This hunt hypothesis looks for hosts that resolve or contact the URLhaus URLs tagged `elf` (Linux ELF payloads, listed below), which adversaries can use to exfiltrate data or establish command and control. SOC teams should proactively hunt for this traffic in Azure Sentinel to identify and contain potential data breaches and lateral movement before they progress.

IOC Summary

Threat: elf
Total URLs: 4
Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://95.214.53.157:37641/yui/86u5 | online | malware_download | 2026-06-14 |
| hxxp://95.214.53.157:37641/yui/86u4 | online | malware_download | 2026-06-14 |
| hxxp://95.214.53.157:37641/yui/m4y | online | malware_download | 2026-06-14 |
| hxxp://152.89.76.240/monero.arm7 | offline | malware_download | 2026-06-14 |
Hunt query 1: DNS resolution involving the URLhaus IOCs. The IOC hosts in this hunt are IP addresses rather than domain names, so the query matches both the queried name and the returned answers; otherwise a lookup that resolves to one of the IOC addresses would be missed.

```kusto
// Hunt for DNS events involving URLhaus malicious hosts
// Threat: elf
// 152.89.76.240 was offline when the IOCs were added but is kept for historical hunting
let malicious_hosts = dynamic(["95.214.53.157", "152.89.76.240"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

Hunt query 2: web/proxy traffic to the URLhaus IOCs. The destination IP is checked as well as the URL and host name, because proxies and firewalls do not always populate `RequestURL` for direct-to-IP connections on non-standard ports such as 37641.

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: elf
let malicious_hosts = dynamic(["95.214.53.157", "152.89.76.240"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP has_any (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Required data sources:

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Known false-positive scenarios and the corresponding filters/exclusions:

- **Scenario:** A system administrator is manually testing a new URL filtering tool by accessing a known safe URL that matches the pattern of a malicious URL in the URLhaus database.
  **Filter/Exclusion:** Exclude URLs that are part of internal testing environments or whitelisted by the URL filtering tool (e.g., internal-test.example.com).
- **Scenario:** A scheduled job runs a script that downloads a legitimate software update from a trusted source, which happens to be tagged as an ELF file in the URLhaus database due to a false positive.
  **Filter/Exclusion:** Exclude URLs that match known software update domains (e.g., updates.example.com or download.examplecorp.com).
- **Scenario:** A developer is using a CI/CD pipeline to push code to a staging environment, and the pipeline includes a step that fetches a dependency from a public repository, which is mistakenly flagged as a malicious ELF URL.
  **Filter/Exclusion:** Exclude URLs that match known CI/CD artifact repositories (e.g., artifactory.example.com or nexus.examplecorp.com).
- **Scenario:** An admin is performing a system cleanup and uses a tool like find or rsync to transfer files between servers, which may include ELF files that are flagged as malicious URLs due to a false positive.
  **Filter/Exclusion:** Exclude URLs that match internal file transfer protocols or IP ranges (e.g., 10.0.0.0/8 or 192.168.0.0/16).
- **Scenario:** A security tool like OSSEC or Splunk is configured to send alerts via email, and the email server's URL is mistakenly flagged as a malicious ELF URL in the URLhaus database.
  **Filter/Exclusion:** Exclude URLs that match internal email server addresses (e.g., mail.example.com).
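The following is an added, offline example (not part of the original hunt page or of any Sentinel content) that runs the same hunt logic as the two KQL queries over proxy and DNS log lines and then applies the exclusions from the scenarios above. It uses the page's IOC table as its indicator list; the log lines, the allowlist domains and the `key=value` log format are constructed for the example. It distinguishes an exact URL hit (host, port and path) from a host-only hit and from a path-pattern hit on an unrelated host, because that last class is where the false-positive scenarios live.

```python
"""Offline hunt for URLhaus 'elf' IOCs over proxy and DNS log lines.

Added example: IOCs come from the hunt page's table (defanged hxxp://
form); the log lines, allowlist and key=value log format are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# IOCs exactly as listed on the page (defanged), with their status.
IOC_URLS = [
    ("hxxp://95.214.53.157:37641/yui/86u5", "online"),
    ("hxxp://95.214.53.157:37641/yui/86u4", "online"),
    ("hxxp://95.214.53.157:37641/yui/m4y", "online"),
    ("hxxp://152.89.76.240/monero.arm7", "offline"),
]

# Exclusions mirroring the page's false-positive scenarios (constructed values).
ALLOWLIST_DOMAINS = {
    "internal-test.example.com", "updates.example.com", "download.examplecorp.com",
    "artifactory.example.com", "nexus.examplecorp.com", "mail.example.com",
}
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]


def refang(url: str) -> str:
    """Turn URLhaus-style defanged URLs (hxxp, [.]) back into real URLs."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def parse_url(url: str):
    """Split a URL into (host, port, path); port defaults by scheme."""
    parts = urlsplit(refang(url))
    if parts.hostname is None:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname.lower(), port, parts.path or "/"


# Index IOCs three ways: exact (host, port, path), host only, path only.
IOC_INDEX = {parse_url(raw): status for raw, status in IOC_URLS}
IOC_HOSTS = {key[0] for key in IOC_INDEX}
IOC_PATHS = {key[2] for key in IOC_INDEX}


def is_excluded(host: str):
    """Return the page's exclusion reason for a host, or None."""
    if host in ALLOWLIST_DOMAINS:
        return "allowlisted domain"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return "internal range" if any(addr in net for net in INTERNAL_RANGES) else None


def classify(url: str):
    """Rank a URL against the IOCs: exact > host > path-pattern, else None."""
    parsed = parse_url(url)
    if parsed is None:
        return None
    host, _port, path = parsed
    if parsed in IOC_INDEX:
        return "exact", IOC_INDEX[parsed]
    if host in IOC_HOSTS:
        return "host", None
    if path in IOC_PATHS:
        return "path-pattern", None
    return None


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Constructed log format: '<timestamp> key=value key=value ...'."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def hunt(lines):
    """Return one hit per line that touches an IOC, annotated with exclusions."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if "query" in f:  # DNS event: match the name or the resolved address (query 1)
            if f["query"].lower() in IOC_HOSTS or f.get("answer") in IOC_HOSTS:
                hits.append({"ts": f["ts"], "src": f.get("src"), "level": "dns",
                             "url": f["query"], "ioc_status": None,
                             "action": None, "excluded": None})
            continue
        url = f.get("url")
        verdict = classify(url) if url else None
        if verdict is None:
            continue
        level, status = verdict
        hits.append({"ts": f["ts"], "src": f.get("src"), "level": level, "url": url,
                     "ioc_status": status, "action": f.get("action"),
                     "excluded": is_excluded(parse_url(url)[0])})
    return hits


def actionable(hits):
    """Hits that survive the page's exclusions and need analyst attention."""
    return [h for h in hits if h["excluded"] is None]


# Constructed sample log: two exact hits, one host-only hit, one hit on the
# offline IOC, one DNS resolution, and two path-pattern false positives.
SAMPLE_LOG = [
    "2026-06-14T08:11:58Z src=10.1.2.3 query=yui-update.example.invalid answer=95.214.53.157",
    "2026-06-14T08:12:01Z src=10.1.2.3 dst=95.214.53.157 url=http://95.214.53.157:37641/yui/86u5 action=allow",
    "2026-06-14T08:12:05Z src=10.1.2.3 dst=95.214.53.157 url=http://95.214.53.157:37641/yui/m4y action=allow",
    "2026-06-14T08:15:40Z src=10.1.2.9 dst=95.214.53.157 url=http://95.214.53.157/ action=block",
    "2026-06-14T08:20:11Z src=10.1.7.7 dst=152.89.76.240 url=http://152.89.76.240/monero.arm7 action=block",
    "2026-06-14T09:00:00Z src=10.1.2.4 dst=10.0.0.9 url=http://internal-test.example.com/yui/86u5 action=allow",
    "2026-06-14T09:00:03Z src=10.1.2.4 dst=192.168.5.5 url=http://192.168.5.5/monero.arm7 action=allow",
    "2026-06-14T09:05:00Z src=10.1.2.4 dst=203.0.113.10 url=https://updates.example.com/pkg.tar.gz action=allow",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Because every IOC host on this page is a public IP address, the allowlist and internal-range exclusions can only ever suppress path-pattern hits; an exact or host-level hit on 95.214.53.157 or 152.89.76.240 is never filtered, which is the behaviour the scenarios above intend. A blocked request to an IOC (`action=block`) is still reported, since the client that attempted the download is the host worth investigating.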