The detection identifies potential adversary activity involving malicious URLs associated with the elf malware, which could be used to deliver payloads or establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage attacks that leverage these URLs to compromise endpoints and exfiltrate data.
IOC Summary
Threat: elf
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.149.124.ptr.pfcloud.network/hiddenbin/mips | online | malware_download | 2026-06-05 |
| hxxp://176.65.149.124/hiddenbin/mips | online | malware_download | 2026-06-05 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
// Note: the second entry is a bare IP; hosts that connect to it directly never
// resolve it through DNS, so it will only match here if something queried the
// literal string. The CommonSecurityLog hunt below covers direct-IP traffic.
let malicious_domains = dynamic(["176.65.149.124.ptr.pfcloud.network", "176.65.149.124"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: elf
let malicious_domains = dynamic(["176.65.149.124.ptr.pfcloud.network", "176.65.149.124"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
1. Scenario: A system administrator is manually testing a new endpoint protection tool by downloading a known safe ELF binary from a trusted repository.
   Filter/Exclusion: Exclude URLs that match known safe repositories like https://github.com/ or https://packages.debian.org/ using a regex pattern or a custom list.
2. Scenario: A scheduled job runs a nightly update for a container image registry, pulling a new ELF binary from a legitimate source like Docker Hub.
   Filter/Exclusion: Exclude URLs containing docker.io or registry.hub.docker.com using a domain-based filter in the detection logic.
3. Scenario: An IT team is performing a system cleanup and uses a tool like rsync to transfer a legitimate ELF binary from a backup server to a production host.
   Filter/Exclusion: Exclude URLs that originate from internal IP ranges or internal DNS names like backup.internal.corp using IP or FQDN filtering.
4. Scenario: A developer is using a CI/CD pipeline (e.g., Jenkins) to build and deploy a new application, which includes a legitimate ELF binary hosted on a private artifact repository.
   Filter/Exclusion: Exclude URLs that match internal artifact repositories (e.g., artifactory.internal.corp) or use a custom list of approved CI/CD tool URLs.
5. Scenario: A system is running a legitimate security tool like ClamAV or Sophos that periodically downloads updated signature databases from their official servers.
   Filter/Exclusion: Exclude URLs that match known vendor update servers (e.g., https://database.clamav.net/, https://www.sophos.com/) using a domain or URL pattern match.
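The following query is an added example, not part of the original page or of URLhaus: it takes the CommonSecurityLog hunt from above and applies the five exclusions described in the scenarios in one place, so that the pattern can be reused as the IOC list grows. The allowlisted hosts, the `.internal.corp` suffix and the column names beyond those already used on the page (DestinationIP) are assumptions to be tuned for your own environment; with only the two IOCs listed here the exclusions will rarely fire, but they become relevant once the hunt is widened to generic ELF-download indicators.

```kql
// Added example: URLhaus "elf" hunt with the false-positive exclusions applied.
// Allowlist entries and internal-domain suffix are placeholders, not from the page.
let malicious_domains = dynamic(["176.65.149.124.ptr.pfcloud.network", "176.65.149.124"]);
// Sources that legitimately serve ELF binaries (scenarios 1, 2, 4, 5).
let allowed_hosts = dynamic([
    "github.com", "packages.debian.org",          // public package / source repositories
    "docker.io", "registry.hub.docker.com",       // container registries
    "artifactory.internal.corp",                  // private artifact repository (placeholder)
    "database.clamav.net", "www.sophos.com"       // AV signature update servers
]);
CommonSecurityLog
// Match the IOCs on the URL, the hostname and, for the bare-IP entry, the destination IP column.
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
// Scenario 3: drop transfers to RFC 1918 addresses or internal FQDNs.
// coalesce() keeps rows where DestinationIP is empty, since ipv4_is_private() returns null there.
| where coalesce(ipv4_is_private(DestinationIP), false) == false
| where not(DestinationHostName endswith ".internal.corp")
// Scenarios 1, 2, 4, 5: drop requests whose destination host is allowlisted.
// Matching on DestinationHostName rather than RequestURL avoids a path such as
// /github.com/... on an unrelated host satisfying the exclusion.
| where not(DestinationHostName has_any (allowed_hosts))
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction
| order by TimeGenerated desc
```

Keep the allowlist in a watchlist or a separate `let` that is reviewed periodically; an exclusion that is never revisited is the usual way a compromised "trusted" host goes unnoticed.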