The hunt hypothesis detects adversaries using malicious URLs associated with the elf malware family to exfiltrate data or establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data breaches and lateral movement attempts.
IOC Summary
Threat: elf
Total URLs: 13
Active URLs: 13
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://85.204.125.76/a-r.m-7.Sakura | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/bot | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/p-p.c-.Sakura | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/a-r.m-6.Sakura | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/i-5.8-6.Sakura | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/a-r.m-5.Sakura | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/m-p.s-l.Sakura | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/a-r.m-4.Sakura | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/m-i.p-s.Sakura | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/s-h.4-.Sakura | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/x-3.2-.Sakura | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/m-6.8-k.Sakura | online | malware_download | 2026-05-23 |
| hxxp://85.204.125.76/x-8.6-.Sakura | online | malware_download | 2026-05-23 |
```kql
// Hunt for DNS activity involving the URLhaus indicators
// Threat: elf
// The URLhaus list for this threat resolves to a single IP, so the indicator is an
// address rather than a hostname. Matching Name alone would never hit an IP, so the
// resolved-answer column (IPAddresses) is checked as well; Name is kept for hostname IOCs.
let malicious_domains = dynamic(["85.204.125.76"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to the URLhaus indicators
// Threat: elf
// DestinationIP is checked in addition to the URL and hostname fields because the
// indicator is an IP address and some proxies do not populate DestinationHostName.
let malicious_domains = dynamic(["85.204.125.76"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
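The queries above match on the bare IP, so any request to 85.204.125.76 is a hit regardless of path. The following is an added example (not part of the original hunt or of URLhaus) that matches the full host-and-path pairs from the IOC table instead, so each hit is tied to a specific listed download URL. It assumes the hxxp defanging is reversed to http, that `parse_url()` receives a scheme (one is prepended when the proxy logs a scheme-less URL), and that `SourceHostName` and `DestinationIP` are populated in `CommonSecurityLog`.

```kql
// Added example: exact host + path matching against the 13 URLhaus entries.
// URLs are refanged (hxxp -> http) so that parse_url() can split them.
let urlhaus_iocs = datatable(ioc_url:string, threat:string) [
    "http://85.204.125.76/a-r.m-7.Sakura", "elf",
    "http://85.204.125.76/bot",            "elf",
    "http://85.204.125.76/p-p.c-.Sakura",  "elf",
    "http://85.204.125.76/a-r.m-6.Sakura", "elf",
    "http://85.204.125.76/i-5.8-6.Sakura", "elf",
    "http://85.204.125.76/a-r.m-5.Sakura", "elf",
    "http://85.204.125.76/m-p.s-l.Sakura", "elf",
    "http://85.204.125.76/a-r.m-4.Sakura", "elf",
    "http://85.204.125.76/m-i.p-s.Sakura", "elf",
    "http://85.204.125.76/s-h.4-.Sakura",  "elf",
    "http://85.204.125.76/x-3.2-.Sakura",  "elf",
    "http://85.204.125.76/m-6.8-k.Sakura", "elf",
    "http://85.204.125.76/x-8.6-.Sakura",  "elf"
];
// Split each indicator into host and path once, so the join below is an exact comparison.
let ioc_parts = urlhaus_iocs
    | extend p = parse_url(ioc_url)
    | project ioc_url, threat, ioc_host = tostring(p.Host), ioc_path = tostring(p.Path);
CommonSecurityLog
| where isnotempty(RequestURL)
// Some proxies log "host/path" without a scheme; prepend one so parse_url() works (assumption).
| extend r = parse_url(iff(RequestURL startswith "http", RequestURL, strcat("http://", RequestURL)))
| extend req_host = tostring(r.Host), req_path = tostring(r.Path)
// Inner join: only requests whose host AND path equal a listed indicator survive.
| join kind=inner (ioc_parts) on $left.req_host == $right.ioc_host, $left.req_path == $right.ioc_path
| project TimeGenerated, SourceIP, SourceHostName, RequestURL, DestinationIP, DeviceAction, ioc_url, threat
| order by TimeGenerated desc
```

Because the join is exact, a request to the same IP with a path that is not in the list (a scan, a different payload name) is not returned; run it alongside the IP-only query rather than instead of it, since the IP-only query catches new paths on the same host.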
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL filtering tool by accessing a known benign URL that matches the pattern of a malicious URL in the URLhaus database.
Filter/Exclusion: Exclude URLs that match the internal testing domain or include a specific test query parameter like ?test=1.
Scenario: A scheduled job runs a script to download and verify software updates from a trusted internal repository, which happens to use a URL format that matches the malicious URL pattern.
Filter/Exclusion: Exclude URLs that contain the internal repository domain or match a specific update script name pattern.
Scenario: A user is accessing a legitimate internal portal that uses a URL structure similar to those in the URLhaus list, such as https://internal.portal.example.com/elf/....
Filter/Exclusion: Exclude URLs that originate from the internal portal domain or include a specific path prefix like /elf/.
Scenario: A DevOps team is using a CI/CD pipeline tool (e.g., Jenkins) to deploy code, and the deployment script includes a URL to a temporary artifact storage location that matches the malicious URL pattern.
Filter/Exclusion: Exclude URLs that include the Jenkins server IP or match the artifact storage path pattern.
Scenario: An IT support technician is using a remote desktop tool (e.g., Microsoft Remote Desktop) to access a corporate server, and the connection URL matches the pattern of a malicious URL in the URLhaus list.
Filter/Exclusion: Exclude URLs that contain the internal RDP server IP or match the RDP connection string format.
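The five scenarios above describe exclusions for look-alike URLs rather than for the IOC IP itself. The following is an added example (not part of the original hunt) that widens the web-traffic hunt from the bare IP to the path pattern shared by every listed URL (all payload paths end in `.Sakura`) and then applies the scenarios' exclusions only to those pattern-based hits, so traffic to the real URLhaus IP is never suppressed. The internal hostnames, the test source addresses and the `/elf/` prefix are placeholders chosen to mirror the scenarios; `parse_url()` is given a scheme when the proxy logs a scheme-less URL.

```kql
// Added example: pattern-widened hunt with scoped false-positive exclusions.
let malicious_domains = dynamic(["85.204.125.76"]);
// Placeholder internal hosts whose URLs may resemble the IOC pattern (scenarios 2 to 5).
let internal_hosts = dynamic([
    "internal.portal.example.com",   // internal portal
    "updates.internal.example.com",  // trusted update repository
    "jenkins.internal.example.com",  // CI/CD server
    "rdp.internal.example.com"       // remote desktop gateway
]);
// Placeholder source addresses that generate test or automation traffic on purpose
// (admin test box, scheduled update job, CI/CD agent).
let test_sources = dynamic(["10.0.5.21", "10.0.5.22"]);
CommonSecurityLog
| where isnotempty(RequestURL)
| extend u = parse_url(iff(RequestURL startswith "http", RequestURL, strcat("http://", RequestURL)))
| extend req_host  = tostring(u.Host),
         req_path  = tostring(u.Path),
         req_test  = tostring(u["Query Parameters"]["test"])   // scenario 1: ?test=1
// Candidate hits: the known IOC IP, or any host serving a ".Sakura" payload path.
| extend known_ioc = req_host in (malicious_domains) or DestinationIP in (malicious_domains)
| where known_ioc or req_path endswith ".Sakura"
// Exclusions taken from the false-positive scenarios.
| extend excluded = req_host in~ (internal_hosts)    // scenarios 2 to 5: internal hosts
    or req_path startswith "/elf/"                   // scenario 3: internal portal path prefix
    or SourceIP in (test_sources)                    // scenarios 1, 2, 4: known test/automation sources
    or req_test == "1"                               // scenario 1: explicit filter-test marker
// Keep every hit on the real IOC IP; drop only pattern-based hits that match an exclusion.
| where known_ioc or not(excluded)
| extend match_reason = iff(known_ioc, "known URLhaus IP", ".Sakura path pattern")
| project TimeGenerated, SourceIP, SourceHostName, RequestURL, DestinationIP, DeviceAction, match_reason
| order by TimeGenerated desc
```

Keeping the exclusions inside an `excluded` flag that is only consulted when `known_ioc` is false is the important design choice: an allowlist that also filtered hits on 85.204.125.76 would let a compromised Jenkins agent or scheduled job fetch the listed payloads unseen. Review `match_reason` separately, since the `.Sakura` pattern is a weaker signal than the IP and will need tuning as new internal look-alikes appear.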