Adversaries may use malicious URLs tagged as elf (ELF malware payloads) by URLhaus to deliver payloads or exfiltrate data, leveraging compromised or phishing-linked domains. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential command-and-control or data exfiltration activity early.
IOC Summary

Threat: elf
Total URLs: 11
Active URLs: 11

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://104.248.192.247/bins/nova.armv7l | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.powerpc | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.mips | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.x86_64 | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.mipsel | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.armv4l | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.i586 | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.sh4 | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.armv6l | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.i686 | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.armv5l | online | malware_download | 2026-06-08 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
let malicious_domains = dynamic(["104.248.192.247"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: elf
let malicious_domains = dynamic(["104.248.192.247"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Common False Positives

- Scenario: A system administrator is manually testing a new URL shortener tool by accessing a known safe URL that matches the pattern of a malicious URL in the URLhaus list.
  - Filter/Exclusion: Exclude URLs that are part of internal testing environments or whitelisted domains (e.g., internal.test.urlhaus.com).
- Scenario: A scheduled job runs to fetch updates from a public repository (e.g., git clone https://github.com/elf-project/updates.git), and the URL matches a known malicious URL in the URLhaus list.
  - Filter/Exclusion: Exclude URLs that are part of known safe repositories or use a whitelisted domain (e.g., github.com).
- Scenario: An enterprise user is accessing a legitimate internal portal (e.g., https://portal.enterprise.com/elf) for administrative tasks, and the URL structure matches a malicious URL pattern.
  - Filter/Exclusion: Exclude URLs that are part of internal infrastructure or use a whitelisted subdomain (e.g., portal.enterprise.com).
- Scenario: A security tool (e.g., CrowdStrike Falcon) is configured to send alerts to a centralized SIEM system, and the alert URL matches a URLhaus entry due to a false positive in the tool’s alert formatting.
  - Filter/Exclusion: Exclude URLs that originate from known security tools or internal monitoring systems (e.g., falcon.enterprise.com).
- Scenario: A DevOps team is deploying a new containerized application using a CI/CD pipeline (e.g., Jenkins or GitLab CI), and the build process includes a URL that matches a malicious URL in the URLhaus list.
  - Filter/Exclusion: Exclude URLs that are part of CI/CD pipelines or use a whitelisted domain (e.g., ci.enterprise.com).
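The hunting queries above hard-code one host, and the exclusions above are described only in prose. The following added example (not part of the original page or of URLhaus tooling) parses the defanged IOC table, drops inactive rows and allowlisted hosts, reports which CPU architectures each host serves ELF payloads for, and renders the `let malicious_domains` line the Sentinel queries consume. The sample rows beyond the page's own IP and the ALLOWLIST set are constructed assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed sample rows in the defanged URLhaus table layout used above; the
# 203.0.113.10 (documentation address) and portal rows are made up to exercise the filters.
IOC_ROWS = """
| URL | Status | Threat | Date Added |
| hxxp://104.248.192.247/bins/nova.armv7l | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.mips | online | malware_download | 2026-06-08 |
| hxxp://104.248.192.247/bins/nova.x86_64 | online | malware_download | 2026-06-08 |
| hxxp://203.0.113.10/bins/nova.sh4 | offline | malware_download | 2026-06-08 |
| hxxp://portal.enterprise.com/elf | online | malware_download | 2026-06-08 |
"""
# Hypothetical allowlist built from the false-positive scenarios (assumption).
ALLOWLIST = {"portal.enterprise.com", "github.com", "ci.enterprise.com"}

def refang(url):
    """Turn a defanged URL (hxxp://, [.]) back into one urlparse understands."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")

def parse_rows(text):
    """Yield (host, path, status) for every data row of the pipe table."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not cells[0].lower().startswith("hxxp"):
            continue  # header, separator or blank line
        parsed = urlparse(refang(cells[0]))
        yield parsed.hostname, parsed.path, cells[1]

def hunt_hosts(text, allowlist=ALLOWLIST, active_only=True):
    """Unique hosts worth hunting: optionally only 'online' rows, minus the allowlist."""
    hosts = set()
    for host, _path, status in parse_rows(text):
        if (active_only and status != "online") or host in allowlist:
            continue
        hosts.add(host)
    return sorted(hosts)

def arch_variants(text):
    """Map each host to the CPU-architecture suffixes of the ELF files it serves."""
    out = {}
    for host, path, _status in parse_rows(text):
        filename = path.rsplit("/", 1)[-1]
        out.setdefault(host, set()).add(filename.rsplit(".", 1)[-1] if "." in filename else "")
    return {h: sorted(s) for h, s in out.items()}

def kql_let(hosts, name="malicious_domains"):
    """Render the `let` line consumed by the DnsEvents/CommonSecurityLog queries."""
    quoted = ", ".join('"%s"' % h for h in hosts)
    return f"let {name} = dynamic([{quoted}]);"
```

Paste the rendered `let` line in place of the hard-coded one in either query; hosts that appear in ALLOWLIST never reach the query, so the exclusion is applied before the hunt rather than tuned away afterwards.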