The hunt hypothesis detects adversaries using malicious URLs associated with the elf malware family to exfiltrate data or establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data breaches and lateral movement attempts.
IOC Summary

Threat: elf
Total URLs: 10
Active URLs: 0 (every listed URL was offline when this summary was collected, so the hunt below is retrospective: look for past resolutions and connections rather than live traffic)
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://188.132.232.81/clZO | offline | malware_download | 2026-06-03 |
| hxxp://188.132.232.81/3Cv | offline | malware_download | 2026-06-03 |
| hxxp://188.132.232.81/sP9 | offline | malware_download | 2026-06-03 |
| hxxp://188.132.232.81/M79V | offline | malware_download | 2026-06-03 |
| hxxp://188.132.232.81/rko | offline | malware_download | 2026-06-03 |
| hxxp://188.132.232.81/xlT | offline | malware_download | 2026-06-03 |
| hxxp://188.132.232.81/47H | offline | malware_download | 2026-06-03 |
| hxxp://188.132.232.81/RZv | offline | malware_download | 2026-06-03 |
| hxxp://188.132.232.81/q6e | offline | malware_download | 2026-06-03 |
| hxxp://188.132.232.81/m1Aj | offline | malware_download | 2026-06-03 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
// The only indicator is a bare IP address, so a match on the queried Name alone
// would rarely fire; also match the resolved IPAddresses column.
let malicious_domains = dynamic(["188.132.232.81"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: elf
// Match the IOC in the requested URL, the destination host name and the destination IP,
// since proxy/firewall events for a direct-to-IP download may carry no host name.
let malicious_domains = dynamic(["188.132.232.81"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Update Job | A legitimate scheduled job runs a system update that includes downloading a .elf file from a known trusted repository (e.g., a vendor's update server). | Exclude URLs from known trusted update servers (e.g., *.example.com/update, *.vendor.com/support). |
| Admin Task for Log Analysis | An admin manually downloads a .elf file for log analysis or forensic purposes using a tool like tcpdump or Wireshark with a local file. | Exclude URLs containing localhost, 127.0.0.1, or internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). |
| CI/CD Pipeline Artifact Download | A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a .elf binary artifact from a private registry or internal artifact store. | Exclude URLs matching internal artifact repositories (e.g., artifactory.example.com, registry.example.com). |
| User-Initiated File Transfer | A user transfers a .elf file from a local machine to a remote server using scp or rsync for backup or sharing purposes. | Exclude URLs containing scp://, rsync://, or internal file transfer protocols. |
| Security Tool Signature Update | A security tool (e.g., Snort, Suricata) updates its signature database, which includes .elf files from a trusted source like VirusTotal | |
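The exclusion scenarios above describe allow-list logic in prose only. The following triage filter is an added example (not part of the original hunt page or of URLhaus) that applies those exclusions to candidate URL hits before escalation: trusted update and artifact hosts, loopback and RFC 1918 addresses, and scp:// or rsync:// transfers are set aside, while any URL whose host matches the IOC from the summary table is always escalated, because an allow-list must never suppress a confirmed indicator. The trusted-host patterns and the sample hits are constructed placeholders; only the IOC host comes from the page.

```python
"""Triage filter for URL hits from the URLhaus 'elf' hunt.

Added example: applies the false-positive exclusions from the scenario table
to candidate URLs. Trusted-host patterns and sample hits are constructed
placeholders; MALICIOUS_HOSTS is the single IOC host from the IOC summary.
"""
import ipaddress
from fnmatch import fnmatch
from urllib.parse import urlparse

# IOC host from the IOC summary table (the table defangs it as hxxp://...).
MALICIOUS_HOSTS = {"188.132.232.81"}

# Constructed allow-list of trusted update / artifact hosts (placeholders).
TRUSTED_HOST_PATTERNS = (
    "*.example.com",
    "*.vendor.com",
    "artifactory.example.com",
    "registry.example.com",
)

# URL schemes for user-initiated file transfers that the hunt should ignore.
EXCLUDED_SCHEMES = {"scp", "rsync"}

# Loopback and private ranges named in the "Admin Task" exclusion.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")
]


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into a parseable http(s):// URL."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def is_internal_host(host: str) -> bool:
    """True for localhost or any address inside INTERNAL_NETWORKS."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_trusted_host(host: str) -> bool:
    """Glob match against the constructed trusted-host allow-list."""
    return any(fnmatch(host, pattern) for pattern in TRUSTED_HOST_PATTERNS)


def classify(url: str) -> str:
    """Return a triage verdict for one candidate URL.

    An IOC match is checked first so that no exclusion can hide it.
    """
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    if host in MALICIOUS_HOSTS:
        return "escalate:ioc-match"
    if parsed.scheme in EXCLUDED_SCHEMES:
        return "excluded:file-transfer"
    if is_internal_host(host):
        return "excluded:internal"
    if is_trusted_host(host):
        return "excluded:trusted"
    return "review"  # unknown external host: needs an analyst's look


def triage(urls):
    """Map every candidate URL to its verdict."""
    return {url: classify(url) for url in urls}


# Constructed sample hits: one real IOC from the table plus benign look-alikes.
SAMPLE_HITS = [
    "hxxp://188.132.232.81/clZO",
    "https://updates.vendor.com/update/agent.elf",
    "http://10.20.30.40/builds/app.elf",
    "http://localhost:8080/tools/analyzer.elf",
    "scp://backup@192.0.2.10/var/backups/tool.elf",
    "http://artifactory.example.com/artifactory/libs/app.elf",
    "http://203.0.113.7/dl/x.elf",
]

if __name__ == "__main__":
    for hit, verdict in triage(SAMPLE_HITS).items():
        print(f"{verdict:24} {hit}")
```

The verdict order is the design point: exclusions are checked only after the IOC lookup, so a trusted-host glob that happens to be too broad cannot suppress a hit on the indicator itself. Unknown external hosts land in "review" rather than being dropped, which is the right default when broadening the hunt beyond the single IP in the IOC table.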