This hunt hypothesis covers adversaries using malicious URLs associated with the elf malware family to exfiltrate data or to establish command and control. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential data breaches and lateral-movement attempts.
IOC Summary

Threat: elf. Total URLs: 18. Active URLs: 18.
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: elf
// The indicators are IP addresses, so match them against the resolved
// IPAddresses column as well as the queried Name (a name lookup alone
// would never contain a dotted IP).
let malicious_hosts = dynamic(["176.65.139.9", "94.156.152.234", "95.135.208.217", "103.153.68.104"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious hosts
// Threat: elf
// Match either the full request URL or the destination host, since proxies
// and firewalls do not always populate both fields.
let malicious_hosts = dynamic(["176.65.139.9", "94.156.152.234", "95.135.208.217", "103.153.68.104"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts) or DestinationHostName has_any (malicious_hosts)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False positive scenarios and exclusions

- Scenario: A system administrator is manually testing a new URL shortening service by generating and accessing a few legitimate .elf files for internal validation. Filter/Exclusion: Exclude URLs containing the string internal-test or dev- in the domain.
- Scenario: A scheduled job runs a script that downloads a .elf file from a trusted internal repository to update a local toolchain or build system. Filter/Exclusion: Exclude URLs that match the internal artifact repository domain (e.g., artifactory.internal.corp).
- Scenario: A security team member is using a tool like OSSEC or Splunk to monitor system logs and accidentally triggers a script that generates a .elf file for log analysis. Filter/Exclusion: Exclude URLs containing the string log-analysis or splunk in the path.
- Scenario: A DevOps engineer is deploying a containerized application using Docker, and the build process generates a temporary .elf file as part of the build artifacts. Filter/Exclusion: Exclude URLs that include the path /docker-build/ or contain the string build-artifact.
- Scenario: A system update or patching process using Ansible or Chef temporarily creates a .elf file during the installation of a binary package on a Linux server. Filter/Exclusion: Exclude URLs that match the IP address range of the internal patch management server or contain the string patch-.
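A combined form of the two hunts above with the artifact-repository exclusion applied, added here as an example and not part of the original playbook. It assumes the four IOC hosts from this page and uses artifactory.internal.corp from the false-positive list as a placeholder for your own repository host; the exclusion is keyed on the destination host rather than on a path substring, so a download from a listed IP under a path such as patch- is still surfaced.

```kql
// Added example: union the DNS and proxy evidence, apply a host-scoped
// exclusion, and summarise per source so an analyst sees first/last seen
// and the evidence behind each hit in one row.
let malicious_hosts = dynamic(["176.65.139.9", "94.156.152.234", "95.135.208.217", "103.153.68.104"]);
// Placeholder for the internal artifact repository from the false-positive section.
let trusted_repo_hosts = dynamic(["artifactory.internal.corp"]);
let proxy_hits = CommonSecurityLog
    | where RequestURL has_any (malicious_hosts) or DestinationHostName has_any (malicious_hosts)
    // Exclude by destination host only; a substring match on the path would
    // let a payload served from a listed IP slip through the filter.
    | where not(DestinationHostName in~ (trusted_repo_hosts))
    | extend Source = tostring(SourceIP),
             Evidence = strcat("proxy: ", coalesce(RequestURL, DestinationHostName)),
             Action = DeviceAction;
let dns_hits = DnsEvents
    | where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
    | extend Source = Computer,
             Evidence = strcat("dns: ", Name, " -> ", IPAddresses),
             Action = "";
union proxy_hits, dns_hits
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hits = count(),
            Evidence = make_set(Evidence, 10),
            Actions = make_set(Action)
            by Source
| order by LastSeen desc
```

A source that appears with both dns: and proxy: evidence, or with an allowed DeviceAction, should be triaged ahead of blocked-only hits.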