The ThreatFox: Havoc IOCs rule detects potential adversary activity linked to the Havoc malware family by identifying known indicators of compromise associated with this threat group. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks from advanced persistent threats leveraging Havoc.
IOC Summary

- Malware Family: Havoc
- Total IOCs: 2
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 177[.]104[.]165[.]104:8443 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 185[.]190[.]142[.]121:8443 | botnet_cc | 2026-06-15 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
// Note: the IOC table lists these addresses with port 8443; match on IP alone here
// so that the same C2 host is caught even if the port changes.
let malicious_ips = dynamic(["185.190.142.121", "177.104.165.104"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Havoc
let malicious_ips = dynamic(["185.190.142.121", "177.104.165.104"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
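The two hunting queries above take the IOC table's defanged `ip:port` values and match them against telemetry. The added example below (not part of the original rule, and not ThreatFox or Sentinel code) shows the glue a SOC engineer typically writes around such a rule: refanging the `ip[.]x[.]y[.]z:port` strings, generating the `let malicious_ips = ...` line so the query stays in sync with the feed, and matching constructed `DeviceNetworkEvents`-style records either on IP alone (as the queries do) or on the exact `ip:port` pair from the table. The `SAMPLE_EVENTS` records are constructed, not real telemetry.

```python
import re

# Constructed copy of this page's IOC table values (defanged ip:port strings).
HAVOC_IOCS = [
    "177[.]104[.]165[.]104:8443",
    "185[.]190[.]142[.]121:8443",
]

def refang(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'ip[.]x[.]y[.]z:port' IOC into an (ip, port) tuple."""
    ip, _, port = ioc.replace("[.]", ".").rpartition(":")
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip) or not port.isdigit():
        raise ValueError(f"unexpected IOC format: {ioc!r}")
    return ip, int(port)

def build_kql_let(iocs) -> str:
    """Emit the `let malicious_ips = dynamic([...])` line used by the hunting queries."""
    ips = sorted({refang(i)[0] for i in iocs})
    return "let malicious_ips = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"

def match_events(events, iocs, require_port: bool = False) -> list:
    """Return events whose RemoteIP is an IOC; with require_port the RemotePort must also match."""
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for ev in events:
        if require_port:
            matched = (ev["RemoteIP"], ev["RemotePort"]) in pairs
        else:
            matched = ev["RemoteIP"] in ips
        if matched:
            hits.append(ev)
    return hits

# Constructed DeviceNetworkEvents-style records for demonstration only.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "185.190.142.121", "RemotePort": 8443, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws02", "RemoteIP": "185.190.142.121", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 8443, "InitiatingProcessFileName": "veeam.exe"},
]

if __name__ == "__main__":
    print(build_kql_let(HAVOC_IOCS))
    for hit in match_events(SAMPLE_EVENTS, HAVOC_IOCS):
        print("IP match:", hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"])
    for hit in match_events(SAMPLE_EVENTS, HAVOC_IOCS, require_port=True):
        print("ip:port match:", hit["DeviceName"], hit["InitiatingProcessFileName"])
```

Matching on IP alone (the default, mirroring the page's queries) also flags the port-443 connection from ws02, which is the right trade-off for a C2 host but is where the exclusions listed below come in.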
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: Scheduled system backup using Veeam
  - Filter/Exclusion: Exclude file paths containing "VeeamBackup" or process names with "Veeam"
  - Rationale: Veeam backups may generate activity that matches Havoc IOCs, such as file creation or network connections.
- Scenario: Admin task: Windows Update via Group Policy
  - Filter/Exclusion: Exclude processes with "wuauclt.exe" or file paths containing "WindowsUpdate"
  - Rationale: Windows Update processes may interact with network resources that could be flagged by the Havoc IOC detection logic.
- Scenario: Legitimate use of PowerShell for script execution (e.g., deploying software)
  - Filter/Exclusion: Exclude processes with "powershell.exe" where the command line includes "Deploy" or "Install"
  - Rationale: PowerShell scripts used for legitimate deployments may trigger IOC patterns associated with malicious activity.
- Scenario: Network discovery via nmap for internal network mapping
  - Filter/Exclusion: Exclude processes with "nmap.exe" or network scans targeting internal IP ranges (e.g., 192.168.0.0/16)
  - Rationale: Network discovery tools like nmap may generate traffic patterns that resemble malicious network behavior.
- Scenario: Use of PsExec for remote administration tasks
  - Filter/Exclusion: Exclude processes with "psexec.exe" or command lines containing "RemoteAdmin" or "Invoke-Command"
  - Rationale: PsExec is a legitimate tool for remote administration but may be flagged due to its ability to execute commands remotely, similar to malicious payloads.