Adversaries may be using URLs tagged "elf" by URLhaus to deliver ELF payloads or exfiltrate data, leveraging compromised hosts or phishing-based attack vectors. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activity early.
IOC Summary
Threat: elf | Total URLs: 7 | Active URLs: 0

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://107.189.19.55/x86_64 | offline | malware_download | 2026-05-07 |
| hxxp://107.189.19.55/m68k | offline | malware_download | 2026-05-07 |
| hxxp://107.189.19.55/sh4 | offline | malware_download | 2026-05-07 |
| hxxp://107.189.19.55/ppc | offline | malware_download | 2026-05-07 |
| hxxp://107.189.19.55/arm6 | offline | malware_download | 2026-05-07 |
| hxxp://107.189.19.55/mips | offline | malware_download | 2026-05-07 |
| hxxp://107.189.19.55/arm7 | offline | malware_download | 2026-05-07 |
```kusto
// Hunt for DNS activity involving URLhaus malicious indicators
// Threat: elf
// The indicator is a bare IP address, which will rarely appear in the queried Name,
// so the resolved IPAddresses column is checked as well.
let malicious_domains = dynamic(["107.189.19.55"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to URLhaus malicious indicators
// Threat: elf
// DestinationIP is included because the indicator is an IP, not a hostname.
let malicious_domains = dynamic(["107.189.19.55"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is manually testing a new endpoint security tool by downloading a known-safe ELF file from a trusted internal repository.
  Filter/Exclusion: Exclude URLs that match internal repository domains (e.g., internal-repo.example.com) or files with known-safe hashes.
- Scenario: A scheduled job runs to update a package manager such as apt or yum, which temporarily downloads ELF binaries from official repositories (e.g., archive.ubuntu.com).
  Filter/Exclusion: Exclude URLs containing known package manager domains (e.g., archive.ubuntu.com, rpmfusion.org) or files with known package hashes.
- Scenario: A developer is using strace or gdb to debug a legitimate ELF binary, which results in temporary network activity or file access.
  Filter/Exclusion: Exclude processes associated with debugging tools (strace, gdb) or files with known debug symbols or source code paths.
- Scenario: A system is running a scheduled backup job using rsync or tar that temporarily downloads or extracts ELF binaries as part of a backup restore process.
  Filter/Exclusion: Exclude URLs or processes associated with backup tools (rsync, tar, backup-agent) or files with known backup-related file paths.
- Scenario: A security tool such as ClamAV or Sophos is performing a signature update, which includes downloading ELF binaries as part of its signature database.
  Filter/Exclusion: Exclude URLs that match known security tool update domains (e.g., clamav.net, sophos.com) or files with known signature hashes.
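The two hunts above and the false-positive exclusions in these scenarios, combined into one Sentinel query as an added example (not part of the original page). It assumes the same DnsEvents and CommonSecurityLog schemas the page uses; the refanged URL list is derived from the IOC table, and the allow-list values are taken from the scenarios and must be tuned to the environment.

```kusto
// Added example: single hunt over DNS and proxy/firewall telemetry for the
// URLhaus "elf" indicators, with exact-URL flagging and false-positive exclusions.
let lookback = 30d;
let malicious_ips = dynamic(["107.189.19.55"]);
// Refanged copies (hxxp -> http) of the seven URLhaus URLs from the IOC table,
// so a hit on an exact payload path stands out from other traffic to the IP.
let malicious_urls = dynamic([
    "http://107.189.19.55/x86_64", "http://107.189.19.55/m68k",
    "http://107.189.19.55/sh4",    "http://107.189.19.55/ppc",
    "http://107.189.19.55/arm6",   "http://107.189.19.55/mips",
    "http://107.189.19.55/arm7"]);
// Allow-listed domains from the false-positive scenarios (assumed values; tune per environment).
let allowlist_domains = dynamic([
    "internal-repo.example.com", "archive.ubuntu.com", "rpmfusion.org",
    "clamav.net", "sophos.com"]);
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_ips) or IPAddresses has_any (malicious_ips)
    | extend Source = "DnsEvents", Host = Computer, Indicator = Name, Detail = IPAddresses
    | project TimeGenerated, Source, Host, Indicator, Detail;
let web_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestURL has_any (malicious_ips)
        or DestinationHostName has_any (malicious_ips)
        or DestinationIP has_any (malicious_ips)
    // Drop requests to domains the false-positive scenarios treat as benign.
    | where not(DestinationHostName has_any (allowlist_domains))
    // Exact payload URLs are more actionable than generic traffic to the IP.
    | extend ExactIoc = RequestURL in (malicious_urls)
    | extend Source = "CommonSecurityLog", Host = SourceIP, Indicator = RequestURL,
             Detail = strcat(DeviceAction, iff(ExactIoc, " [exact URLhaus URL]", ""))
    | project TimeGenerated, Source, Host, Indicator, Detail;
// One row per host and data source, with every indicator it touched.
union dns_hits, web_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Indicators = make_set(Indicator), Details = make_set(Detail)
    by Host, Source
| order by LastSeen desc
```

Run it as a scheduled hunt over the lookback window; any row whose Details contain "[exact URLhaus URL]" indicates a request for one of the listed architecture-specific payloads and should be triaged first.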