This hunt hypothesis covers adversaries using malicious URLs associated with the elf malware family to exfiltrate data or establish command and control. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate potential data breaches and lateral movement attempts.
IOC Summary
Threat: elf | Total URLs: 17 | Active URLs: 9
```kusto
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: elf
// The URLhaus indicators for this threat are bare IP addresses, so a match on
// the queried name alone would never fire; match the resolved addresses too.
let malicious_domains = dynamic(["176.65.148.164", "179.43.182.70"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: elf
// Run as a separate query from the DNS hunt above (it redeclares the same let).
let malicious_domains = dynamic(["176.65.148.164", "179.43.182.70"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
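The queries above hard-code the indicator list, and the false-positive scenarios that follow rely on "url contains" style exclusions. As an added example (not the page's own tooling), the script below parses a URLhaus-style IOC table into the Sentinel `let` lists, drops offline loaders by default, and applies a trusted-host exclusion that matches on the host suffix rather than a substring; the sample rows and the `TRUSTED_HOSTS` allowlist are constructed, and 203.0.113.10 is a documentation-range placeholder.

```python
# Added example (not the page's own code): build Sentinel 'let' lists from a URLhaus-style IOC table.
import json
import re
from urllib.parse import urlsplit

# Constructed sample rows in the page's "URL | Status | Threat | Date Added" layout.
SAMPLE_ROWS = """\
hxxp://176.65.148.164/main_arm5 | online | malware_download | 2026-05-17
hxxp://179.43.182.70/bins/Mercury.arm7 | online | malware_download | 2026-05-17
hxxp://203.0.113.10:46600/Mozi.7 | offline | malware_download | 2026-05-17
hxxp://176.65.148.164/main_mips | online | malware_download | 2026-05-17
"""
# Hypothetical allowlist of approved artifact/update hosts; replace with your own.
TRUSTED_HOSTS = ["nexus.company.com", "artifactory.company.com", "internal.tools"]

def refang(url: str) -> str:
    """Turn defanged hxxp(s):// and [.] notation back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")

def parse_iocs(text: str) -> list:
    """Parse pipe-separated IOC rows; header and separator lines are skipped."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not cells[0].lower().startswith("hxxp"):
            continue
        url = refang(cells[0])
        iocs.append({"url": url, "host": urlsplit(url).hostname,
                     "status": cells[1], "threat": cells[2], "date": cells[3]})
    return iocs

def hunt_hosts(iocs, include_offline: bool = False) -> list:
    # Unique hosts to hunt on; offline loaders are dropped unless requested.
    return sorted({i["host"] for i in iocs if include_offline or i["status"] == "online"})

def is_trusted(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """Host-suffix match: unlike 'url contains', internal.tools.evil.example is NOT trusted."""
    host = urlsplit(refang(url)).hostname or ""
    return any(host == t or host.endswith("." + t) for t in trusted)

def build_query(iocs, trusted=TRUSTED_HOSTS) -> str:
    """CommonSecurityLog hunt with the malicious-host match and the trusted-host exclusion."""
    return "\n".join([
        f"let malicious_hosts = dynamic({json.dumps(hunt_hosts(iocs))});",
        f"let trusted_hosts = dynamic({json.dumps(trusted)});",
        "CommonSecurityLog",
        "| where RequestURL has_any (malicious_hosts) or DestinationIP has_any (malicious_hosts)",
        "| where not(DestinationHostName has_any (trusted_hosts))",
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction",
        "| order by TimeGenerated desc",
    ])
```

Paste the string returned by `build_query(parse_iocs(SAMPLE_ROWS))` into a Sentinel hunting query; pass `include_offline=True` to `hunt_hosts` when you also want historical hits on loaders URLhaus has since marked offline.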
Scenario: Scheduled System Update Job
Description: A legitimate scheduled job runs a system update that downloads a .elf file from a known trusted repository (e.g., a company’s internal repo or a public package manager like apt or yum).
Filter/Exclusion: Check the source URL against an allowlist of approved update servers, or use a filter like url contains "internal-repo.com" or "trusted-update-source.com".
Scenario: Admin Task - Manual File Extraction
Description: An admin manually downloads a .elf file from a secure internal URL (e.g., https://internal.tools/elf-tool) to test or deploy a new tool.
Filter/Exclusion: Use a filter like url contains "internal.tools" or "internal-elf-tool" or check the source against a list of known admin tools.
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a .elf binary from a secure artifact repository (e.g., Nexus, Artifactory) as part of a build process.
Filter/Exclusion: Filter by url contains "nexus.company.com" or "artifactory.company.com" or check the URL against a list of known CI/CD artifact hosts.
Scenario: Log Analysis Tool Import
Description: A log analysis tool (e.g., Splunk, ELK stack) imports a .elf file from a secure internal URL for processing or analysis.
Filter/Exclusion: Use a filter like url contains "splunk-integration.com" or "log-analysis-tool.com" or check the URL against a list of known internal log tools.
Scenario: Internal Tool Deployment via HTTP
Description: A company-developed internal tool (e.g., `internal