The hypothesis is that the detected URLs serve malicious ELF binaries used to deliver payloads or execute arbitrary code on compromised Linux or embedded systems (the mips, mpsl and x86 paths point to builds for several CPU architectures). SOC teams should proactively hunt for these URLs and hosts in Azure Sentinel to identify and mitigate potential command-and-control communication or initial compromise vectors.
IOC Summary

Threat: elf
Total URLs: 4
Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://92.42.100.131/meow/mpsl | online | malware_download | 2026-05-19 |
| hxxp://92.42.100.131/meow/mips | online | malware_download | 2026-05-19 |
| hxxp://92.42.100.131/meow/x86 | online | malware_download | 2026-05-19 |
| hxxp://220.158.232.160/mips | online | malware_download | 2026-05-19 |
```kql
// Hunt for DNS resolution of URLhaus malicious hosts
// Threat: elf
// The IOCs are bare IP addresses, so match them against the resolved
// addresses (IPAddresses) as well as the queried name.
let malicious_domains = dynamic(["92.42.100.131", "220.158.232.160"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious hosts
// Also match the destination IP, since the IOCs are IP addresses
// and a direct connection leaves no hostname.
let malicious_domains = dynamic(["92.42.100.131", "220.158.232.160"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Known false-positive scenarios and suggested exclusions

- Scenario: A system administrator is manually testing a new URL shortening service by generating and accessing a few legitimate .elf files for internal validation.
  - Filter/Exclusion: Exclude URLs containing the string internal-test or dev- in the domain.
- Scenario: A scheduled job runs a script that downloads a .elf file from a known internal repository to update a local toolchain or build environment.
  - Filter/Exclusion: Exclude URLs that match the internal artifact repository domain (e.g., artifactory.internal.company.com).
- Scenario: A developer is using a CI/CD pipeline to build a container image, and the build process temporarily downloads a .elf file from a trusted registry as part of a dependency.
  - Filter/Exclusion: Exclude URLs that contain registry.hub.docker.com or registry.company.com and are part of a known CI/CD tool (e.g., Jenkins, GitLab CI).
- Scenario: A security team member is performing a red team exercise and uses a legitimate .elf file as part of a controlled simulation to test network defenses.
  - Filter/Exclusion: Exclude URLs that match the red team testing domain (e.g., redteam.lab.company.net) or include the query parameter ?simulate=true.
- Scenario: A system is running a scheduled backup job that temporarily accesses a .elf file from a cloud storage bucket (e.g., AWS S3) to restore a configuration.
  - Filter/Exclusion: Exclude URLs that contain s3.amazonaws.com or backup- in the bucket name, and are associated with known backup tools (e.g., AWS Backup, Veeam).
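The following query is an added example, not part of the original hunting content: it combines the CommonSecurityLog hunt above with the exclusion patterns from the scenarios in a single query. The IOC hosts come from the table on this page; the exclusion strings (internal-test, dev-, artifactory.internal.company.com, the registry hosts, redteam.lab.company.net, simulate=true, s3.amazonaws.com, backup-) are the placeholders named in the scenarios and are assumed to be replaced with the real domains of the environment being hunted.

```kql
// Added example: URLhaus ELF hunt with the scenario exclusions applied.
// IOC hosts from the IOC Summary table on this page.
let malicious_hosts = dynamic(["92.42.100.131", "220.158.232.160"]);
// Exclusion patterns taken from the false-positive scenarios (placeholder
// names; substitute the real internal domains). A single case-insensitive
// regex is used because KQL's has_any matches whole terms, so a pattern
// such as "dev-" or "backup-" would otherwise match any "dev" or "backup" term.
let excluded_url_regex = @"(?i)(internal-test|dev-|artifactory\.internal\.company\.com|registry\.hub\.docker\.com|registry\.company\.com|redteam\.lab\.company\.net|simulate=true|s3\.amazonaws\.com|backup-)";
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP in (malicious_hosts)
// Drop the known benign patterns; keep a separate count of what was
// suppressed so exclusions can be reviewed rather than silently trusted.
| extend Excluded = RequestURL matches regex excluded_url_regex
| summarize
    Hits = countif(not(Excluded)),
    Suppressed = countif(Excluded),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Urls = make_set(RequestURL, 20),
    Actions = make_set(DeviceAction, 10)
    by SourceIP, DestinationIP, DestinationHostName
| where Hits > 0
| order by LastSeen desc
```

Because the IOCs on this page are raw IP addresses, a connection that matches on DestinationIP alone carries no hostname for the exclusion patterns to match, so such hits survive the filter unless the URL string itself contains one of the patterns; that is the intended behaviour, since none of the scenarios describes legitimate traffic to these addresses. The Suppressed column makes it visible how much the exclusions are removing per source host, which is worth checking before the exclusions are trusted in a scheduled analytics rule.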