This hunt hypothesis targets adversaries who use malicious URLs associated with the elf malware family to exfiltrate data or establish command and control. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate potential data breaches and lateral movement attempts.
IOC Summary
Threat: elf
Total URLs: 30
Active URLs: 22
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
// The indicators for this hunt are IP literals, so a DNS query name will rarely
// contain them; the resolved-address column is checked as well.
let malicious_domains = dynamic(["45.135.193.114", "176.65.139.115"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

// Hunt for web traffic to URLhaus malicious domains
// Threat: elf
let malicious_domains = dynamic(["45.135.193.114", "176.65.139.115"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
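The CommonSecurityLog hunt above, replayed offline over constructed proxy log lines as an added example (not code from the original hunt page): it matches the two IOC hosts by parsed hostname rather than substring, applies the false-positive exclusions listed further down, and orders allowed requests first for triage. The log lines, the internal workstation names and the EXCLUDED_SOURCES set are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# IOC hosts from the hunt query (the two distribution servers in the URL list)
MALICIOUS_HOSTS = {"45.135.193.114", "176.65.139.115"}

# Source hosts to suppress, taken from the false-positive scenarios (assumed names)
EXCLUDED_SOURCES = {"url-reputation-service.example.com", "redteam.example.com"}

# Constructed CEF-style extension records, one per line (not real telemetry)
SAMPLE_LOG = """\
src=10.0.0.5 shost=ws01.corp.local request=http://176.65.139.115/FBI.x86 dhost=176.65.139.115 act=blocked
src=10.0.0.9 shost=url-reputation-service.example.com request=http://45.135.193.114/bins/xnxnxnxnxnxnxnxnmipsxnxn dhost=45.135.193.114 act=allowed
src=10.0.0.7 shost=ws02.corp.local request=http://example.org/index.html dhost=example.org act=allowed
src=10.0.1.3 shost=ws03.corp.local request=http://45.135.193.114.evil.example/bins/x dhost=45.135.193.114.evil.example act=allowed
src=10.0.1.4 shost=ws04.corp.local request=http://45.135.193.114/bins/xnxnxnxnxnxnxnxnsh4xnxn dhost=45.135.193.114 act=allowed
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_record(line):
    """Turn 'key=value key=value' text into a dict (values here contain no spaces)."""
    return dict(KV_RE.findall(line))

def is_ioc_host(value):
    """Exact hostname match; a URL is reduced to its host first, so look-alike
    hosts such as 45.135.193.114.evil.example do not match (unlike has_any)."""
    host = urlparse(value).hostname if "://" in value else value
    return (host or "") in MALICIOUS_HOSTS

def hunt(log_text):
    """Return (hits, excluded): IOC matches kept for triage, and matches dropped
    because the source host is on the exclusion list. Hits are ordered with
    allowed (successful) requests first, since those need attention soonest."""
    hits, excluded = [], []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not (is_ioc_host(rec.get("request", "")) or is_ioc_host(rec.get("dhost", ""))):
            continue
        (excluded if rec.get("shost") in EXCLUDED_SOURCES else hits).append(rec)
    hits.sort(key=lambda r: r.get("act") != "allowed")
    return hits, excluded

if __name__ == "__main__":
    found, dropped = hunt(SAMPLE_LOG)
    for r in found:
        print(f"HIT  {r['src']:<10} {r['act']:<8} {r['request']}")
    print(f"{len(dropped)} match(es) suppressed by exclusion list")
```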
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL filtering tool by inputting known benign URLs from the elf category for validation.
Filter/Exclusion: Exclude URLs that match the elf category and are sourced from internal testing environments or whitelisted domains.
Scenario: A scheduled job runs to update the enterprise’s URL reputation database, which includes fetching and processing URLs tagged as elf from a trusted source.
Filter/Exclusion: Exclude URLs that originate from known internal or trusted update services, such as url-reputation-service.example.com.
Scenario: A developer is using a static analysis tool like SonarQube or Snyk to scan code for potential vulnerabilities, and the tool generates URLs with the elf tag during its analysis process.
Filter/Exclusion: Exclude URLs that are generated by static analysis tools or are part of code scanning workflows, such as those containing sonar-scanner or snyk in the URL path.
Scenario: An IT operations team is running a PowerShell script to automate system health checks, and the script temporarily generates URLs with the elf tag for logging or reporting purposes.
Filter/Exclusion: Exclude URLs that contain PowerShell or ps1 in the query string, or that are generated by internal automation scripts.
Scenario: A security team is conducting a red team exercise and uses a tool like Metasploit to simulate a phishing attack, which includes generating URLs with the elf tag for testing.
Filter/Exclusion: Exclude URLs that are part of internal security testing or originate from known red team infrastructure, such as redteam.example.com or metasploit.local.