Hunt hypothesis: adversaries use malicious URLs associated with the elf malware family to exfiltrate data or establish command and control. SOC teams should proactively hunt for these URLs (and the hosts serving them) in Azure Sentinel to identify and mitigate potential data breaches and lateral movement attempts.
IOC Summary
Threat: elf
Total URLs: 58
Active URLs: 5
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://129.121.114.124/Se9I | online | malware_download | 2026-06-22 |
| hxxp://129.121.114.124/rH4 | online | malware_download | 2026-06-22 |
| hxxp://129.121.114.124/XKw | online | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/788359 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/087de7 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/881c88 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/924e89 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/b95719 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/6d6e73 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/e929e0 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/9bbae5 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/cf637d | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/f2698a | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/897603 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/df996e | offline | malware_download | 2026-06-22 |
| hxxp://129.121.114.124/Fts | offline | malware_download | 2026-06-22 |
| hxxp://129.121.114.124/AMt | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/f816f5 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/b4d9d7 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/0a8252 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/683ff5 | offline | malware_download | 2026-06-22 |
| hxxp://5.182.210.61/1cf553 | offline | malware_download | 2026-06-22 |
| hxxp://129.121.114.124/N2sh | online | malware_download | 2026-06-22 |
| hxxp://129.121.114.124/45u | online | malware_download | 2026-06-22 |
| hxxp://129.121.114.124/UuZ4 | offline | malware_download | 2026-06-22 |
```kusto
// Hunt for DNS activity involving the URLhaus IOC hosts
// Threat: elf
// Both hosts from the IOC table are IP literals, so a DNS *query name* will rarely
// match them; the resolved answers (IPAddresses) are the more useful column.
let malicious_hosts = dynamic(["129.121.114.124", "5.182.210.61"]);
DnsEvents
| where IPAddresses has_any (malicious_hosts) or Name has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy traffic to the URLhaus IOC hosts
// Threat: elf
let malicious_hosts = dynamic(["129.121.114.124", "5.182.210.61"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled system update job downloads a legitimate ELF binary from a known repository
Filter/Exclusion: Exclude URLs matching `https://github\.com/.*\.tar\.gz$` or `https://packages\.debian\.org/.*\.deb$`
Context: System update jobs often pull ELF binaries from trusted sources like GitHub or Debian repositories.

Scenario: Admin uses strace to debug a legitimate ELF executable during incident response
Filter/Exclusion: Exclude processes with exe_name containing strace or gdb; scope the exclusion to the analysts' hosts or accounts rather than applying it fleet-wide, since a bare process-name match is trivial to satisfy.
Context: Security tools like strace or gdb are commonly used to analyze binaries during investigations.

Scenario: CI/CD pipeline pulls a signed ELF binary from a private artifact registry
Filter/Exclusion: Exclude URLs containing `artifactory\.internal/` or `nexus\.internal/`
Context: Internal artifact repositories are used to store signed and trusted ELF binaries for development and deployment.

Scenario: User downloads a legitimate open-source ELF tool from a public mirror
Filter/Exclusion: Exclude URLs matching `https://ftp\.gnu\.org/` or `https://ftp\.gnu\.org/gnu/` (the second pattern is a subset of the first)
Context: Open-source tools like gcc, make, or git are often distributed through well-known GNU mirrors.

Scenario: Log collection agent uploads logs to a centralized SIEM system using an ELF-based agent
Filter/Exclusion: Exclude URLs containing logstash, splunk, or elasticsearch in the path
Context: Log shipping agents like Filebeat or Fluentd may use ELF binaries to communicate with SIEM systems.
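As an added example (not part of the original hunt page), the following Python shows the same logic the KQL queries and the exclusion scenarios describe, applied offline to constructed proxy log lines: refang the hxxp:// IOC URLs, derive the host list (rendered as the `dynamic([...])` literal the queries use), then triage each log line so that a known-bad host is always a hit, the page's allowlist regexes suppress benign ELF downloads, and everything else is clean. The IOC subset, log format and helper names are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the IOC table above (defanged URLhaus-style rows).
IOC_ROWS = [
    ("hxxp://129.121.114.124/Se9I", "online"),
    ("hxxp://5.182.210.61/788359", "offline"),
    ("hxxp://129.121.114.124/N2sh", "online"),
]

# Exclusion regexes taken from the false-positive scenarios on this page.
EXCLUSIONS = [re.compile(p) for p in (
    r"^https://github\.com/.*\.tar\.gz$",
    r"^https://packages\.debian\.org/.*\.deb$",
    r"artifactory\.internal/",
    r"nexus\.internal/",
)]

def refang(url):
    """Convert a defanged hxxp:// URL back to http:// so it can match log data."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def ioc_hosts(rows, include_offline=True):
    """Distinct hosts to hunt for. Offline URLs stay in by default because
    historical logs may predate the takedown (assumption for this example)."""
    hosts = set()
    for url, status in rows:
        if include_offline or status == "online":
            hosts.add(urlsplit(refang(url)).hostname)
    return sorted(hosts)

def to_kql_dynamic(hosts):
    """Render the host list as the dynamic([...]) literal used in the KQL above."""
    return "dynamic([" + ", ".join(f'"{h}"' for h in hosts) + "])"

def triage(log_line, hosts):
    """Constructed proxy log format: '<time> <src_ip> <method> <url> <status>'.
    Returns (src_ip, url, verdict) with verdict 'hit', 'excluded' or 'clean'.
    The IOC check runs first so an allowlist pattern can never hide a known-bad host."""
    _, src, _, url, _ = log_line.split()
    if urlsplit(url).hostname in hosts:
        return src, url, "hit"
    if any(p.search(url) for p in EXCLUSIONS):
        return src, url, "excluded"
    return src, url, "clean"
```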