The hypothesis is that the detected URLs host malicious ELF binaries that adversaries use to deliver payloads or execute code on compromised systems. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential command-and-control or data-exfiltration activity early.
IOC Summary

Threat: elf
Total URLs: 5
Active URLs: 5
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://45.135.194.27/arm7 | online | malware_download | 2026-03-19 |
| hxxp://45.135.194.27/mips | online | malware_download | 2026-03-19 |
| hxxp://45.135.194.27/arm5 | online | malware_download | 2026-03-19 |
| hxxp://45.135.194.27/mpsl | online | malware_download | 2026-03-19 |
| hxxp://45.135.194.27/arm4 | online | malware_download | 2026-03-19 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
// Note: this indicator is a bare IP address, so it will not normally appear as a
// queried name; match on the resolved addresses (IPAddresses) as well as on Name.
let malicious_domains = dynamic(["45.135.194.27"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious domains
// The indicator is an IP address, so also match the DestinationIP field, which
// is populated even when the proxy/firewall does not log a hostname or URL.
let malicious_domains = dynamic(["45.135.194.27"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new endpoint detection and response (EDR) tool by uploading a benign file that includes a URL to a test environment.
Filter/Exclusion: Exclude URLs that match internal testing domains (e.g., *.internal.test, *.dev.example.com) or use a field like url_domain to filter out known internal domains.
Scenario: A scheduled job runs to fetch updates from a public repository (e.g., GitHub) that includes a URL to a script used for automated configuration management (e.g., Ansible playbook).
Filter/Exclusion: Exclude URLs that match known public repositories or use a url_path filter to ignore paths like /releases/ or /download/.
Scenario: A user is accessing a legitimate URL from a security tool (e.g., CrowdStrike Falcon, Microsoft Defender ATP) that is used for threat intelligence sharing.
Filter/Exclusion: Exclude URLs that are known to be part of security tool integrations (e.g., *.crowdstrike.com, *.microsoft.com) or use a url_category field to filter out “security” or “intelligence” categories.
Scenario: A system is running a scheduled backup job that uses a cloud storage URL (e.g., AWS S3 bucket) to store temporary files.
Filter/Exclusion: Exclude URLs that match cloud storage buckets (e.g., *.s3.amazonaws.com, *.blob.core.windows.net) or use a url_scheme filter to ignore s3:// or blob:// URLs.
Scenario: A developer is using a CI/CD pipeline (e.g., Jenkins, GitLab CI) to fetch dependencies from a public package registry (e.g., npm, PyPI), which includes URLs that are flagged as malicious by URLhaus.
Filter/Exclusion: Exclude
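As an added example that is not part of the original playbook, the following Sentinel query folds the web-traffic hunt and the exclusion scenarios above into one CommonSecurityLog query: it matches the URLhaus indicator by destination IP or URL host, tags which of the five ELF payload paths was requested, and drops hits that fall under the internal-testing, registry, tooling or cloud-storage exclusions. The exclusion lists and the 30-day lookback are assumptions to be tuned per environment.

```kusto
// Added example (not from the original page): CommonSecurityLog hunt for the
// URLhaus ELF indicator with the false-positive exclusions applied.
let malicious_ips = dynamic(["45.135.194.27"]);
// URL paths of the five ELF payloads listed in the IOC summary
let malicious_paths = dynamic(["/arm7", "/mips", "/arm5", "/mpsl", "/arm4"]);
// Assumed exclusion lists (placeholders): internal test domains and hosts that
// belong to security tooling, package registries or cloud storage
let internal_test_domains = dynamic(["internal.test", "dev.example.com"]);
let trusted_hosts = dynamic(["github.com", "registry.npmjs.org", "pypi.org",
                             "s3.amazonaws.com", "blob.core.windows.net",
                             "crowdstrike.com"]);
CommonSecurityLog
| where TimeGenerated > ago(30d)                  // assumed lookback window
| extend parsed_url = parse_url(RequestURL)
| extend url_host = tostring(parsed_url.Host),
         url_path = tostring(parsed_url.Path)
// Match the indicator IP in every field where it can appear
| where DestinationIP in (malicious_ips)
     or DestinationHostName in (malicious_ips)
     or url_host in (malicious_ips)
// Apply the exclusion scenarios: internal testing, trusted registries/tooling
| where not(url_host has_any (internal_test_domains))
    and not(DestinationHostName has_any (internal_test_domains))
    and not(url_host has_any (trusted_hosts))
    and not(DestinationHostName has_any (trusted_hosts))
// Tag which architecture-specific payload was requested, if any
| extend payload = iff(url_path in (malicious_paths), url_path, "other")
| summarize first_seen = min(TimeGenerated), last_seen = max(TimeGenerated),
            hits = count(),
            payloads = make_set(payload),
            actions = make_set(DeviceAction)
          by SourceIP, DestinationIP
| order by last_seen desc
```

A source host whose `actions` set shows the download was allowed, or whose `payloads` set contains several architectures, deserves priority triage over a single blocked request.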