This detection looks for contact with URLhaus-listed URLs attributed to the elf malware family, which an adversary could use for the initial payload download or for command and control. Both listed URLs are hosted on a bare IP address rather than a domain, so the hunt must key on destination and resolved IP fields, not only on hostnames. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and contain early-stage compromise before it leads to broader network infiltration.
IOC Summary

Threat: elf
Total URLs: 2
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://157.230.61.51/jklarm | online | malware_download | 2026-06-15 |
| hxxp://157.230.61.51/jklarm7 | online | malware_download | 2026-06-15 |
The two hunts below are separate queries; run each on its own (a single query cannot declare the same `let` variable twice). Because the indicator is an IP literal, no endpoint will ever issue a DNS query for it, so the DNS hunt also checks the resolved-address field, which catches a domain that resolves to the listed host.

```kusto
// Hunt for DNS activity tied to the URLhaus indicator
// Threat: elf
// The indicator is a bare IP, so match it against resolved addresses as well as query names
let malicious_hosts = dynamic(["157.230.61.51"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web/proxy/firewall traffic to the URLhaus indicator
// Threat: elf
// DestinationIP is included because proxies often log a bare-IP destination with an empty hostname
let malicious_hosts = dynamic(["157.230.61.51"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector (CEF via AMA or Syslog) is enabled and that your proxy or firewall forwards RequestURL and DestinationIP |
| DnsEvents | Ensure this data connector is enabled |
False-positive scenarios and suggested exclusions follow. Anchor every exclusion to the full request host or a URL prefix rather than to a bare substring: a substring such as `npm` or `pip` also matches query strings and paths on the malicious host itself and would silently suppress true hits. None of the hosts below overlap the listed indicator (157.230.61.51), so these exclusions cannot hide a genuine match.

- Scenario: A system administrator is manually testing a new URL shortener tool by visiting a known safe URL that matches the pattern of a malicious URL.
  Filter/Exclusion: Exclude requests whose host is testurlshortener.com, or whose path begins with a dedicated test prefix such as /safe-test-.
- Scenario: A scheduled job fetches updates from a trusted internal repository, and the request URL temporarily matches the signature of a malicious URL.
  Filter/Exclusion: Exclude requests whose host is internal-repo.example.com, optionally narrowed to paths under /updates/.
- Scenario: A developer uses curl or wget to download a dependency from a public package registry that has been mistakenly tagged as malicious in URLhaus.
  Filter/Exclusion: Exclude requests whose URL starts with https://registry.example.com/packages/; do not exclude on the substrings npm or pip alone.
- Scenario: A security team is running a red team exercise with a tool such as Metasploit or Nmap and a custom payload URL that the rule falsely flags.
  Filter/Exclusion: Exclude requests whose host is the exercise host (for example one tagged redteamexercise) or whose destination falls in the lab range 192.168.0.0/16, scoped to the exercise window.
- Scenario: A scheduled backup job downloads a backup archive from an internal server that has been mistakenly tagged as malicious.
  Filter/Exclusion: Exclude requests whose URL starts with https://backup.example.com/ or that carry the query parameter action=backup on that host.
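The following is an added example, not code from the original page or from URLhaus, showing the two points above in runnable form: an IOC hosted on a bare IP must be matched on resolved-address and destination-IP fields, and an exclusion anchored on the request host is safe where a substring exclusion is not. It reproduces the matching logic of the DnsEvents and CommonSecurityLog queries in plain Python over constructed sample records; the record field names mirror the Sentinel columns, and all hostnames, source addresses and the `?src=npm` query string are invented for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# IOC URLs exactly as the URLhaus summary lists them (defanged "hxxp://").
IOC_URLS = [
    "hxxp://157.230.61.51/jklarm",
    "hxxp://157.230.61.51/jklarm7",
]


def refang(url: str) -> str:
    """Restore a defanged indicator (hxxp://, hxxps://, [.]) to a real URL."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def ioc_indicators(urls):
    """Split IOC URLs into IP literals and hostnames.

    A bare-IP IOC is never the Name of a DNS query, so it must be matched
    against resolved-IP / destination-IP fields; only hostnames belong in
    the DNS Name match.
    """
    ips, hosts = set(), set()
    for u in urls:
        host = urlsplit(refang(u)).hostname
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            hosts.add(host.lower())
    return ips, hosts


def hunt_dns(events, ips, hosts):
    """DnsEvents-style records: hit on the query Name or on a resolved address."""
    hits = []
    for e in events:
        resolved = {a.strip() for a in e["IPAddresses"].split(",") if a.strip()}
        if e["Name"].lower() in hosts or resolved & ips:
            hits.append(e["Computer"])
    return hits


def substring_exclusion(needles):
    """'Exclude URLs containing the substring ...' as a predicate.
    Included only to show why it is unsafe: it also matches the malicious URL."""
    return lambda e: any(n in e["RequestURL"] for n in needles)


def host_exclusion(allowed_hosts):
    """Exclusion anchored to the request host: exact host or a subdomain of it."""
    allowed = {h.lower() for h in allowed_hosts}

    def excluded(e):
        host = (urlsplit(e["RequestURL"]).hostname or "").lower()
        return any(host == a or host.endswith("." + a) for a in allowed)
    return excluded


def hunt_web(events, ips, hosts, excluded=None):
    """CommonSecurityLog-style records: hit on URL host, DestinationHostName or DestinationIP."""
    hits = []
    for e in events:
        url_host = (urlsplit(e["RequestURL"]).hostname or "").lower()
        dst_host = e.get("DestinationHostName", "").lower()
        matched = (url_host in ips or url_host in hosts
                   or dst_host in hosts or e.get("DestinationIP") in ips)
        if matched and not (excluded and excluded(e)):
            hits.append(e["SourceIP"])
    return hits


# Constructed sample records (hostnames and source addresses are invented).
DNS_EVENTS = [
    {"TimeGenerated": "2026-06-15T10:01:00Z", "Computer": "ws01",
     "Name": "updates.example.net", "IPAddresses": "203.0.113.9"},
    {"TimeGenerated": "2026-06-15T10:02:00Z", "Computer": "ws02",
     "Name": "cdn.lookalike.example", "IPAddresses": "157.230.61.51"},
]
CSL_EVENTS = [
    {"TimeGenerated": "2026-06-15T10:03:00Z", "SourceIP": "10.0.0.5",
     "RequestURL": "http://157.230.61.51/jklarm7", "DestinationHostName": "",
     "DestinationIP": "157.230.61.51", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:04:00Z", "SourceIP": "10.0.0.6",
     "RequestURL": "https://registry.example.com/packages/npm/left-pad.tgz",
     "DestinationHostName": "registry.example.com",
     "DestinationIP": "198.51.100.20", "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-15T10:05:00Z", "SourceIP": "10.0.0.7",
     "RequestURL": "http://157.230.61.51/jklarm?src=npm", "DestinationHostName": "",
     "DestinationIP": "157.230.61.51", "DeviceAction": "allow"},
]

if __name__ == "__main__":
    ips, hosts = ioc_indicators(IOC_URLS)
    print("DNS hits:", hunt_dns(DNS_EVENTS, ips, hosts))
    print("Web hits, no exclusion:", hunt_web(CSL_EVENTS, ips, hosts))
    print("Web hits, substring exclusion (loses a true hit):",
          hunt_web(CSL_EVENTS, ips, hosts, substring_exclusion(["npm", "pip"])))
    print("Web hits, host-anchored exclusion:",
          hunt_web(CSL_EVENTS, ips, hosts, host_exclusion({"registry.example.com"})))
```

The substring exclusion drops the 10.0.0.7 download from the malicious host because its query string happens to contain `npm`, while the host-anchored exclusion keeps both true hits and still suppresses nothing it should not. The same anchoring translates directly to KQL by filtering on `parse_url(RequestURL).Host` rather than on `RequestURL contains`.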