This hunt hypothesis covers adversaries using malicious URLs associated with the elf malware family (as tagged by URLhaus) to exfiltrate data or establish command and control. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential data breaches and lateral movement attempts.
IOC Summary
Threat: elf | Total URLs: 12 | Active URLs: 12

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://152.236.7.10/eat/some/godisdead.6 | online | malware_download | 2026-06-09 |
| hxxp://152.236.7.10/eat/some/godisdead.8 | online | malware_download | 2026-06-09 |
| hxxp://152.236.7.10/eat/some/godisdead.2 | online | malware_download | 2026-06-09 |
| hxxp://152.236.7.10/eat/some/godisdead.13 | online | malware_download | 2026-06-09 |
| hxxp://152.236.7.10/eat/some/godisdead.7 | online | malware_download | 2026-06-09 |
| hxxp://152.236.7.10/eat/some/godisdead.10 | online | malware_download | 2026-06-09 |
| hxxp://152.236.7.10/eat/some/godisdead.5 | online | malware_download | 2026-06-09 |
| hxxp://152.236.7.10/eat/some/godisdead.11 | online | malware_download | 2026-06-09 |
| hxxp://152.236.7.10/eat/some/godisdead.4 | online | malware_download | 2026-06-09 |
| hxxp://152.236.7.10/eat/some/godisdead.1 | online | malware_download | 2026-06-09 |
| hxxp://152.236.7.10/eat/some/godisdead.9 | online | malware_download | 2026-06-09 |
| hxxp://152.236.7.10/eat/some/godisdead.3 | online | malware_download | 2026-06-09 |
Hunting Queries (KQL)

All twelve URLs share a single host, the IP address 152.236.7.10, so the queries below match on that value. Because the indicator is an IP rather than a hostname, the DNS query also checks the resolved IPAddresses column, not only the queried Name.

```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: elf
let malicious_domains = dynamic(["152.236.7.10"]);
DnsEvents
| where Name has_any (malicious_domains)
    or IPAddresses has_any (malicious_domains)   // indicator is an IP, so match on the resolved address too
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: elf
let malicious_domains = dynamic(["152.236.7.10"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)   // proxies/firewalls often log only the destination IP
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: A system administrator is performing a scheduled backup and the backup tool (e.g., rsync, Veeam, or Commvault) generates temporary files with .elf extensions during the process.
Filter/Exclusion: Exclude URLs containing the string backup or rsync in the URL path.
Scenario: A developer is using a code linter or formatter (e.g., ESLint, Prettier, or Black) that generates temporary files with .elf extensions during the build process.
Filter/Exclusion: Exclude URLs containing the string lint, format, or build in the URL path.
Scenario: A system is running a scheduled job that uses a tool like Ansible or Chef to deploy configurations, and the deployment process temporarily creates .elf files on the server.
Filter/Exclusion: Exclude URLs containing the string ansible, chef, or deploy in the URL path.
Scenario: A user is downloading a legitimate .elf file (e.g., a binary for a development tool like Go, Rust, or Node.js) from a trusted repository (e.g., GitHub, GitLab, or SourceForge).
Filter/Exclusion: Exclude URLs that match known trusted repositories or contain the string github.com, gitlab.com, or sourceforge.net.
Scenario: A security tool (e.g., ClamAV, Sophos, or Bitdefender) is performing a scan and generates temporary files with .elf extensions as part of its analysis.
Filter/Exclusion: Exclude URLs containing the string scan, clamav, sophos, or bitdefender in the URL path.