: Exclude tasks with psexec.exe or scheduled tasks with known administrative purposes
Example Filter: process.name != "psexec.exe" and task.name != "AdminTask"

Scenario: Microsoft SQL Server Agent job executing maintenance tasks such as index rebuilds
Filter/Exclusion: Exclude processes related to sqlservr.exe or tasks with known maintenance patterns
Example Filter: process.name != "sqlservr.exe" and job.name != "IndexRebuild"

Scenario: Ansible playbook execution for configuration management on managed nodes
Filter/Exclusion: Exclude processes with ansible or tasks related to configuration management
Example Filter: process.name != "ansible" and playbook.name != "config_mgmt.yml"
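The following Python is an added example, not part of the ThreatFox feed or the Sentinel rule above. It shows the same logic the two KQL hunts and the exclusion list apply, run offline: it refangs the `ip[.]addr:port` indicators from the IOC table, classifies constructed network events as an ip:port hit, an IP-only hit, excluded or clean, applies the process exclusion with set membership (the corrected `and` / `not in` form), and renders the `let malicious_ips = dynamic([...])` line the hunts start with so the list can be regenerated from a fresh pull. The event records, field names (`NetEvent`, `classify`, `kql_let`) and the sample process names are assumptions made for this example.

```python
"""Added example (not from the ThreatFox/Havoc page): refang ip:port IOCs, match
them against constructed network events the way the CommonSecurityLog and
DeviceNetworkEvents hunts do, apply process exclusions correctly, and emit the
KQL `let` line used by the hunting queries."""
from __future__ import annotations

import re
from dataclasses import dataclass

# IOCs copied from the page's table, in the defanged form ThreatFox publishes.
DEFANGED_IOCS = [
    "62[.]109[.]19[.]44:443",
    "158[.]247[.]194[.]144:80",
]


def refang(ioc: str) -> str:
    """Undo the common '[.]' and 'hxxp' defanging so the value compares to log fields."""
    return re.sub(r"\[\.\]", ".", ioc).replace("hxxp", "http")


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split a refanged 'ip:port' indicator into its parts."""
    ip, _, port = refang(ioc).rpartition(":")
    return ip, int(port)


IOC_ENDPOINTS = {parse_ip_port(i) for i in DEFANGED_IOCS}  # {(ip, port), ...}
IOC_IPS = {ip for ip, _ in IOC_ENDPOINTS}


@dataclass
class NetEvent:
    """Minimal stand-in (assumed shape) for a CommonSecurityLog or DeviceNetworkEvents row."""
    source: str            # "CommonSecurityLog" or "DeviceNetworkEvents"
    remote_ip: str
    remote_port: int
    process: str | None    # only endpoint telemetry carries an initiating process name


def classify(ev: NetEvent, excluded_processes: frozenset[str] = frozenset()) -> str:
    """Return 'ip_port_match', 'ip_match', 'excluded' or 'clean'.

    An ip:port hit is the strongest signal; an IP-only hit is still worth review
    because a C2 listener may move ports. Exclusions use set membership
    (process NOT IN {...}); chaining `!=` tests with `or` would exclude nothing.
    Keep the exclusion list narrow: a backup agent talking to a known C2 address
    still deserves a look.
    """
    if ev.process is not None and ev.process.lower() in excluded_processes:
        return "excluded"
    if (ev.remote_ip, ev.remote_port) in IOC_ENDPOINTS:
        return "ip_port_match"
    if ev.remote_ip in IOC_IPS:
        return "ip_match"
    return "clean"


def kql_let(name: str = "malicious_ips") -> str:
    """Render the `let` line the page's KQL hunts start with, from the refanged IOC set."""
    ips = ", ".join(f'"{ip}"' for ip in sorted(IOC_IPS))
    return f"let {name} = dynamic([{ips}]);"


def hunt(events: list[NetEvent], excluded: frozenset[str] = frozenset()) -> list[tuple]:
    """Run classify() over a batch and return (source, ip, port, verdict) rows."""
    return [(ev.source, ev.remote_ip, ev.remote_port, classify(ev, excluded)) for ev in events]


# Constructed sample events for the demonstration; not real telemetry.
SAMPLE_EVENTS = [
    NetEvent("CommonSecurityLog", "62.109.19.44", 443, None),
    NetEvent("DeviceNetworkEvents", "158.247.194.144", 8080, "rundll32.exe"),
    NetEvent("DeviceNetworkEvents", "158.247.194.144", 80, "veeam.backup.service.exe"),
    NetEvent("DeviceNetworkEvents", "13.107.42.14", 443, "msedge.exe"),
]

if __name__ == "__main__":
    print(kql_let())
    for row in hunt(SAMPLE_EVENTS, frozenset({"veeam.backup.service.exe"})):
        print(row)
```

Running the block prints the regenerated `let` line followed by one verdict per sample event: the CEF record to 62.109.19.44:443 is an ip:port match, the rundll32.exe connection to 158.247.194.144:8080 is an IP-only match that still warrants triage, the Veeam connection is suppressed only because its process name is in the exclusion set, and the Edge connection is clean.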