Hunt Hypothesis

Adversaries are using malicious URLs associated with the elf threat to stage payload downloads, exfiltrate data, or establish command and control. SOC teams should proactively hunt for contact with these URLs in Azure Sentinel to identify and contain potential data breaches and lateral movement attempts.

IOC Summary

Threat: elf. Total URLs: 15. Active URLs: 14.
Hunt Queries

```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: elf
// The indicators are raw IP addresses. A URL with an IP literal produces no
// DNS lookup, so match on the resolved addresses (IPAddresses) as well as the
// queried name. The third host is listed offline but is kept for historical hits.
let malicious_ips = dynamic(["159.223.171.245", "176.65.149.124", "188.132.232.81"]);
DnsEvents
| where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: elf
// Match on the request URL, the destination host name and the destination IP,
// since proxy and firewall sources populate these fields differently.
let malicious_ips = dynamic(["159.223.171.245", "176.65.149.124", "188.132.232.81"]);
CommonSecurityLog
| where RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or DestinationIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is manually testing a new URL shortening service by generating and accessing a few legitimate .elf files for internal validation.
  Filter/Exclusion: Exclude URLs containing the string internal.test or localhost in the domain.
- Scenario: A scheduled job runs a script that downloads and unpacks a .elf file as part of a software update process, such as deploying a new version of a network monitoring tool like SolarWinds or PRTG Network Monitor.
  Filter/Exclusion: Exclude URLs that match the IP range or domain of known internal update servers (e.g., update.example.com).
- Scenario: A security analyst is using Wireshark to analyze network traffic and manually opens a .elf file to inspect its contents for potential vulnerabilities.
  Filter/Exclusion: Exclude URLs that contain the query parameter ?debug=true or ?analysis=true, indicating manual inspection.
- Scenario: A DevOps team is using Ansible to automate the deployment of a custom application that includes a .elf binary as part of the build process.
  Filter/Exclusion: Exclude URLs that include the path /ansible-deploy/ or match the IP address of the internal CI/CD server.
- Scenario: A system is running a scheduled backup job that temporarily stores a .elf file in a temporary directory for processing, such as during a log analysis task with the ELK Stack.
  Filter/Exclusion: Exclude URLs that contain the path /tmp/ or match the hostname of the backup server (e.g., backup-server.example.com).
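As an added example (not part of the original hunt page), the two hunts combined into a single query that applies the exclusions from the scenarios above and summarises hits per host for triage. The hostnames update.example.com and backup-server.example.com are the page's own placeholders; 10.10.10.5 is a constructed placeholder for the internal CI/CD server address.

```kusto
// Added example: combined URLhaus elf hunt with false-positive exclusions applied.
// Replace the placeholder hosts and the CI/CD address with your own environment's values.
let lookback = 7d;
let malicious_ips = dynamic(["159.223.171.245", "176.65.149.124", "188.132.232.81"]);
let excluded_hosts = dynamic(["internal.test", "localhost", "update.example.com", "backup-server.example.com"]);
let excluded_paths = dynamic(["?debug=true", "?analysis=true", "/ansible-deploy/", "/tmp/"]);
let ci_cd_server = "10.10.10.5";   // constructed placeholder for the internal CI/CD server
// Proxy / firewall hits: match on URL, destination host name or destination IP
let web_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestURL has_any (malicious_ips)
        or DestinationHostName has_any (malicious_ips)
        or DestinationIP in (malicious_ips)
    | where not(RequestURL has_any (excluded_paths))
    | where not(DestinationHostName has_any (excluded_hosts))
    | where SourceIP != ci_cd_server
    | project TimeGenerated,
              Host = SourceIP,
              Indicator = iff(isempty(RequestURL), DestinationIP, RequestURL),
              Source = "CommonSecurityLog",
              Action = DeviceAction;
// DNS hits: a raw-IP URL produces no lookup, so match on resolved answers as well as the name
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
    | where not(Name has_any (excluded_hosts))
    | project TimeGenerated,
              Host = Computer,
              Indicator = Name,
              Source = "DnsEvents",
              Action = "";
// One row per affected host: first/last contact, hit count, which indicators and which sources fired
union web_hits, dns_hits
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hits = count(),
            Indicators = make_set(Indicator, 10),
            Sources = make_set(Source)
    by Host
| order by Hits desc
```

Hosts that appear in both Sources columns (a resolution followed by an outbound request) are the strongest candidates for isolation and further forensic review.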