The ThreatFox: Havoc IOCs rule flags network connections to command-and-control (C2) addresses that ThreatFox attributes to Havoc, an open-source C2 framework whose "Demon" agents beacon back to a teamserver. The indicators are ip:port pairs with 75% confidence, so a hit means a host is talking to infrastructure that was acting as a Havoc teamserver when the IOC was reported, and that is exactly the beaconing stage at which an intrusion is still cheap to contain. SOC teams should hunt for these connections in Microsoft Sentinel (formerly Azure Sentinel) and treat any match as an incident until the destination has been explained, rather than waiting for later-stage lateral movement or persistence to surface on its own.
IOC Summary
Malware Family: Havoc
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 44[.]215[.]161[.]149:4005 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 178[.]105[.]40[.]204:443 | botnet_cc | 2026-05-10 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc. The IOCs are ip:port, so the port is carried along:
// an exact ip:port hit is the strongest signal, an IP-only hit still needs triage.
let havoc_c2 = datatable(ioc_ip:string, ioc_port:int) ["44.215.161.149", 4005, "178.105.40.204", 443];
let malicious_ips = toscalar(havoc_c2 | summarize make_list(ioc_ip));
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| join kind=leftouter havoc_c2 on $left.DestinationIP == $right.ioc_ip
| extend ExactPortMatch = DestinationPort == ioc_port   // false for SourceIP (inbound) matches
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, ExactPortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let havoc_c2 = datatable(ioc_ip:string, ioc_port:int) ["44.215.161.149", 4005, "178.105.40.204", 443];
let malicious_ips = toscalar(havoc_c2 | summarize make_list(ioc_ip));
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| join kind=leftouter havoc_c2 on $left.RemoteIP == $right.ioc_ip
| extend ExactPortMatch = RemotePort == ioc_port
// Command line and account are needed for triage; the process name alone never clears a C2 hit
| project Timestamp, DeviceName, RemoteIP, RemotePort, ExactPortMatch, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF-formatted firewall, proxy or NDR logs); SourceIP and DestinationIP are strings, so the IOCs are matched as plain text |
| DeviceNetworkEvents | Ensure this data connector is enabled (Microsoft Defender for Endpoint telemetry via the Microsoft Defender XDR connector) |
False Positive Handling
The indicators are C2 server addresses, not file names or command lines, so a process-name or command-line exclusion does not describe a benign condition; it only hides hits from whichever process the implant happens to run in, and an attacker picks that name. The safe exclusion is a verified tuple (DeviceName, RemoteIP, RemotePort and the owning process) recorded after the connection has been explained, for example because a hosting-provider address has since been reassigned to a legitimate service. Re-check the ThreatFox entry's dates before allow-listing anything. The scenarios below keep the original cases with corrected guidance.
Scenario: Scheduled system backup using Veeam
Filter/Exclusion: Do not exclude on process names containing "Veeam" or "backup". If a backup proxy is confirmed to reach a listed address for a legitimate reason, allow-list that host's specific RemoteIP:RemotePort pair only.
Rationale: Backup jobs have no reason to contact a Havoc teamserver, and a keyword exclusion would also suppress an implant injected into, or named after, the backup agent.
Scenario: Windows Update using Windows Server Update Services (WSUS)
Filter/Exclusion: Do not exclude on "wsus" or "update" in the command line. Confirm the destination is the configured WSUS server or a Microsoft update endpoint; a listed address reached from svchost.exe or wuauclt.exe is a finding.
Rationale: A blanket "update" keyword is evaded by naming the implant update.exe, and genuine update traffic never goes to a reported C2 address.
Scenario: Admin task using PowerShell for log management with LogParser
Filter/Exclusion: Do not exclude "LogParser" or "PowerShell". Review InitiatingProcessCommandLine and the launching account; a scripted LogParser run points at local log paths, not at an external ip:port.
Rationale: PowerShell is one of the most common hosts for C2 loaders, so excluding it removes the process most likely to appear in a true positive.
Scenario: Database maintenance using SQL Server Agent Jobs
Filter/Exclusion: Do not exclude "SQLAgent" or "SQL Server". Compare the destination with the job's documented linked servers and backup targets; only a documented destination should be allow-listed, as a host-to-ip:port tuple.
Rationale: Agent jobs run with high privilege and can execute CmdExec and PowerShell job steps, which makes SQL Server a convenient place for an attacker to hide a beacon.
Scenario: Network monitoring using Wireshark with custom scripts
Filter/Exclusion: Do not exclude "Wireshark" or "tcpdump". A capture tool records traffic; it does not originate connections to a C2 address, so a hit attributed to it means the capture host, or a script it launched, is actually reaching the IOC.
Rationale: Packet captures that merely contain the IOC as payload are not network events and will not trigger these queries; only real connections from the host do.
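To make the matching and exclusion logic concrete, here is an added Python example (not part of the original rule, of Sentinel, or of ThreatFox). It refangs the ip:port indicators from the IOC Summary table, runs them over a handful of constructed DeviceNetworkEvents-style records, and contrasts an analyst-verified host/destination allow-list with the keyword-on-process-name exclusions discussed in the scenarios. The device names, process names and events are hypothetical sample data, not real telemetry.

```python
"""Added example for this page (not part of the original rule, of Sentinel, or of
ThreatFox): refang the ip:port IOCs, run them over constructed
DeviceNetworkEvents-style records, and contrast a verified allow-list with
process-name keyword exclusions."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Defanged values copied from the IOC Summary table above.
THREATFOX_HAVOC_IOCS = ["44[.]215[.]161[.]149:4005", "178[.]105[.]40[.]204:443"]


def refang_ioc(value: str) -> Tuple[str, int]:
    """Turn a defanged ThreatFox ip:port string into a validated (ip, port) pair."""
    ip_text, sep, port_text = value.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"not an ip:port indicator: {value!r}")
    ip = str(ipaddress.ip_address(ip_text))  # raises ValueError on anything that is not an IP
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {value!r}")
    return ip, port


HAVOC_C2 = frozenset(refang_ioc(v) for v in THREATFOX_HAVOC_IOCS)
HAVOC_IPS = frozenset(ip for ip, _ in HAVOC_C2)


@dataclass(frozen=True)
class NetEvent:
    """Subset of DeviceNetworkEvents columns used here."""
    device: str       # DeviceName
    process: str      # InitiatingProcessFileName
    remote_ip: str    # RemoteIP
    remote_port: int  # RemotePort


# Constructed sample telemetry (hypothetical hosts and processes, not real data).
EVENTS = [
    NetEvent("WS-012", "powershell.exe", "178.105.40.204", 443),    # exact ip:port hit
    NetEvent("SRV-BK1", "VeeamAgent.exe", "44.215.161.149", 4005),  # exact hit from a "backup" process
    NetEvent("WS-044", "update.exe", "44.215.161.149", 4005),       # implant renamed to dodge an "update" filter
    NetEvent("WS-044", "chrome.exe", "178.105.40.204", 8443),       # IP matches, port does not
    NetEvent("SRV-SQL1", "sqlservr.exe", "10.20.30.40", 1433),      # benign internal traffic
]

# (device, remote_ip, remote_port) tuples an analyst has verified as benign.
Allowlist = FrozenSet[Tuple[str, str, int]]


def classify(ev: NetEvent) -> Optional[str]:
    """'exact' for an ip:port match, 'ip-only' when only the address matches, None otherwise."""
    if (ev.remote_ip, ev.remote_port) in HAVOC_C2:
        return "exact"
    if ev.remote_ip in HAVOC_IPS:
        return "ip-only"
    return None


def hunt(events: Iterable[NetEvent], allowlist: Allowlist = frozenset()) -> List[Tuple[NetEvent, str]]:
    """Return (event, verdict) pairs, suppressing only analyst-verified host/destination tuples."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            continue
        if (ev.device, ev.remote_ip, ev.remote_port) in allowlist:
            continue
        hits.append((ev, verdict))
    return hits


def hunt_with_name_filter(events: Iterable[NetEvent], keywords: Iterable[str]) -> List[Tuple[NetEvent, str]]:
    """The keyword-on-process-name exclusion style; included only to show what it hides."""
    lowered = [k.lower() for k in keywords]
    kept = [ev for ev in events if not any(k in ev.process.lower() for k in lowered)]
    return hunt(kept)


if __name__ == "__main__":
    for ev, verdict in hunt(EVENTS):
        print(f"{verdict:8} {ev.device:9} {ev.process:16} {ev.remote_ip}:{ev.remote_port}")
    hidden = len(hunt(EVENTS)) - len(hunt_with_name_filter(EVENTS, ["veeam", "backup", "update", "powershell"]))
    print(f"hits hidden by keyword exclusions: {hidden}")
```

Running the script lists four hits (three exact ip:port matches and one IP-only match on a different port); applying the four keyword exclusions from the original scenarios leaves only the IP-only chrome.exe hit, so the three exact matches, including the renamed update.exe implant, would never reach an analyst. A per-host allow-list entry for the one verified backup proxy suppresses exactly that host and nothing else.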