Hunt hypothesis: an adversary is staging ELF (Linux) malware for download onto hosts in the environment from the URLhaus-listed locations below. All eighteen URLs are payload-hosting URLs (status malware_download), not command-and-control or exfiltration endpoints: one dropper, akido, is served from a single host (92.88.98.199, also reachable under its reverse-DNS name 199.98.88.92.rev.sfr.net) as builds for nine CPU architectures, the layout typical of droppers aimed at embedded Linux and IoT devices. SOC teams should proactively hunt in Microsoft Sentinel (formerly Azure Sentinel) for DNS resolutions of, and web requests to, these locations; a hit identifies a device that fetched or tried to fetch the payload and should be contained and examined before it becomes a foothold for command and control or lateral movement.
IOC Summary
Threat: elf (URLhaus tag for ELF payloads) | Total URLs: 18 | Active URLs: 18
The 18 URLs are two hostnames for the same server multiplied by nine architecture builds of the same file (akido.sh4, .ppc, .mips, .mpsl, .spc, .arc, .m68k, .x86, .x86_64), so hunting on the host or the address covers every row.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://199.98.88.92.rev.sfr.net/d/akido.sh4 | online | malware_download | 2026-05-05 |
| hxxp://199.98.88.92.rev.sfr.net/d/akido.ppc | online | malware_download | 2026-05-05 |
| hxxp://199.98.88.92.rev.sfr.net/d/akido.mips | online | malware_download | 2026-05-05 |
| hxxp://199.98.88.92.rev.sfr.net/d/akido.x86 | online | malware_download | 2026-05-05 |
| hxxp://199.98.88.92.rev.sfr.net/d/akido.x86_64 | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.ppc | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.x86 | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.sh4 | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.mpsl | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.spc | online | malware_download | 2026-05-05 |
| hxxp://199.98.88.92.rev.sfr.net/d/akido.spc | online | malware_download | 2026-05-05 |
| hxxp://199.98.88.92.rev.sfr.net/d/akido.mpsl | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.arc | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.x86_64 | online | malware_download | 2026-05-05 |
| hxxp://199.98.88.92.rev.sfr.net/d/akido.m68k | online | malware_download | 2026-05-05 |
| hxxp://199.98.88.92.rev.sfr.net/d/akido.arc | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.mips | online | malware_download | 2026-05-05 |
| hxxp://92.88.98.199/d/akido.m68k | online | malware_download | 2026-05-05 |
Run each of the two queries below on its own. The DNS query also matches the resolved address, because the IOC server can be reached under a name other than the one in the feed; the web query also matches the destination IP, because a device that connects straight to 92.88.98.199 performs no DNS lookup at all, and it matches the dropper path as a further pivot.

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf (akido dropper, multi-architecture ELF payloads)
// 199.98.88.92.rev.sfr.net is the reverse-DNS name of 92.88.98.199; match on the
// resolved address too so the same server reached via another name is not missed.
let malicious_domains = dynamic(["199.98.88.92.rev.sfr.net", "92.88.98.199"]);
let malicious_ips = dynamic(["92.88.98.199"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: elf (akido dropper, multi-architecture ELF payloads)
// Direct-to-IP fetches produce no DNS event, so check DestinationIP as well as the URL
// and hostname. The path /d/akido.<arch> is a separate pivot for the same payload
// served from a host that is not yet in the feed.
let malicious_domains = dynamic(["199.98.88.92.rev.sfr.net", "92.88.98.199"]);
let malicious_ips = dynamic(["92.88.98.199"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_ips)
    or RequestURL contains "/d/akido."
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction
| order by TimeGenerated desc
```

Triage note: DeviceAction tells you whether the fetch was blocked or allowed. An allowed request to one of these URLs from an embedded device (camera, gateway, printer) is a probable infection, not just an attempt; a blocked one still identifies a device that was instructed to fetch the payload.
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF (Syslog via AMA) connector from the proxy or firewall. The URL and hostname matches need a device that logs RequestURL and DestinationHostName (a proxy or URL-filtering firewall); the DestinationIP match also works on plain firewall logs. |
| DnsEvents | Populated by the DNS connector on monitored Windows DNS servers. Devices that use an external resolver, or that connect to 92.88.98.199 directly by IP, never appear here, so an empty DNS result does not mean the environment is clean. |
False-positive scenarios and how to scope exclusions
Scenario: A system administrator is manually testing a new URL filtering tool by deliberately requesting one of the listed URLs from a workstation to confirm that it is blocked.
Filter/Exclusion: Do not exclude all internal (RFC 1918) source addresses. In outbound proxy and firewall logs every client has a private source address, so a filter such as src_ip in {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16} suppresses the genuine hits as well as the test. Exclude only the named test host during the change window, e.g. `SourceIP == "10.0.0.5" and TimeGenerated between (datetime(2026-05-05 10:00) .. datetime(2026-05-05 10:30))`, and keep the test on record.
Scenario: A scheduled job runs a nightly script that downloads a trusted ELF binary from a public repository (e.g. GitHub) to update internal tools.
Filter/Exclusion: This traffic never matches the queries above, which key on the two IOC hosts, so no exclusion is needed. Do not add a blanket `RequestURL contains "github.com"` or `"gitlab.com"` rule: it does nothing for this hunt and would blind any broader rule (for example one matching the akido.<arch> filename pattern) to payloads staged on public repositories. If a broader rule is added later, allowlist the exact repository path.
Scenario: A developer's CI/CD pipeline builds a Docker image whose build step pulls a trusted ELF binary.
Filter/Exclusion: As above: pulls from docker.io or registry.hub.docker.com do not touch the IOC hosts and need no exclusion. If build agents are noisy in a broader hunt, exclude them by source address (the agent subnet) rather than by registry substring, so a compromised agent fetching from an IOC host still surfaces.
Scenario: A system update process automatically downloads a trusted ELF file from the company's internal software repository to patch a system.
Filter/Exclusion: Exclude by the repository's exact hostname (`DestinationHostName == "internal-repo.example.com"`), not by substring, so that a lookalike name cannot hide inside the exclusion.
Scenario: A security analyst is performing a red team exercise and fetches an ELF payload as part of a controlled simulation of this activity to test network defences.
Filter/Exclusion: Exclude by the exercise's source hosts and engagement window, agreed with the red team in advance, rather than by a hostname substring such as "redteam.example.com" or "simulator.example.com", which would also hide real infrastructure that happens to match. Better still, tag the hits as exercise traffic instead of suppressing them, so the detection and response path is exercised end to end.
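The two hunts and the exclusion guidance above, modelled offline in Python over constructed proxy (CEF) and DNS log lines. This is an added example, not code from the page or from Sentinel. The IOC subset is taken from the table; the vendor and product names in the CEF header, every source and destination address, the hostnames mirror.example.net and update.example.org, the ISO-8601 rt timestamp format and the Computer names are constructed for the example, and the expansion of 199.98.88.92.rev.sfr.net to 92.88.98.199 assumes the reversed-octet PTR naming implied by the feed listing both forms of the same host. It adds the destination-IP and dropper-path pivots to the plain hostname match and shows why a blanket RFC 1918 source exclusion empties the result set while a host-plus-window exclusion does not.

```python
"""Offline model of the two hunts above: DNS resolutions and proxy/firewall requests
matched against the URLhaus 'elf' IOCs, then the two kinds of exclusion.
Added example, not Sentinel code. All log lines below are constructed."""
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlparse

# Three of the eighteen IOC URLs from the table, defanged exactly as the feed lists them.
IOC_URLS = [
    "hxxp://199.98.88.92.rev.sfr.net/d/akido.sh4",
    "hxxp://92.88.98.199/d/akido.mips",
    "hxxp://92.88.98.199/d/akido.x86_64",
]

def refang(url):
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def ioc_pivots(urls):
    """Hostnames, IPs and URL paths to hunt on. A reverse-DNS style name such as
    199.98.88.92.rev.sfr.net is expanded to the address it encodes (reversed octets;
    an assumption inferred from the feed listing both forms of the same host)."""
    hosts, ips, paths = set(), set(), set()
    for u in urls:
        p = urlparse(refang(u))
        hosts.add(p.hostname)
        paths.add(p.path)
        try:
            ips.add(str(ipaddress.ip_address(p.hostname)))
        except ValueError:
            m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.rev\.sfr\.net", p.hostname)
            if m:
                ips.add(".".join(reversed(m.groups())))
    return hosts, ips, paths

def parse_cef(line):
    """Minimal CEF parser: seven '|'-separated header fields, then key=value extensions."""
    parts = line.split("|", 7)
    fields = dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    fields["vendor"], fields["product"] = parts[1], parts[2]
    return fields

def hunt_web(cef_lines, pivots):
    """Mirror of the CommonSecurityLog query with the destination-IP and
    dropper-path pivots; each hit records which pivot(s) fired."""
    hosts, ips, paths = pivots
    hits = []
    for line in cef_lines:
        f = parse_cef(line)
        req = urlparse(f.get("request", ""))
        why = []
        if f.get("dhost") in hosts or req.hostname in hosts:
            why.append("ioc-host")
        if f.get("dst") in ips:
            why.append("ioc-ip")
        if req.path in paths:
            why.append("ioc-path")
        if why:
            hits.append({"time": datetime.fromisoformat(f["rt"]), "src": f["src"],
                         "url": f.get("request"), "action": f.get("act"), "why": why})
    return hits

def hunt_dns(dns_rows, pivots):
    """Mirror of the DnsEvents query, also matching the resolved address so the IOC
    server reached through some other name is still found."""
    hosts, ips, _ = pivots
    return [r for r in dns_rows
            if r["Name"] in hosts or set(r["IPAddresses"].split(",")) & ips]

def exclude_private_sources(hits):
    """The blanket 'exclude RFC 1918 sources' filter. In outbound proxy logs every
    client address is private, so this removes the true positives as well."""
    return [h for h in hits if not ipaddress.ip_address(h["src"]).is_private]

def exclude_scoped(hits, test_src, start_iso, end_iso):
    """Scoped exclusion: one named test host during one change window (ISO 8601 bounds)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [h for h in hits if not (h["src"] == test_src and start <= h["time"] <= end)]

# Constructed CEF lines in the shape CommonSecurityLog ingests; vendor/product are placeholders.
_HDR = "CEF:0|ExampleVendor|ExampleProxy|1.0|100|Web Request|3|"
PROXY_LOG = [
    _HDR + "rt=2026-05-05T10:01:00+00:00 src=10.20.30.40 dst=92.88.98.199 dhost=92.88.98.199 "
           "request=http://92.88.98.199/d/akido.mips act=allow",
    _HDR + "rt=2026-05-05T10:02:00+00:00 src=10.20.30.41 dst=192.0.2.10 dhost=github.com "
           "request=https://github.com/org/tool/releases/download/v1/tool-x86_64 act=allow",
    _HDR + "rt=2026-05-05T10:03:00+00:00 src=10.99.0.5 dst=92.88.98.199 dhost=199.98.88.92.rev.sfr.net "
           "request=http://199.98.88.92.rev.sfr.net/d/akido.sh4 act=block",
    _HDR + "rt=2026-05-05T10:04:00+00:00 src=10.20.30.42 dst=198.51.100.7 dhost=mirror.example.net "
           "request=http://mirror.example.net/d/akido.x86_64 act=allow",
]
# Constructed DnsEvents-style rows.
DNS_LOG = [
    {"Computer": "iot-gw-01", "Name": "199.98.88.92.rev.sfr.net", "IPAddresses": "92.88.98.199"},
    {"Computer": "build-07", "Name": "github.com", "IPAddresses": "192.0.2.10"},
    {"Computer": "cam-113", "Name": "update.example.org", "IPAddresses": "92.88.98.199"},
]

if __name__ == "__main__":
    pivots = ioc_pivots(IOC_URLS)
    web = hunt_web(PROXY_LOG, pivots)
    for h in web:
        print(h["time"], h["src"], h["action"], h["url"], h["why"])
    print("after blanket RFC 1918 exclusion:", len(exclude_private_sources(web)))
    print("after scoped exclusion:", len(exclude_scoped(
        web, "10.99.0.5", "2026-05-05T10:00:00+00:00", "2026-05-05T10:30:00+00:00")))
    for r in hunt_dns(DNS_LOG, pivots):
        print(r["Computer"], r["Name"], r["IPAddresses"])
```

Run it as a script to see the three web hits (two on the IOC host, one on the dropper path alone from mirror.example.net), then the count after each exclusion: the RFC 1918 filter leaves nothing, the scoped filter removes only the 10.99.0.5 test request. The DNS hunt finds cam-113 even though it resolved a name that is not in the feed, because the answer was the IOC address.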