The hypothesis is that the detected URLs serve ELF malware (Linux executables) used for persistence and remote code execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise of endpoints and data exfiltration.
IOC Summary

Threat: elf | Total URLs: 2 | Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.156.87.194/main_arm6 | online | malware_download | 2026-04-19 |
| hxxp://45.156.87.194/main_mpsl | online | malware_download | 2026-04-19 |
```kql
// Hunt for DNS resolution of URLhaus malicious indicators
// Threat: elf
// The indicator is a bare IP address, so it will rarely appear in the queried Name;
// also match it against the resolved answer (IPAddresses).
let malicious_ips = dynamic(["45.156.87.194"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious indicators
// Threat: elf
let malicious_ips = dynamic(["45.156.87.194"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips) or DestinationHostName has_any (malicious_ips) or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
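The hunts above hard-code one IP under a variable named for domains. As an added example (not code from the original page or from URLhaus), the following Python refangs URLhaus-style rows, separates IP indicators from domain indicators, and emits a DnsEvents hunt that matches domains on the queried Name and IPs on the resolved IPAddresses column; the IOC rows are constructed from the table above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample rows shaped like the page's IOC table (defanged URLs).
IOC_ROWS = [
    {"url": "hxxp://45.156.87.194/main_arm6", "status": "online"},
    {"url": "hxxp://45.156.87.194/main_mpsl", "status": "online"},
]

def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) so the URL parses."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".").replace("[:]", ":")

def split_indicators(rows):
    """Return (ips, domains), de-duplicated and sorted, from rows still marked online."""
    ips, domains = set(), set()
    for row in rows:
        if row["status"] != "online":
            continue
        host = urlsplit(refang(row["url"])).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)   # raises ValueError for a domain name
            ips.add(host)
        except ValueError:
            domains.add(host.lower())
    return sorted(ips), sorted(domains)

def kql_dynamic(values):
    """Render a Python list as a KQL dynamic([...]) literal."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"

def build_dns_hunt(ips, domains) -> str:
    """Build the DnsEvents hunt: a domain indicator matches the queried Name,
    while an IP indicator can only show up in the resolved answer (IPAddresses)."""
    lets, clauses = [], []
    if domains:
        lets.append(f"let malicious_domains = {kql_dynamic(domains)};")
        clauses.append("Name has_any (malicious_domains)")
    if ips:
        lets.append(f"let malicious_ips = {kql_dynamic(ips)};")
        clauses.append("IPAddresses has_any (malicious_ips)")
    if not clauses:
        return ""
    return "\n".join(lets + ["DnsEvents", "| where " + " or ".join(clauses),
                             "| project TimeGenerated, Computer, Name, IPAddresses",
                             "| order by TimeGenerated desc"])

if __name__ == "__main__":
    print(build_dns_hunt(*split_indicators(IOC_ROWS)))
```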
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new endpoint protection tool by downloading a known benign ELF file from a trusted internal repository.
Filter/Exclusion: Exclude URLs matching internal repository domains (e.g., internal-repo.example.com) or use a custom field like url.contains("internal-repo").
Scenario: A scheduled job runs to update a local cache of ELF binaries used for internal software development, and the update process includes downloading a legitimate ELF file from a public repository like GitHub.
Filter/Exclusion: Exclude URLs containing github.com or use a custom field like url.contains("github.com") and filter by process.name to exclude known update tools (e.g., git, curl).
Scenario: A developer is using a tool like strace or gdb to debug a legitimate ELF binary, and the tool temporarily accesses a URL for debugging purposes.
Filter/Exclusion: Exclude URLs that match known debugging tools or use a custom field like process.name to filter out strace, gdb, or valgrind.
Scenario: A system is running a scheduled backup job that uses a tool like rsync or tar to archive files, and the process temporarily accesses a URL for metadata or checksum purposes.
Filter/Exclusion: Exclude URLs containing checksum or metadata in the query string, or use a custom field like process.name to exclude backup tools (e.g., rsync, tar).
Scenario: A security analyst is using a tool like ELFbin or readelf to analyze a suspicious ELF file, and the analysis process temporarily accesses a URL for signature lookup.
Filter/Exclusion: Exclude URLs containing signature or lookup in the path, or use a custom field like `