Adversaries may be using the malicious URLs tagged "elf" by URLhaus to deliver payloads or exfiltrate data, leveraging compromised or phishing-based infrastructure to compromise endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential command-and-control or data exfiltration activity early.
IOC Summary

- Threat: elf
- Total URLs: 8
- Active URLs: 8
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.188/2s3dkw7s/ljwqgms.x86_64 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/iovmytx.i586 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/einqgiy.mips64 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/znebtbj.i686 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/nbhpcpg.mips | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/lduhsjo.i486 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/tpprwsu.ppc | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/edykljw.mpsl | online | malware_download | 2026-05-21 |
Run the two queries separately: each declares its own `malicious_domains`, and a single batch with two identical `let` statements fails to compile.

```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
// The elf IOCs above sit on a bare IP address, so the queried Name alone will
// rarely match; the resolved IPAddresses column is checked as well.
let malicious_domains = dynamic(["176.65.139.188"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: elf
// DestinationIP is checked too, because the IOC host is an IP rather than a name.
let malicious_domains = dynamic(["176.65.139.188"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is manually testing a new URL filtering tool by entering known benign URLs into a test environment.
  Filter/Exclusion: Exclude URLs that match the internal test URL list or any URLs containing the string test-url-.
- Scenario: A scheduled job runs to update a software repository and downloads a package from a known secure source, which includes a file with the .elf extension.
  Filter/Exclusion: Exclude URLs that match the internal software repository domain or any URLs containing the string software-repo.
- Scenario: A user is performing a system cleanup and uses a tool like find or rm to delete old files, which temporarily generates a file with an .elf extension.
  Filter/Exclusion: Exclude processes associated with the find or rm commands, or filter by process names like find, rm, or clean-up-script.
- Scenario: A DevOps pipeline is deploying a container image that includes a binary file with an .elf extension as part of the build process.
  Filter/Exclusion: Exclude URLs that match the internal CI/CD pipeline domain or any URLs containing the string ci-pipeline or build-artifact.
- Scenario: An endpoint protection tool is scanning a user’s local file system and identifies a legitimate .elf file as suspicious due to its file type.
  Filter/Exclusion: Exclude files with the .elf extension that are located in known safe directories like /usr/bin or /opt, or filter by file paths containing system or bin.
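The following is an added example, not code from the original hunt page or from URLhaus. It covers both the two Sentinel queries above and the exclusion scenarios: it parses the IOC table, runs the DNS and web hunts over constructed records shaped like the DnsEvents and CommonSecurityLog columns, and then applies the allow-list exclusions. It goes beyond the page's queries in one labelled way, flagging any `.elf` download as a weaker signal, because that broader signal is what the exclusion scenarios describe. The internal host names (`software-repo.corp.example`, `ci-pipeline.corp.example`), all log records, and the assumption that `IPAddresses` is a comma- or semicolon-separated string are constructed for this example.

```python
"""Added example (not the hunt page's or URLhaus's code): run the 'elf' IOC table
against constructed DNS/proxy records, then apply the page's exclusion scenarios."""
import json
from urllib.parse import urlsplit

# The eight rows of the IOC table above, defanged (hxxp://) as URLhaus publishes them.
IOC_TABLE = """\
| hxxp://176.65.139.188/2s3dkw7s/ljwqgms.x86_64 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/iovmytx.i586 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/einqgiy.mips64 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/znebtbj.i686 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/nbhpcpg.mips | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/lduhsjo.i486 | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/tpprwsu.ppc | online | malware_download | 2026-05-21 |
| hxxp://176.65.139.188/2s3dkw7s/edykljw.mpsl | online | malware_download | 2026-05-21 |
"""

# Constructed allow-list standing in for the "internal software repository" and
# "CI/CD pipeline" domains of the scenarios, plus the substring markers they name.
INTERNAL_HOSTS = {"software-repo.corp.example", "ci-pipeline.corp.example"}
EXCLUSION_MARKERS = ("test-url-", "software-repo", "ci-pipeline", "build-artifact")


def refang(url):
    """Turn a defanged URLhaus entry (hxxp://, hxxps://) back into a real scheme."""
    for bad, good in (("hxxps://", "https://"), ("hxxp://", "http://")):
        if url.lower().startswith(bad):
            return good + url[len(bad):]
    return url


def parse_iocs(table):
    """Parse the markdown IOC table into (host set, full-URL set)."""
    hosts, urls = set(), set()
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not cells[0].lower().startswith("hxxp"):
            continue
        url = refang(cells[0])
        urls.add(url)
        hosts.add(urlsplit(url).hostname)
    return hosts, urls


def hunt_dns(records, hosts):
    """Mirror the DnsEvents query. The IOC host is a bare IP, so the queried Name
    rarely matches; the resolved IPAddresses field (assumed ','/';'-separated) does."""
    hits = []
    for r in records:
        resolved = {ip.strip() for ip in r.get("IPAddresses", "").replace(";", ",").split(",")}
        if r["Name"] in hosts or resolved & hosts:
            hits.append(r)
    return hits


def hunt_web(records, hosts, urls):
    """Mirror the CommonSecurityLog query and tag each hit with a reason. Beyond the
    page's query (assumption), any '.elf' download is flagged as a weaker signal."""
    hits = []
    for r in records:
        url = r.get("RequestURL", "")
        parts = urlsplit(url)
        if (parts.hostname in hosts or r.get("DestinationHostName") in hosts
                or r.get("DestinationIP") in hosts):
            reason = "urlhaus_url" if url in urls else "urlhaus_host"
        elif parts.path.lower().endswith(".elf"):
            reason = "elf_download"
        else:
            continue
        hits.append({**r, "reason": reason})
    return hits


def apply_exclusions(hits):
    """Apply the scenario allow-lists to the weak 'elf_download' hits only: a request
    to a URLhaus host is never allow-listed away by a marker in its path, since the
    attacker controls that path (design choice of this example)."""
    kept = []
    for h in hits:
        url = h["RequestURL"]
        host = urlsplit(url).hostname or ""
        if h["reason"] == "elf_download" and (
                host in INTERNAL_HOSTS or any(m in url for m in EXCLUSION_MARKERS)):
            continue
        kept.append(h)
    return kept


# Constructed records: a benign lookup and one resolving to the IOC IP; an exact IOC
# download, an internal-repo .elf, an IOC path containing "software-repo", and an
# external .elf with no allow-list match.
DNS_RECORDS = [json.loads(s) for s in (
    '{"TimeGenerated":"2026-05-21T10:01:00Z","Computer":"ws-17","Name":"updates.example.net","IPAddresses":"203.0.113.10"}',
    '{"TimeGenerated":"2026-05-21T10:02:00Z","Computer":"ws-17","Name":"cdn.attacker.example","IPAddresses":"176.65.139.188"}',
)]
WEB_RECORDS = [json.loads(s) for s in (
    '{"TimeGenerated":"2026-05-21T10:02:05Z","SourceIP":"10.0.0.17","RequestURL":"http://176.65.139.188/2s3dkw7s/nbhpcpg.mips","DestinationHostName":"176.65.139.188","DestinationIP":"176.65.139.188","DeviceAction":"allow"}',
    '{"TimeGenerated":"2026-05-21T10:03:00Z","SourceIP":"10.0.0.42","RequestURL":"https://software-repo.corp.example/pool/agent.elf","DestinationHostName":"software-repo.corp.example","DestinationIP":"10.20.0.5","DeviceAction":"allow"}',
    '{"TimeGenerated":"2026-05-21T10:04:00Z","SourceIP":"10.0.0.17","RequestURL":"http://176.65.139.188/software-repo/payload.elf","DestinationHostName":"176.65.139.188","DestinationIP":"176.65.139.188","DeviceAction":"allow"}',
    '{"TimeGenerated":"2026-05-21T10:05:00Z","SourceIP":"10.0.0.9","RequestURL":"http://downloads.vendor.example/firmware/update.elf","DestinationHostName":"downloads.vendor.example","DestinationIP":"198.51.100.7","DeviceAction":"allow"}',
)]


def run_hunt():
    """Return (dns_hits, web_hits) after exclusions, newest first like the queries."""
    hosts, urls = parse_iocs(IOC_TABLE)
    dns_hits = sorted(hunt_dns(DNS_RECORDS, hosts), key=lambda h: h["TimeGenerated"], reverse=True)
    web_hits = sorted(apply_exclusions(hunt_web(WEB_RECORDS, hosts, urls)),
                      key=lambda h: h["TimeGenerated"], reverse=True)
    return dns_hits, web_hits


if __name__ == "__main__":
    dns_hits, web_hits = run_hunt()
    for h in dns_hits + web_hits:
        print(h["TimeGenerated"], h.get("reason", "dns_resolution"), h.get("Name") or h["RequestURL"])
```

Two points carry over to the real Sentinel queries. First, the internal-repo `.elf` download is suppressed by the allow-list while the IOC download whose path happens to contain `software-repo` is still reported: a substring exclusion should only ever apply to traffic whose host is on the internal list, never to a host that is itself an IOC. Second, because the IOC is an IP address rather than a domain, the DNS hunt only finds the malicious resolution through the resolved-address field, which is why the query checks `IPAddresses` alongside `Name`.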