Hunt hypothesis: an adversary is using malicious URLs associated with the elf malware family to stage payloads, exfiltrate data or establish command and control. SOC teams should proactively hunt for this behaviour in Azure Sentinel so that a compromise can be identified and contained before it leads to data loss or lateral movement.
IOC Summary
Threat: elf
Total URLs: 24
Active URLs: 0
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
// The indicator is an IP address, so match the resolved IPAddresses column
// as well as the queried Name; a bare Name match would never hit an IP.
let malicious_domains = dynamic(["45.205.1.59"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: elf
let malicious_domains = dynamic(["45.205.1.59"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a new URL filtering tool by accessing a known safe “elf” file from a trusted source.
  Filter/Exclusion: Exclude URLs that match the internal testing environment or known safe domains used for testing purposes.
- Scenario: A scheduled job runs to download and verify signed software updates from a secure internal repository, which includes ELF files.
  Filter/Exclusion: Exclude URLs that belong to internal update servers or are tagged as “trusted” in the enterprise’s asset inventory.
- Scenario: A developer is using a CI/CD pipeline to build and package a new application, which includes ELF binaries as part of the build process.
  Filter/Exclusion: Exclude URLs that are part of the CI/CD pipeline or belong to internal development servers.
- Scenario: A security analyst is performing a red team exercise and is using a legitimate ELF file as part of a controlled simulation.
  Filter/Exclusion: Exclude URLs that are associated with red team environments or are flagged as “simulated” in the enterprise’s security testing framework.
- Scenario: A backup process is transferring ELF files between servers across the network, which are not malicious but are part of standard system operations.
  Filter/Exclusion: Exclude URLs that are internal network paths or are associated with backup and restore operations.
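The exclusions above carried into the page's web-traffic hunt, as an added example that is not part of the original hunt page: it drops traffic to enterprise-trusted destinations and from build, backup and red-team source systems, then flags requests whose path matches one of the listed payload paths. The watchlist names TrustedDownloadSources and HuntSourceExclusions and their columns are assumptions.

```kql
// Added example (not from the original hunt page): web-traffic hunt for the
// elf indicator with the false-positive exclusions applied.
// Assumed watchlists (hypothetical names/columns):
//   TrustedDownloadSources  column "Host"     - internal update, test, build servers
//   HuntSourceExclusions    column "SourceIP" - CI/CD runners, backup and red-team hosts
let malicious_hosts = dynamic(["45.205.1.59"]);
// Payload paths from the IOC table (first three shown; extend with the rest)
let malicious_paths = dynamic(["/7e8a8c", "/caa275", "/906033"]);
let trusted_hosts = _GetWatchlist('TrustedDownloadSources') | project Host;
let excluded_sources = _GetWatchlist('HuntSourceExclusions') | project SourceIP;
CommonSecurityLog
| where TimeGenerated > ago(30d)
| where RequestURL has_any (malicious_hosts) or DestinationHostName has_any (malicious_hosts)
// Scenarios 1-3: destinations the enterprise has tagged as trusted/internal
| where DestinationHostName !in (trusted_hosts)
// Scenarios 3-5: requests originating from build, backup and red-team systems
| where SourceIP !in (excluded_sources)
// Path after the host; empty when the proxy logs the URL without a scheme
| extend Path = extract(@"^[a-zA-Z]+://[^/]+(/.*)$", 1, RequestURL)
| extend KnownPayloadPath = Path in (malicious_paths)
| summarize Hits = count(),
            KnownPathHits = countif(KnownPayloadPath),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Paths = make_set(Path), Actions = make_set(DeviceAction)
  by SourceIP, DestinationHostName
// Sources that fetched an exact known payload path surface first
| order by KnownPathHits desc, Hits desc
```

A source with KnownPathHits greater than zero and no blocking action in Actions is the case to triage first; repeated hits to the host with other paths may indicate payloads not yet in the IOC list.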