This hunt hypothesis covers adversaries staging ELF (Linux) payloads on the URLhaus-listed hosts below. Note that `elf` is a URLhaus file-format tag, not a malware family: every URL in the list is classified malware_download, meaning it serves the binary a compromised device fetches as its next stage, not a command-and-control or exfiltration endpoint. The three `Mozi.m` URLs on high, non-standard ports use the file name the Mozi IoT botnet gives its stager; the remaining twelve are six-character hex paths on a single host, 45.205.1.59. SOC teams should proactively hunt in Microsoft Sentinel (formerly Azure Sentinel) for any internal host that contacted these addresses: a hit indicates a device, typically an IoT or embedded Linux system, that has already been compromised and is pulling its second stage, so it must be isolated before it is used for lateral movement or data theft.
IOC Summary

Threat: elf
Total URLs: 15
Active URLs: 0

All 15 URLs were already offline when listed, so this is a retrospective hunt: search historical proxy, firewall and DNS logs for past contacts rather than waiting for new connections, and treat an earlier denied or allowed fetch as evidence that the source device is infected.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://124.29.214.246:45833/Mozi.m | offline | malware_download | 2026-06-06 |
| hxxp://45.120.161.209:56639/Mozi.m | offline | malware_download | 2026-06-06 |
| hxxp://110.39.244.198:56759/Mozi.m | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/f9460d | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/8f4c61 | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/7dc165 | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/badf9b | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/4de1fb | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/cff527 | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/f79a43 | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/35cdda | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/18a84f | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/2fc2f3 | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/1bedf9 | offline | malware_download | 2026-06-06 |
| hxxp://45.205.1.59/1fbb47 | offline | malware_download | 2026-06-06 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts (threat tag: elf)
// Caveat: every IOC above is a bare IP, so a direct fetch generates no DNS query at all.
// This query only catches a name that resolved to one of the IPs; run the network query
// below as the primary hunt. The IPs are matched against the answer field, not the query name.
let malicious_ips = dynamic(["124.29.214.246", "45.205.1.59", "45.120.161.209", "110.39.244.198"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for proxy/firewall traffic to URLhaus malicious hosts (threat tag: elf)
// Match on DestinationIP as well as the URL: proxies log the full URL, but firewalls
// usually log only the destination IP and port, and DestinationHostName may be empty.
let malicious_ips = dynamic(["124.29.214.246", "45.205.1.59", "45.120.161.209", "110.39.244.198"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
// A denied request still means the source host attempted the download; keep DeviceAction visible.
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connectors for proxies and firewalls; ensure the devices that see egress traffic forward to it, and that RequestURL is populated for proxy events |
| DnsEvents | Populated by the DNS Analytics connector on Windows DNS servers; ensure it is enabled, but expect no hits for direct-to-IP fetches |
False-positive scenarios and tuning. Because every indicator in this list is a bare IP (on a non-standard port or a six-character hex path), the domain-based exclusions below will not change the results for this IOC set; they are the generic tuning pattern for URL hunts and matter when the list is extended with hostname-based indicators. Exclusions should always be scoped to the internal source or the internal domain, never to the destination indicator itself.

Scenario: A system administrator is manually testing a new URL shortener tool by generating and visiting a set of test URLs.
Filter/Exclusion: Exclude requests whose URL host is the internal shortener (e.g., short.url) or that carry a designated test query parameter (e.g., ?test=1). Exclude only the shortener host: a shortener can redirect to a malicious host, and the follow-on request must still be matched.

Scenario: A scheduled job runs a nightly script that fetches and processes internal documentation hosted on a secure internal URL.
Filter/Exclusion: Exclude requests whose URL host is the internal documentation domain (e.g., doc.internalcorp.com) or that match a specific path pattern (e.g., /docs/).

Scenario: A developer is using a CI/CD pipeline to push code to a staging environment, which involves accessing a staging URL for artifact downloads.
Filter/Exclusion: Exclude requests whose URL host is the staging environment domain (e.g., staging.example.com) or that include a specific CI/CD job identifier (e.g., job-id-1234).

Scenario: An IT support team member is accessing a known internal support portal URL to troubleshoot a user issue.
Filter/Exclusion: Exclude requests whose URL host is the internal support portal domain (e.g., support.example.com) or that include a specific support ticket ID (e.g., ticket-5678).

Scenario: A security analyst is using a threat intelligence tool to manually check URLs against a local database of known malicious domains.
Filter/Exclusion: Exclude by the tool's source address (e.g., the SourceIP of ti-tool.example.com) or by a query parameter indicating a manual check (e.g., ?check=manual). Do not exclude by the checked URL, since that URL is the indicator being hunted; and if the tool actually fetches samples, treat its source address as the one legitimate exclusion for this IOC set.
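The matching logic of the hunt queries and the source-based exclusion described in the last scenario, as an added Python example that is not part of the original page: it refangs the defanged URLhaus URLs, extracts hosting IP and path, and runs them over a few constructed proxy-log records. The sample records, the 10.0.0.0/8 source addresses and the TI_SANDBOX_SOURCES exclusion are assumptions for the demonstration; the IOC subset is copied from the table above. It also shows why the match must be an exact IP comparison rather than a substring test.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# URLhaus exports indicators defanged ("hxxp://", sometimes "[.]"); refang before parsing.
def refang(url: str) -> str:
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")

# A subset of the IOC table above, in URLhaus' defanged form.
URLHAUS_IOCS = [
    "hxxp://124.29.214.246:45833/Mozi.m",
    "hxxp://45.120.161.209:56639/Mozi.m",
    "hxxp://110.39.244.198:56759/Mozi.m",
    "hxxp://45.205.1.59/f9460d",
    "hxxp://45.205.1.59/8f4c61",
]

def build_indicators(iocs):
    """Split defanged URLs into a set of hosting IPs and a set of (ip, path) pairs."""
    hosts, host_paths = set(), set()
    for ioc in iocs:
        parts = urlsplit(refang(ioc))
        ipaddress.ip_address(parts.hostname)  # every IOC on this page is a bare IP; raises otherwise
        hosts.add(parts.hostname)
        host_paths.add((parts.hostname, parts.path))
    return hosts, host_paths

# Constructed sample records (not real data), one per line:
# timestamp source_ip destination_ip destination_port request_url device_action
SAMPLE_LOG = """\
2026-06-06T01:02:03Z 10.0.0.15 124.29.214.246 45833 http://124.29.214.246:45833/Mozi.m allow
2026-06-06T01:05:00Z 10.0.0.22 45.205.1.59 80 http://45.205.1.59/f9460d deny
2026-06-06T01:06:10Z 10.0.0.22 145.205.1.59 80 http://145.205.1.59/f9460d allow
2026-06-06T01:07:30Z 10.0.0.9 45.205.1.59 80 http://45.205.1.59/index.html allow
2026-06-06T01:09:00Z 10.0.0.250 45.205.1.59 80 http://45.205.1.59/8f4c61 allow
"""

# Hypothetical: the analyst sandbox that fetches samples on purpose (the last
# false-positive scenario above). Excluded by source address, never by URL.
TI_SANDBOX_SOURCES = frozenset({"10.0.0.250"})

def hunt(log_text, iocs, excluded_sources=frozenset()):
    """Return one hit per record that reached a listed host, tagged 'url' for an exact
    URL match or 'host' for a contact with the hosting IP on an unlisted path."""
    hosts, host_paths = build_indicators(iocs)
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, _dport, url, action = line.split()
        if src in excluded_sources:
            continue
        u = urlsplit(url)
        # Exact IP comparison: a substring test would also fire on 145.205.1.59.
        if dst in hosts or u.hostname in hosts:
            match = "url" if (u.hostname, u.path) in host_paths else "host"
            hits.append({"time": ts, "src": src, "url": url, "action": action, "match": match})
    return hits

def naive_substring_hits(log_text, iocs):
    """The anti-pattern for comparison: a 'contains' check on the raw IP string."""
    hosts, _ = build_indicators(iocs)
    return [line for line in log_text.splitlines() if any(ip in line for ip in hosts)]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG, URLHAUS_IOCS, TI_SANDBOX_SOURCES):
        print(h)
    print(len(naive_substring_hits(SAMPLE_LOG, URLHAUS_IOCS)), "lines via naive substring match")
```

Three things to take from the run: the denied request from 10.0.0.22 is still a hit, because the device attempted the download; the contact with 45.205.1.59 on an unlisted path is reported at host level, since that server hosts twelve listed payloads and an unlisted path is more likely a new sample than a benign page; and the record for 145.205.1.59 is correctly ignored, while the naive substring check counts it. The same distinction holds in Sentinel: prefer `DestinationIP in (...)` over `contains` on the IP string.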