This hunt hypothesis covers adversaries using malicious URLs that URLhaus tags as elf, meaning URLs that serve Linux ELF executables, to drop a payload, exfiltrate data or establish command and control. Every URL listed below is a bare IP:port with the path /i and the threat type malware_download, the shape of a download stage that fetches a binary onto a compromised Linux host rather than a beacon to a domain. SOC teams should proactively hunt for this traffic in Azure Sentinel (now Microsoft Sentinel) to identify and mitigate payload delivery, data breaches and lateral movement attempts.
IOC Summary
Threat: elf | Total URLs: 28 | Active URLs: 13 (the table below lists 25 of the 28: 13 online, 12 offline, 21 unique IP addresses; 47.111.109.74 appears on four ports and 162.248.101.153 on two)
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://103.113.106.117:25795/i | online | malware_download | 2026-05-20 |
| hxxp://203.76.108.6:62336/i | online | malware_download | 2026-05-20 |
| hxxp://103.210.123.113:27350/i | online | malware_download | 2026-05-20 |
| hxxp://190.183.254.69:9578/i | online | malware_download | 2026-05-20 |
| hxxp://182.23.87.242:48272/i | online | malware_download | 2026-05-20 |
| hxxp://59.3.108.87:12841/i | online | malware_download | 2026-05-20 |
| hxxp://14.35.13.228:29555/i | online | malware_download | 2026-05-20 |
| hxxp://65.186.8.21:38428/i | offline | malware_download | 2026-05-20 |
| hxxp://183.109.132.168:1103/i | online | malware_download | 2026-05-20 |
| hxxp://212.51.156.55:55080/i | online | malware_download | 2026-05-20 |
| hxxp://181.225.67.10:4849/i | online | malware_download | 2026-05-20 |
| hxxp://43.229.20.247:2874/i | offline | malware_download | 2026-05-20 |
| hxxp://112.78.191.254:57162/i | online | malware_download | 2026-05-20 |
| hxxp://95.43.75.2:19117/i | offline | malware_download | 2026-05-20 |
| hxxp://211.203.168.162:3974/i | online | malware_download | 2026-05-20 |
| hxxp://211.51.122.95:26075/i | offline | malware_download | 2026-05-20 |
| hxxp://162.248.101.153:7011/i | offline | malware_download | 2026-05-20 |
| hxxp://79.117.51.134:58647/i | online | malware_download | 2026-05-20 |
| hxxp://47.111.109.74:8884/i | offline | malware_download | 2026-05-20 |
| hxxp://47.111.109.74:8882/i | offline | malware_download | 2026-05-20 |
| hxxp://47.111.109.74:8880/i | offline | malware_download | 2026-05-20 |
| hxxp://162.248.101.153:7001/i | offline | malware_download | 2026-05-20 |
| hxxp://45.198.224.42:88/i | offline | malware_download | 2026-05-20 |
| hxxp://176.100.36.247:8084/i | offline | malware_download | 2026-05-20 |
| hxxp://47.111.109.74:8886/i | offline | malware_download | 2026-05-20 |
// Hunt 1: DNS telemetry for the URLhaus "elf" indicators
// The indicators are bare IP:port URLs, so a host that fetches the payload by IP literal
// generates no DNS query for them. Match on the resolved answers instead: any hostname
// that resolves to a listed IP is a hit. The list holds the 13 hosts marked online in the
// table above; add the offline ones when hunting over historical data, since a host that
// is offline today may have been serving the payload when the log line was written.
let malicious_ips = dynamic(["181.225.67.10", "112.78.191.254", "212.51.156.55", "79.117.51.134", "103.210.123.113", "14.35.13.228", "190.183.254.69", "182.23.87.242", "59.3.108.87", "103.113.106.117", "183.109.132.168", "203.76.108.6", "211.203.168.162"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc

// Hunt 2: proxy and firewall traffic (CEF in CommonSecurityLog) to the same hosts
// DestinationIP gives an exact match; RequestURL and DestinationHostName catch proxies
// that log the URL but not the resolved address. DestinationPort is projected so that a
// hit can be checked against the port in the table above before it is escalated.
let malicious_ips = dynamic(["181.225.67.10", "112.78.191.254", "212.51.156.55", "79.117.51.134", "103.210.123.113", "14.35.13.228", "190.183.254.69", "182.23.87.242", "59.3.108.87", "103.113.106.117", "183.109.132.168", "203.76.108.6", "211.203.168.162"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by CEF-format forwarding from firewalls and proxies; ensure a CEF data connector is enabled and that the devices log destination IP, port and URL |
| DnsEvents | Populated by the DNS connector on Windows DNS servers; ensure it is enabled and covers the resolvers your Linux hosts actually use, otherwise Hunt 1 sees nothing |
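The queries above paste the online IP addresses in by hand. As an added example (not code from the original page or from URLhaus), the script below parses the defanged IOC table into exact ip/port/path indicators, emits the KQL `let` line for the Sentinel queries, and runs the indicators over a handful of constructed CommonSecurityLog-shaped records. It shows two things the table alone does not: an offline indicator still matches in historical logs, and exact IP:port matching neither misses a listed host seen on an unlisted port nor fires on a longer address such as 159.3.108.87 the way a substring check on 59.3.108.87 would. The sample table rows are copied from the page; the log records are constructed for the example.

```python
import re
from collections import defaultdict, namedtuple

Indicator = namedtuple("Indicator", "ip port path status")

# Defanged URLhaus rows copied from the table above (a subset, same format).
SAMPLE_TABLE = """
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://103.113.106.117:25795/i | online | malware_download | 2026-05-20 |
| hxxp://59.3.108.87:12841/i | online | malware_download | 2026-05-20 |
| hxxp://65.186.8.21:38428/i | offline | malware_download | 2026-05-20 |
| hxxp://47.111.109.74:8884/i | offline | malware_download | 2026-05-20 |
| hxxp://47.111.109.74:8882/i | offline | malware_download | 2026-05-20 |
"""

# hxxp:// is the defanged form of http://; all listed URLs are IPv4:port with an optional path.
URL_RE = re.compile(r"^hxxps?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(/\S*)?$")


def parse_ioc_table(text):
    """Parse the defanged markdown table into Indicator(ip, port, path, status) tuples."""
    out = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        m = URL_RE.match(cells[0])
        if not m:
            continue  # header row, separator row, or a URL that is not IP:port form
        out.append(Indicator(m.group(1), int(m.group(2)), m.group(3) or "/", cells[1]))
    return out


def unique_ips(indicators, include_offline=True):
    """Deduplicate IPs in table order. Offline hosts stay in by default: a host that is
    offline today may have been serving the payload when the log lines were written."""
    seen = []
    for ind in indicators:
        if not include_offline and ind.status != "online":
            continue
        if ind.ip not in seen:
            seen.append(ind.ip)
    return seen


def kql_dynamic(name, values):
    """Emit the KQL `let` line used by the Sentinel hunt queries."""
    items = ", ".join('"' + v + '"' for v in values)
    return f"let {name} = dynamic([{items}]);"


def index_by_ip(indicators):
    by_ip = defaultdict(list)
    for ind in indicators:
        by_ip[ind.ip].append(ind)
    return by_ip


def classify(record, by_ip):
    """Exact destination IP:port is the strongest signal; a listed IP on an unlisted port
    is still worth review (the table shows one host serving on four different ports)."""
    hits = by_ip.get(record["DestinationIP"])
    if not hits:
        return "no_match"
    if any(h.port == int(record["DestinationPort"]) for h in hits):
        return "exact"
    return "ip_only"


def naive_substring_hit(record, ips):
    """What a grep-style substring check does; it also fires on 159.3.108.87."""
    return any(ip in record["RequestURL"] for ip in ips)


def hunt(records, indicators):
    by_ip = index_by_ip(indicators)
    return [classify(r, by_ip) for r in records]


# Constructed CommonSecurityLog-shaped records for the example, not real telemetry.
SAMPLE_RECORDS = [
    {"SourceIP": "10.20.0.15", "DestinationIP": "103.113.106.117", "DestinationPort": 25795,
     "RequestURL": "http://103.113.106.117:25795/i", "DeviceAction": "allow"},
    {"SourceIP": "10.20.0.16", "DestinationIP": "47.111.109.74", "DestinationPort": 8888,
     "RequestURL": "http://47.111.109.74:8888/i", "DeviceAction": "allow"},
    {"SourceIP": "10.20.0.17", "DestinationIP": "65.186.8.21", "DestinationPort": 38428,
     "RequestURL": "http://65.186.8.21:38428/i", "DeviceAction": "deny"},
    {"SourceIP": "10.20.0.18", "DestinationIP": "159.3.108.87", "DestinationPort": 80,
     "RequestURL": "http://159.3.108.87/index.html", "DeviceAction": "allow"},
    {"SourceIP": "10.20.0.19", "DestinationIP": "10.0.0.5", "DestinationPort": 443,
     "RequestURL": "https://10.0.0.5/", "DeviceAction": "allow"},
]

if __name__ == "__main__":
    iocs = parse_ioc_table(SAMPLE_TABLE)
    print(kql_dynamic("malicious_ips", unique_ips(iocs)))
    for rec, verdict in zip(SAMPLE_RECORDS, hunt(SAMPLE_RECORDS, iocs)):
        print(f'{verdict:9} {rec["SourceIP"]} -> {rec["DestinationIP"]}:{rec["DestinationPort"]} ({rec["DeviceAction"]})')
```

Run it against the full table to get all 21 unique addresses for the `let` line; the deny on 65.186.8.21 is still an `exact` hit and should be triaged, because the blocked request tells you which internal host tried to fetch the binary.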
False Positive Scenarios
Both hunt queries match on network telemetry (resolved DNS answers and proxy or firewall destinations), so the scenarios below only apply where an indicator string turns up inside a log field that was written by a legitimate process. A real connection from an internal host to one of the listed IP:port pairs is not a false positive and must never be excluded. Note that "elf" is the URLhaus tag for Linux ELF binaries, not a tool; the scenarios describe legitimate jobs that handle such binaries or that write logs and metadata in which the indicator strings can appear.
Scenario: Scheduled System Backup Job Handling ELF Binaries
Description: A legitimate scheduled backup job archives and compresses system files, ELF binaries included, and its file listings or archive metadata may contain URL strings that match the indicators.
Filter/Exclusion: Exclude matches produced by backup jobs scheduled via cron or systemd timers that read from known backup directories. Key the exclusion on the job's source host and its backup destination, not on the indicator list.
Scenario: Admin Task to Generate Diagnostics Reports
Description: An administrator runs a script that collects system diagnostics or performance reports, and the output or logs may include URL strings that match the indicators.
Filter/Exclusion: Exclude matches originating from admin scripts executed via bash or sh from the /opt/admin_tools/ directory.
Scenario: CI/CD Pipeline Packaging ELF Artifacts
Description: A CI/CD pipeline packages application artifacts, including compiled ELF binaries, and the build metadata or configuration files may include URL strings that match the indicators.
Filter/Exclusion: Exclude matches from build processes running under /var/lib/jenkins/ that belong to known CI/CD pipelines such as Jenkins or GitLab CI.
Scenario: Log Aggregation Compressing and Forwarding Logs
Description: A log aggregation system compresses and transfers logs, and the forwarded log files or their metadata may contain the indicator strings (for instance earlier proxy or DNS log lines that already recorded a hit).
Filter/Exclusion: Exclude matches from log compression and transfer tasks executed by logrotate or rsyslog against the /var/log/ directory.
Scenario: Internal Monitoring Tool Exporting Data
Description: An internal monitoring tool exports data to a central repository, and the export configuration or metadata may include URL strings that match the indicators.
Filter/Exclusion: Exclude URLs from