The ThreatFox: Havoc IOCs rule detects potential adversary activity associated with the Havoc malware family, leveraging known indicators of compromise to identify malicious behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that may be leveraging Havoc for data exfiltration or command and control operations.
IOC Summary
Malware Family: Havoc
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 62[.]171[.]190[.]148:443 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 31[.]57[.]201[.]105:443 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 2[.]26[.]96[.]209:8080 | botnet_cc | 2026-05-12 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Havoc
let malicious_ips = dynamic(["31.57.201.105", "62.171.190.148", "2.26.96.209"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["31.57.201.105", "62.171.190.148", "2.26.96.209"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
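As an added example (it is not part of the ThreatFox feed or of the Sentinel rule above), the following Python shows how to refang the defanged ip:port indicators from the IOC table, generate the `let malicious_ips = dynamic([...])` line used by both queries so the list is never retyped by hand, and run the same match against a few constructed DeviceNetworkEvents-style records. The KQL above compares IP only; because the ThreatFox entries are ip:port pairs, the matcher can also require the port to agree, which trims hits on shared hosts. Column names follow the DeviceNetworkEvents schema used in the query; the sample rows, device names and process names are constructed.

```python
from __future__ import annotations

import re

# Defanged ip:port indicators exactly as listed in the ThreatFox table on this page.
DEFANGED_IOCS = [
    "62[.]171[.]190[.]148:443",
    "31[.]57[.]201[.]105:443",
    "2[.]26[.]96[.]209:8080",
]

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared with live telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc(indicator: str) -> tuple[str, int]:
    """Split a (possibly defanged) 'ip:port' indicator into a validated (ip, port) pair."""
    ip, sep, port = refang(indicator).rpartition(":")
    if not sep or not IPV4_RE.fullmatch(ip) or not port.isdigit():
        raise ValueError(f"not an ip:port indicator: {indicator!r}")
    return ip, int(port)


IOC_PAIRS = {parse_ioc(i) for i in DEFANGED_IOCS}   # {("62.171.190.148", 443), ...}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}               # IP-only view, as the KQL uses


def kql_let_line(name: str = "malicious_ips") -> str:
    """Render the 'let' statement for the Sentinel queries from the parsed indicators."""
    quoted = ", ".join(f'"{ip}"' for ip in sorted(IOC_IPS))
    return f"let {name} = dynamic([{quoted}]);"


# Constructed DeviceNetworkEvents-style rows (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-13T08:01:10Z", "DeviceName": "ws-finance-07",
     "RemoteIP": "62.171.190.148", "RemotePort": 443,
     "InitiatingProcessFileName": "powershell.exe", "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2026-05-13T08:02:44Z", "DeviceName": "srv-web-02",
     "RemoteIP": "31.57.201.105", "RemotePort": 8443,   # same host, different port
     "InitiatingProcessFileName": "w3wp.exe", "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2026-05-13T08:03:05Z", "DeviceName": "ws-hr-12",
     "RemoteIP": "2.26.96.209", "RemotePort": 8080,
     "InitiatingProcessFileName": "rundll32.exe", "ActionType": "ConnectionSuccess"},
    {"Timestamp": "2026-05-13T08:03:30Z", "DeviceName": "ws-hr-12",
     "RemoteIP": "8.8.8.8", "RemotePort": 53,
     "InitiatingProcessFileName": "svchost.exe", "ActionType": "ConnectionSuccess"},
]


def match_events(events: list[dict], require_port: bool = True) -> list[dict]:
    """Return events whose RemoteIP (and RemotePort, if required) hits a Havoc IOC.

    require_port=False reproduces the IP-only logic of the KQL queries above;
    require_port=True only fires when the ip:port pair matches the feed entry.
    """
    hits = []
    for ev in events:
        key = (ev["RemoteIP"], int(ev["RemotePort"]))
        if key in IOC_PAIRS or (not require_port and ev["RemoteIP"] in IOC_IPS):
            hits.append(ev)
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


if __name__ == "__main__":
    print(kql_let_line())
    for hit in match_events(SAMPLE_EVENTS):
        print(f'{hit["Timestamp"]} {hit["DeviceName"]} {hit["InitiatingProcessFileName"]} '
              f'-> {hit["RemoteIP"]}:{hit["RemotePort"]}')
```

Run with `require_port=False` to see the third, port-mismatched connection appear; keeping the port check is the safer default for a feed whose entries carry a port, and the IP-only result set is what the Sentinel queries return.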
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule if the command includes a suspicious-looking argument that matches a Havoc IOC.
Filter/Exclusion: Exclude processes where the command line includes rsync and the destination path is within a known backup directory (e.g., /backup/ or /var/backups/).
Scenario: Admin Task Using systemd-timedatectl
Description: An administrator may run systemd-timedatectl to adjust system time, which could include arguments that resemble Havoc IOCs.
Filter/Exclusion: Exclude processes where the command line includes systemd-timedatectl and the argument is related to time settings (e.g., --set-time, --set-timezone).
Scenario: Log Rotation Using logrotate
Description: The logrotate utility may generate commands that include paths or arguments matching Havoc IOCs during routine log rotation tasks.
Filter/Exclusion: Exclude processes where the command line includes logrotate and the configuration file path is within the standard /etc/logrotate.d/ directory.
Scenario: Database Maintenance Using pg_dump
Description: A database administrator may use pg_dump to back up PostgreSQL databases, and the command line may include paths or options that match Havoc IOCs.
Filter/Exclusion: Exclude processes where the command line includes pg_dump and the destination path is within a known database backup directory (e.g., /var/lib/postgresql/backups/).
Scenario: Network Configuration Using nmcli
Description: Network manager commands like nmcli may be used to configure network interfaces, and the command line may include arguments that