The hypothesis is that this detection identifies potential adversary activity involving data exfiltration through malicious URLs tagged as elf in URLhaus, which are known to be associated with command-and-control servers. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate data exfiltration attempts early in the attack lifecycle.
IOC Summary
Threat: elf | Total URLs: 19 | Active URLs: 5
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://185.150.25.82/00101010101001/morte.mips | offline | malware_download | 2026-05-27 |
| hxxp://185.150.25.82/00101010101001/morte.ppc | offline | malware_download | 2026-05-27 |
| hxxp://185.150.25.82/00101010101001/morte.mpsl | offline | malware_download | 2026-05-27 |
| hxxp://185.150.25.82/00101010101001/morte.arm6 | offline | malware_download | 2026-05-27 |
| hxxp://185.150.25.82/00101010101001/morte.sh4 | offline | malware_download | 2026-05-27 |
| hxxp://185.150.25.82/00101010101001/morte.i686 | offline | malware_download | 2026-05-27 |
| hxxp://185.150.25.82/00101010101001/morte.x86 | offline | malware_download | 2026-05-27 |
| hxxp://185.150.25.82/00101010101001/morte.arm | offline | malware_download | 2026-05-27 |
| hxxp://185.150.25.82/00101010101001/morte.m68k | offline | malware_download | 2026-05-27 |
| hxxp://185.150.25.82/00101010101001/morte.arm5 | offline | malware_download | 2026-05-27 |
| hxxp://185.150.25.82/00101010101001/morte.x86_64 | offline | malware_download | 2026-05-27 |
| hxxp://185.150.25.82/00101010101001/morte.arm7 | offline | malware_download | 2026-05-27 |
| hxxp://176.65.139.99/wife.apk | online | malware_download | 2026-05-27 |
| hxxp://176.65.139.99/wife.x86 | online | malware_download | 2026-05-27 |
| hxxp://176.65.139.99/wife.ppc440 | online | malware_download | 2026-05-27 |
| hxxp://143.198.83.148/luxzzxzzx/luxzz.i468 | offline | malware_download | 2026-05-27 |
| hxxp://176.65.139.99/wife.sh4 | online | malware_download | 2026-05-27 |
| hxxp://176.65.139.99/wife.ppc | online | malware_download | 2026-05-27 |
| hxxp://176.65.139.99/wife.arc | offline | malware_download | 2026-05-27 |
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: elf
// The IOCs on this page are bare IP addresses rather than domains, so a DNS
// query name will rarely contain them; the resolved-address field (IPAddresses)
// is matched as well. 176.65.139.99 is the only host currently online; the two
// offline hosts are kept for retrospective hunting over older logs.
let malicious_hosts = dynamic(["176.65.139.99", "185.150.25.82", "143.198.83.148"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: elf
// URL and hostname fields are matched with has_any; the DestinationIP field is
// compared exactly with in, which is the reliable match for an IP-only IOC.
let malicious_hosts = dynamic(["176.65.139.99", "185.150.25.82", "143.198.83.148"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
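An empty hunt result is only meaningful if both tables are actually receiving data. The query below is an added example (not part of the original page) that reports row counts and the last event time per table over an assumed 7-day lookback; a table missing from the output, or one whose last event is hours old, points at a disabled connector or an agent that has stopped forwarding rather than at an absence of the activity being hunted.

```kusto
// Added example: confirm DnsEvents and CommonSecurityLog are populated before
// trusting a negative hunt result. The 7d lookback is an assumption.
let lookback = 7d;
union withsource=SourceTable isfuzzy=true DnsEvents, CommonSecurityLog
| where TimeGenerated > ago(lookback)
| summarize Rows = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated) by SourceTable
// Minutes since the newest event: a large value on a table that should be
// streaming continuously indicates an ingestion gap.
| extend MinutesSinceLastEvent = datetime_diff('minute', now(), LastSeen)
| order by LastSeen asc
```

isfuzzy=true keeps the query from failing in a workspace where one of the tables has never been created; that table then simply does not appear in the output, which is itself the finding.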
False Positives and Exclusions

- Scenario: A system administrator is manually testing a new URL shortening service by generating and accessing a few test URLs.
  Filter/Exclusion: Exclude URLs that match the domain of the internal testing environment (e.g., test.shorturl.example.com).
- Scenario: A scheduled job runs a script that fetches and processes a list of URLs from an internal API for reporting purposes.
  Filter/Exclusion: Exclude URLs that originate from the internal API endpoint (e.g., api.reporting.example.com).
- Scenario: A developer is using a tool like curl or wget to download a dependency from a public repository (e.g., GitHub) that contains a file with a .elf extension.
  Filter/Exclusion: Exclude URLs that match known safe repositories (e.g., github.com, npmjs.org) and files with known safe extensions (e.g., .tar.gz, .zip).
- Scenario: A security team is performing a red team exercise and uses a legitimate tool like nmap or metasploit to simulate network activity, which includes accessing a file with a .elf extension.
  Filter/Exclusion: Exclude URLs that match the IP range or domain used during red team exercises (e.g., 192.168.1.0/24, redteam.example.com).
- Scenario: A system is running a scheduled backup job that archives logs and includes a file with a .elf extension as part of the archive (e.g., log_archive.elf).
  Filter/Exclusion: Exclude URLs that match the backup server or archive path (e.g., backup.example.com, /var/backups/).
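The exclusions above can be expressed directly in the web-traffic hunt so that analysts triage a short, deduplicated list instead of raw rows. The query below is an added example, not part of the original page: it reuses the three IOC hosts from the table and turns each scenario's placeholder values (the example.com hosts, the 192.168.1.0/24 range, the safe repositories and archive extensions) into allow-lists. Every exclusion value is an assumption taken from the scenario text and must be replaced with the real internal hosts and ranges before the query is used.

```kusto
// Added example: the CommonSecurityLog hunt with the documented false-positive
// scenarios applied as allow-lists, then summarized per source host.
let malicious_hosts = dynamic(["176.65.139.99", "185.150.25.82", "143.198.83.148"]);
// Scenarios 1, 2 and 5: internal test, reporting-API and backup endpoints (placeholders)
let internal_hosts = dynamic(["test.shorturl.example.com", "api.reporting.example.com", "backup.example.com"]);
let internal_paths = dynamic(["/var/backups/"]);
// Scenario 3: known safe repositories and archive extensions (placeholders)
let safe_repos = dynamic(["github.com", "npmjs.org"]);
let safe_extensions = dynamic([".tar.gz", ".zip"]);
// Scenario 4: red team source range and domain (placeholders)
let redteam_range = "192.168.1.0/24";
let redteam_domain = "redteam.example.com";
CommonSecurityLog
| where TimeGenerated > ago(7d)
// Positive match on any IOC host, exact comparison for the IP field
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
// Exclusions: drop rows explained by a documented benign scenario.
// coalesce() keeps rows whose SourceIP cannot be parsed; a null inside
// not() would otherwise silently discard them.
| where not(DestinationHostName has_any (internal_hosts) or RequestURL has_any (internal_hosts))
| where not(RequestURL has_any (internal_paths))
| where not(DestinationHostName has_any (safe_repos) or RequestURL has_any (safe_repos))
| where not(RequestURL has_any (safe_extensions))
| where not(coalesce(ipv4_is_in_range(SourceIP, redteam_range), false))
| where not(DestinationHostName has redteam_domain or RequestURL has redteam_domain)
// One row per source: first/last contact, hit count, distinct URLs and device verdicts
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            URLs = make_set(RequestURL, 20),
            Actions = make_set(DeviceAction) by SourceIP
| order by LastSeen desc
```

The positive IOC match is applied before the exclusions, so an allow-listed host that also contacts an IOC address is still removed; if that is not the intended risk posture, move the red-team range exclusion after the summarize so those sources remain visible but are labelled rather than dropped.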