The ThreatFox: Havoc IOCs rule detects potential adversary activity linked to the Havoc malware family through known indicators of compromise, which are commonly used in initial access and command and control operations. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats that may be establishing a foothold in the network.
IOC Summary

Malware Family: Havoc
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 8[.]208[.]80[.]165:443 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 47[.]236[.]24[.]112:80 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 47[.]236[.]24[.]112:443 | botnet_cc | 2026-05-30 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
let malicious_ips = dynamic(["47.236.24.112", "8.208.80.165"]);
// Ports observed in the ThreatFox ip:port indicators above (443 and 80)
let malicious_ports = dynamic([80, 443]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// Flag hits whose destination port also matches the indicator, to prioritise triage
| extend PortMatch = DestinationPort in (malicious_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Havoc
let malicious_ips = dynamic(["47.236.24.112", "8.208.80.165"]);
let malicious_ports = dynamic([80, 443]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend PortMatch = RemotePort in (malicious_ports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
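The queries above match on IP address alone, so a shared or re-assigned address produces hits on unrelated ports. The following query is an added example (not part of the ThreatFox feed or this rule) that carries the exact ip:port pairs from the table above into a `datatable` and joins on both fields; it assumes the `DeviceNetworkEvents` table is onboarded and that port-level precision is wanted over raw IP recall.

```kusto
// Added example: exact ip:port matching for the Havoc indicators listed above.
// The rows below are the three ThreatFox IOCs from this page, with their confidence scores.
let havoc_iocs = datatable(RemoteIP: string, RemotePort: int, FirstSeen: datetime, Confidence: int) [
    "8.208.80.165",  443, datetime(2026-05-31), 100,
    "47.236.24.112", 80,  datetime(2026-05-31), 100,
    "47.236.24.112", 443, datetime(2026-05-30), 75
];
DeviceNetworkEvents
| where Timestamp > ago(30d)
// Cheap prefilter on the IP set before the join touches every row
| where RemoteIP in (havoc_iocs | project RemoteIP)
// Inner join on the (ip, port) pair: a hit on the IP with an unlisted port is dropped here
| join kind=inner havoc_iocs on RemoteIP, RemotePort
| summarize FirstHit = min(Timestamp), LastHit = max(Timestamp), Hits = count(),
            Processes = make_set(InitiatingProcessFileName, 10)
    by DeviceName, RemoteIP, RemotePort, Confidence, FirstSeen
// Highest-confidence indicators and the most recent activity first
| order by Confidence desc, LastHit desc
```

Hosts that appear with the 75% confidence pair only may warrant a second look at the process set before escalation, since the lower score reflects less corroboration in the feed.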
False Positive Scenarios

- Scenario: Scheduled system backup using Veeam Backup & Replication
  - Filter/Exclusion: Exclude processes associated with veeam or VeeamBackup
  - Rationale: Veeam may execute scripts or use similar command-line tools that could match Havoc IOCs during backup operations.
- Scenario: PowerShell script execution for routine system monitoring using Windows Event Log Analysis
  - Filter/Exclusion: Exclude processes with powershell.exe and command-line arguments containing eventlog or Get-EventLog
  - Rationale: Legitimate monitoring scripts may use PowerShell commands that resemble malicious activity.
- Scenario: Ansible playbook execution for configuration management on Linux servers
  - Filter/Exclusion: Exclude processes with ansible and command-line arguments containing playbook or ansible-playbook
  - Rationale: Ansible may execute commands that appear similar to malicious payloads during configuration updates.
- Scenario: SQL Server Agent job running scheduled maintenance tasks
  - Filter/Exclusion: Exclude processes with sqlagent.exe or sqlservr.exe and command-line arguments containing job or schedule
  - Rationale: SQL Server Agent jobs may execute scripts or commands that match Havoc IOCs during routine maintenance.
- Scenario: Windows Task Scheduler running a legitimate PowerShell script for log rotation
  - Filter/Exclusion: Exclude processes with schtasks.exe and command-line arguments containing logrotate or rotate logs
  - Rationale: Log rotation scripts may use similar command structures to those associated with Havoc.