← Back to SOC feed Coverage →

URLhaus: elf Malicious URLs

ioc-hunt HIGH URLhaus
CommonSecurityLogDnsEvents
iocurlhaus
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at URLhaus →
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

Hunt package for 5 malicious URLs tagged as elf

IOC Summary

Threat: elf Total URLs: 5 Active URLs: 5

URLStatusThreatDate Added
hxxp://45.135.194.27/arm7onlinemalware_download2026-03-19
hxxp://45.135.194.27/mipsonlinemalware_download2026-03-19
hxxp://45.135.194.27/arm5onlinemalware_download2026-03-19
hxxp://45.135.194.27/mpslonlinemalware_download2026-03-19
hxxp://45.135.194.27/arm4onlinemalware_download2026-03-19

KQL: Url Dns Hunt

// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
let malicious_domains = dynamic(["45.135.194.27"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc

KQL: Url Proxy Hunt

// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["45.135.194.27"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled
DnsEventsEnsure this data connector is enabled

References

Original source: https://urlhaus.abuse.ch/