The detection identifies potential adversary activity involving malicious URLs carrying the elf threat tag in URLhaus, which could be used to deliver payloads or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging these known malicious URLs.
IOC Summary

Threat: elf | Total URLs: 2 | Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://152.236.3.29/godisdead.3 | online | malware_download | 2026-06-13 |
| hxxp://152.236.3.29/godisdead.2 | online | malware_download | 2026-06-13 |

The URLs are listed defanged (hxxp). Both are hosted on the same IP address, 152.236.3.29, which is the indicator the hunting queries below key on.
```kusto
// Hunt for DNS activity involving URLhaus indicators
// Threat: elf
// The indicator is an IP address, not a hostname, so match it against the
// resolved addresses (IPAddresses) as well as the queried name.
let malicious_hosts = dynamic(["152.236.3.29"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy/firewall traffic to URLhaus indicators
// Threat: elf
// DestinationIP is included because firewall sources often populate it
// without a RequestURL or DestinationHostName.
let malicious_hosts = dynamic(["152.236.3.29"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP has_any (malicious_hosts)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
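The following script is an added example, not part of the original hunt content: it emulates the two queries above offline in Python so the matching logic can be checked against exported log rows before the KQL is run in the workspace. It refangs the IOC URLs from the table, extracts the host indicator, and applies a term-boundary match that approximates KQL `has_any` (so an indicator embedded inside a longer token, such as a version string, is not reported). Resolved IP columns are checked too, because the indicator is an IP address rather than a hostname. All log records are constructed samples; the `SAMPLE_DNS` and `SAMPLE_CSL` names and the hostnames in them are assumptions.

```python
import re
from urllib.parse import urlsplit

# IOC rows copied from the summary table above (defanged form).
IOC_URLS = [
    "hxxp://152.236.3.29/godisdead.3",
    "hxxp://152.236.3.29/godisdead.2",
]


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, [.]) back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")


def ioc_hosts(urls):
    """Deduplicated host part of each IOC URL; mirrors the KQL `let` list."""
    hosts = []
    for u in urls:
        host = urlsplit(refang(u)).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def has_any(value, terms) -> bool:
    """Approximate KQL has_any: case-insensitive match on term boundaries.

    A plain substring test would also fire on '...build-1152.236.3.29/...';
    requiring a non-alphanumeric boundary on both sides avoids that.
    """
    if not value:
        return False
    for t in terms:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(t) + r"(?![A-Za-z0-9])"
        if re.search(pattern, value, re.I):
            return True
    return False


def _project(hits, columns):
    hits = sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)
    return [{c: e.get(c) for c in columns} for e in hits]


def hunt_dns(events, hosts):
    """Equivalent of the DnsEvents query: queried name or resolved address."""
    hits = [e for e in events
            if has_any(e.get("Name"), hosts) or has_any(e.get("IPAddresses"), hosts)]
    return _project(hits, ("TimeGenerated", "Computer", "Name", "IPAddresses"))


def hunt_csl(events, hosts):
    """Equivalent of the CommonSecurityLog query over URL, host name and IP."""
    hits = [e for e in events
            if has_any(e.get("RequestURL"), hosts)
            or has_any(e.get("DestinationHostName"), hosts)
            or has_any(e.get("DestinationIP"), hosts)]
    return _project(hits, ("TimeGenerated", "SourceIP", "RequestURL",
                           "DestinationHostName", "DestinationIP", "DeviceAction"))


# Constructed sample rows (assumed hostnames); not real telemetry.
SAMPLE_DNS = [
    {"TimeGenerated": "2026-06-13T09:58:00Z", "Computer": "web01",
     "Name": "updates.example.internal", "IPAddresses": "10.0.0.5"},
    # Resolves to the IOC address; multi-valued IPAddresses is common.
    {"TimeGenerated": "2026-06-13T10:01:00Z", "Computer": "build02",
     "Name": "godisdead.example.test", "IPAddresses": "152.236.3.2,152.236.3.29"},
]

SAMPLE_CSL = [
    {"TimeGenerated": "2026-06-13T10:05:00Z", "SourceIP": "10.0.0.23",
     "RequestURL": "http://152.236.3.29/godisdead.3",
     "DestinationHostName": "152.236.3.29", "DestinationIP": "152.236.3.29",
     "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-13T10:20:00Z", "SourceIP": "10.0.0.30",
     "RequestURL": "https://internal.repo.example.com/agent.elf",
     "DestinationHostName": "internal.repo.example.com",
     "DestinationIP": "10.20.0.8", "DeviceAction": "allow"},
    # Decoy: the IOC string appears inside a longer token and must not match.
    {"TimeGenerated": "2026-06-13T10:45:00Z", "SourceIP": "10.0.0.31",
     "RequestURL": "http://pkgs.example.test/build-1152.236.3.29/manifest",
     "DestinationHostName": "pkgs.example.test",
     "DestinationIP": "10.20.0.9", "DeviceAction": "allow"},
    # Firewall-style row: no URL or host name, only the destination IP.
    {"TimeGenerated": "2026-06-13T11:30:00Z", "SourceIP": "10.0.0.41",
     "RequestURL": "", "DestinationHostName": "",
     "DestinationIP": "152.236.3.29", "DeviceAction": "deny"},
]

if __name__ == "__main__":
    hosts = ioc_hosts(IOC_URLS)
    for row in hunt_dns(SAMPLE_DNS, hosts) + hunt_csl(SAMPLE_CSL, hosts):
        print(row)
```

Running it prints one DNS hit (the host whose lookup resolved to the indicator) and two CommonSecurityLog hits, newest first; the decoy row and the internal repository download are not reported.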
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a new endpoint security tool by uploading a known benign .elf file for validation.
  Filter/Exclusion: Exclude files with the file command output indicating "ELF" and where the file path contains test/ or temp/.
- Scenario: A scheduled job runs a script that downloads a legitimate .elf file from a trusted internal repository to update a service.
  Filter/Exclusion: Exclude files downloaded from internal URLs (e.g., internal.repo.example.com) or files with a known SHA-256 hash of the legitimate .elf.
- Scenario: A developer is using strace to debug a process that dynamically loads a .elf library for application testing.
  Filter/Exclusion: Exclude processes where the command line includes strace or gdb, or where the file path contains debug/ or build/.
- Scenario: A system update process deploys a new .elf binary to a server as part of a standard patching routine.
  Filter/Exclusion: Exclude files with a file path containing patches/ or updates/, or files signed by a known internal signing certificate.
- Scenario: A security tool like OSSEC or Snort is configured to monitor system calls and logs, and it generates a .elf file as part of its own logging mechanism.
  Filter/Exclusion: Exclude files with a file path containing ossec/ or snort/, or files with a process owner of ossec or snort.