The detection identifies potential adversary activity involving malicious URLs associated with the elf malware, which could be used to deliver payloads or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that may evade traditional detection methods.
IOC Summary

Threat: elf
Total URLs: 2
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://static.210.112.105.178.clients.your-server.de/bins/px86 | online | malware_download | 2026-05-24 |
| hxxp://178.105.112.210/bins/px86 | online | malware_download | 2026-05-24 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
let malicious_domains = dynamic(["static.210.112.105.178.clients.your-server.de", "178.105.112.210"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: elf
let malicious_domains = dynamic(["static.210.112.105.178.clients.your-server.de", "178.105.112.210"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a new URL shortener tool (short.url) by generating and accessing a test URL that is flagged as malicious by URLhaus.
  Filter/Exclusion: Exclude URLs containing the string test.short.url or any URL that includes the domain short.url in the http_host field.
- Scenario: A scheduled job runs a script that fetches and processes a list of URLs from an internal repository (internal-repo.com) for validation purposes, and one of the URLs is mistakenly tagged as malicious in URLhaus.
  Filter/Exclusion: Exclude URLs originating from the domain internal-repo.com using the src_ip or http_host field.
- Scenario: A DevOps team is deploying a new application using a CI/CD pipeline (ci.pipeline.example.com), and the deployment script includes a temporary URL for artifact download that is flagged as malicious.
  Filter/Exclusion: Exclude URLs that match the pattern artifact-download.ci.pipeline.example.com or any URL containing ci.pipeline.example.com in the http_host field.
- Scenario: A security analyst is performing a red team exercise and uses a legitimate tool (metasploit-framework.com) to simulate a phishing attack, which results in a URL being flagged as malicious.
  Filter/Exclusion: Exclude URLs that contain the domain metasploit-framework.com or any URL with the substring redteamexercise.
- Scenario: A backup system (backup-system.example.com) generates temporary URLs for file access during a restore process, and one of these URLs is incorrectly flagged as malicious by URLhaus.
  Filter/Exclusion: Exclude URLs that include the domain backup-system.example.com or any URL with the path /restore-temp/.
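The hunt queries above hard-code the host list, and the false-positive scenarios describe exclusions in prose. The script below is an added example (not part of this hunt page or of URLhaus tooling) showing how a SOC would turn the defanged IOC table into the `dynamic([...])` list the KQL expects, drop any host that falls under a tuned allowlist, and emit both hunt queries with the allowlist applied. The `ALLOWLIST_HOSTS` values are taken from the scenarios above but treating them as hostnames is an assumption; the `refang` conventions beyond `hxxp` are also assumptions, since the page only uses `hxxp`.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the two defanged entries from the IOC Summary table.
IOC_URLS = [
    "hxxp://static.210.112.105.178.clients.your-server.de/bins/px86",
    "hxxp://178.105.112.210/bins/px86",
]

# Assumption: the false-positive scenarios reduce to these allowlisted hosts.
ALLOWLIST_HOSTS = [
    "short.url",
    "internal-repo.com",
    "ci.pipeline.example.com",
    "metasploit-framework.com",
    "backup-system.example.com",
]


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.] and [:]) so the URL can be parsed."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def extract_host(url: str) -> str:
    """Return the lowercase hostname (or literal IP) of a possibly defanged URL."""
    host = urlsplit(refang(url)).hostname
    if not host:
        raise ValueError(f"no hostname in IOC: {url!r}")
    return host.lower()


def is_allowlisted(host: str, allowlist) -> bool:
    """True when host equals an allowlisted domain or is a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def hunt_hosts(iocs, allowlist=ALLOWLIST_HOSTS):
    """De-duplicated IOC hosts that survive the allowlist, in table order."""
    hosts = []
    for url in iocs:
        host = extract_host(url)
        if is_allowlisted(host, allowlist) or host in hosts:
            continue
        hosts.append(host)
    return hosts


def kql_list(name: str, values) -> str:
    """Render a KQL 'let' statement holding a dynamic array of strings."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def build_queries(iocs, allowlist=ALLOWLIST_HOSTS):
    """Return (dns_query, proxy_query) with IOC list and allowlist applied."""
    header = (kql_list("malicious_domains", hunt_hosts(iocs, allowlist)) + "\n"
              + kql_list("allowlist_hosts", allowlist) + "\n")
    dns_query = header + (
        "DnsEvents\n"
        "| where Name has_any (malicious_domains)\n"
        "| where not(Name has_any (allowlist_hosts))\n"
        "| project TimeGenerated, Computer, Name, IPAddresses\n"
        "| order by TimeGenerated desc"
    )
    proxy_query = header + (
        "CommonSecurityLog\n"
        "| where RequestURL has_any (malicious_domains) "
        "or DestinationHostName has_any (malicious_domains)\n"
        "| where not(RequestURL has_any (allowlist_hosts) "
        "or DestinationHostName has_any (allowlist_hosts))\n"
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction\n"
        "| order by TimeGenerated desc"
    )
    return dns_query, proxy_query


if __name__ == "__main__":
    dns_q, proxy_q = build_queries(IOC_URLS)
    print(dns_q)
    print()
    print(proxy_q)
```

Both generated queries keep the original match logic and only add a second `where` that removes allowlisted hosts, so tuning lives in one list instead of being re-typed per query. Because `is_allowlisted` matches subdomains, a constructed IOC such as `hxxp://artifact-download.ci.pipeline.example.com/x` would be dropped from `malicious_domains` before the query is ever run.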