The hunt hypothesis is that adversaries use the malicious URLs URLhaus associates with the elf malware family to exfiltrate data or establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify and mitigate potential data breaches and lateral movement attempts.
IOC Summary
Threat: elf
Total URLs: 26
Active URLs: 26
Every listed entry carries the URLhaus status malware_download, i.e. the URLs host ELF payloads built for a range of CPU architectures; a hit therefore indicates payload retrieval (the download stage) rather than confirmed exfiltration.
```kusto
// Hunt for DNS activity involving the URLhaus-listed hosts
// Threat: elf
// The indicators are IP addresses, so match the resolved addresses as well as
// the queried name: an IP address never appears as a DNS query name.
let malicious_hosts = dynamic(["156.238.242.196", "130.78.217.194"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to the URLhaus-listed hosts
// Threat: elf
// DestinationIP is checked as well, since proxy/firewall records for a direct
// IP connection may leave RequestURL and DestinationHostName empty.
let malicious_hosts = dynamic(["156.238.242.196", "130.78.217.194"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the data connector feeding this table is enabled |
| DnsEvents | Ensure the data connector feeding this table is enabled |
False Positive Scenarios
- Scenario: A system administrator is manually testing a new endpoint protection tool by downloading a known safe “elf” file from a trusted internal repository.
  Filter/Exclusion: Exclude URLs matching internal repository domains (e.g., internal-repo.example.com), or use a custom field like src_ip to filter internal IP ranges.
- Scenario: A scheduled job runs a nightly script that downloads a pre-signed S3 bucket object containing a legitimate “elf” file for backup purposes.
  Filter/Exclusion: Exclude URLs containing s3.amazonaws.com or use a custom field like url_path to filter known backup paths (e.g., /backup/).
- Scenario: A DevOps engineer is deploying a new container image using a CI/CD pipeline, which includes a legitimate “elf” binary as part of the deployment package.
  Filter/Exclusion: Exclude URLs containing ci-cd.example.com or use a custom field like job_name to filter known CI/CD pipeline URLs.
- Scenario: A security analyst is performing a red team exercise and uses a legitimate “elf” file as part of a controlled simulation to test incident response procedures.
  Filter/Exclusion: Exclude URLs containing redteam.example.com or use a custom field like user to filter known red team user accounts.
- Scenario: A system update process automatically downloads a legitimate “elf” file from a known vendor’s update server to patch a system.
  Filter/Exclusion: Exclude URLs containing updates.vendor.com or use a custom field like update_type to filter known update-related URLs.
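As an added example, not part of the original hunt, the following Python reproduces the matching the CommonSecurityLog query performs and applies the host-based exclusions from the false-positive scenarios to constructed proxy log lines. The log record layout, the allowlist host names, and the two IOC URLs picked from the feed are assumptions; it also shows why matching the parsed host is safer than a substring match on the whole URL.

```python
from urllib.parse import urlsplit

# Indicator URLs, defanged as URLhaus publishes them (constructed subset).
IOC_URLS = ["hxxp://156.238.242.196/manji.x86",
            "hxxp://130.78.217.194:8888/bot.mips"]
# Assumed allowlist hosts from the false-positive scenarios. Compared against
# the parsed host, never the raw URL, so an allowlisted name in an IOC URL's
# path cannot suppress the hit.
ALLOWLIST = ("internal-repo.example.com", "s3.amazonaws.com",
             "ci-cd.example.com", "updates.vendor.com")

def refang(url: str) -> str:
    """Reverse feed defanging (hxxp -> http, [.] -> .) so urlsplit can parse."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def ioc_hosts(urls):
    """Hostnames/IPs (port stripped) referenced by the indicator URLs."""
    return {urlsplit(refang(u)).hostname for u in urls}

def is_allowlisted(host: str) -> bool:
    return any(host == a or host.endswith("." + a) for a in ALLOWLIST)

def is_hit(request_url: str, hosts) -> bool:
    """True when the parsed host is an IOC host and not allowlisted. Parsing
    the host avoids the substring match that `has_any` on RequestURL gives
    when an IOC address merely appears inside another URL's path."""
    host = urlsplit(refang(request_url)).hostname
    return host in hosts and not is_allowlisted(host)

def hunt(log_lines, hosts):
    """(src_ip, url, action) per proxy line hitting an IOC host. Constructed
    record layout: 'timestamp src_ip url action'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed records instead of aborting the hunt
        _ts, src, url, action = parts[:4]
        if is_hit(url, hosts):
            hits.append((src, url, action))
    return hits

# Constructed proxy records; line 4 carries an IOC address in the path only.
SAMPLE_LOG = [
    "2026-05-11T03:12:09Z 10.20.5.14 http://156.238.242.196/manji.x86 allowed",
    "2026-05-11T03:12:40Z 10.20.5.14 http://130.78.217.194:8888/bot.mips blocked",
    "2026-05-11T04:00:00Z 10.20.9.2 https://internal-repo.example.com/agent.elf allowed",
    "2026-05-11T04:05:00Z 10.20.9.3 http://203.0.113.7/156.238.242.196/x allowed",
]
```

Running `hunt(SAMPLE_LOG, ioc_hosts(IOC_URLS))` returns only the first two records; the Sentinel query's `has_any` on RequestURL would additionally flag the fourth.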