The ThreatFox: Havoc IOCs rule detects potential adversary activity associated with the Havoc command-and-control framework by matching network telemetry against known indicators of compromise linked to its C2 infrastructure. SOC teams should proactively hunt for this activity in Microsoft Sentinel (formerly Azure Sentinel) to identify and mitigate intrusions that could evade signature-based detection.
IOC Summary
Malware Family: Havoc
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]134[.]139[.]176:8443 | botnet_cc | 2026-05-13 | 75% |
| ip:port | 194[.]33[.]48[.]221:8081 | botnet_cc | 2026-05-13 | 75% |
| ip:port | 94[.]198[.]51[.]234:443 | botnet_cc | 2026-05-12 | 75% |
```kql
// Hunt for network connections to known Havoc C2 IP:port pairs
// Source: ThreatFox - Havoc (the table above is defanged; the values here are refanged)
let malicious_ips = dynamic(["91.134.139.176", "194.33.48.221", "94.198.51.234"]);
let malicious_ports = dynamic([8443, 8081, 443]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// PortMatch flags the exact ip:port pair from ThreatFox; an IP-only hit still merits triage
| extend PortMatch = DestinationPort in (malicious_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["91.134.139.176", "194.33.48.221", "94.198.51.234"]);
let malicious_ports = dynamic([8443, 8081, 443]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend PortMatch = RemotePort in (malicious_ports)
// The initiating process and its command line are what you need to rule out the false positives listed below
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
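The IOC table above lists the indicators defanged and as ip:port pairs, while the hunting queries need refanged IPs and, ideally, the port as well. The following Python script is an added example, not part of the original page or of any ThreatFox tooling: it refangs and validates the three entries, emits a KQL datatable that can be pasted into a query, and runs the same IP-plus-port match over a few constructed log lines so the difference between an IP-only hit and an exact ip:port hit is visible. The function names (refang, parse_ip_port, to_kql, match_events), the key=value event format and the sample events are assumptions made for this example.

```python
import ipaddress

# The three indicators from the ThreatFox table above, in their defanged form.
HAVOC_IOCS = [
    "91[.]134[.]139[.]176:8443",
    "194[.]33[.]48[.]221:8081",
    "94[.]198[.]51[.]234:443",
]


def refang(value: str) -> str:
    """Reverse the usual defanging conventions ([.] [:] hxxp) so the value is machine-usable."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_ip_port(ioc: str) -> tuple:
    """Split an ip:port indicator into (ip, port), rejecting malformed entries.

    Feed bad data into a watchlist and every query built from it silently
    under-matches, so validation happens here rather than in the query.
    """
    ip, _, port = refang(ioc).rpartition(":")
    ipaddress.ip_address(ip)            # raises ValueError on anything that is not an IP
    p = int(port)
    if not 0 < p < 65536:
        raise ValueError(f"port out of range in indicator {ioc!r}")
    return ip, p


def to_kql(iocs) -> str:
    """Render the indicators as a KQL datatable(ip:string, port:int) literal."""
    rows = [parse_ip_port(i) for i in iocs]
    body = ",\n".join(f'    "{ip}", {port}' for ip, port in rows)
    return "let havoc_c2 = datatable(ip:string, port:int)[\n" + body + "\n];"


# Constructed sample events (hypothetical key=value flow records, not real telemetry).
# ws01 talks to a C2 on the listed port, ws02 to a listed IP on a different port,
# ws03 is benign DNS.
SAMPLE_EVENTS = [
    "2026-05-13T10:01:02Z host=ws01 src=10.0.0.5 dst=91.134.139.176 dpt=8443 proc=svchost.exe",
    "2026-05-13T10:02:02Z host=ws02 src=10.0.0.6 dst=94.198.51.234 dpt=80 proc=chrome.exe",
    "2026-05-13T10:03:02Z host=ws03 src=10.0.0.7 dst=8.8.8.8 dpt=53 proc=dns.exe",
]


def match_events(events, iocs) -> list:
    """Return one hit per event whose destination IP is a listed C2.

    'exact' is True only when the destination port also matches, mirroring the
    PortMatch column in the KQL queries above.
    """
    c2_pairs = {parse_ip_port(i) for i in iocs}
    c2_ips = {ip for ip, _ in c2_pairs}
    hits = []
    for line in events:
        # First token is the timestamp; everything after it is key=value.
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        dst = fields.get("dst")
        dpt = int(fields.get("dpt", 0))
        if dst in c2_ips:
            hits.append({
                "host": fields.get("host"),
                "dst": dst,
                "dpt": dpt,
                "proc": fields.get("proc"),
                "exact": (dst, dpt) in c2_pairs,
            })
    return hits


if __name__ == "__main__":
    print(to_kql(HAVOC_IOCS))
    for hit in match_events(SAMPLE_EVENTS, HAVOC_IOCS):
        print(hit)
```

The datatable form is preferable to a flat IP list once you care about ports: join it on `$left.DestinationIP == $right.ip` and compare `DestinationPort == port` to get the same exact-pair flag without re-typing the indicators in two separate dynamic arrays.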
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector; ensure it is enabled and that firewall or proxy logs are being forwarded |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; ensure it is enabled and Defender for Endpoint is onboarded |
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule if the command includes a path or argument that matches a known Havoc IOC.
Filter/Exclusion: Exclude processes where the command line includes rsync and the destination path is a known backup directory (e.g., /backup/ or /var/backups/).
Scenario: Admin Task Using tar for Archive Creation
Description: An administrator may use tar to create archives, which could include paths or arguments that match Havoc IOCs.
Filter/Exclusion: Exclude processes where the command line includes tar and the output file path is within a system archive directory (e.g., /var/archives/ or /root/backup/).
Scenario: Log Rotation Using logrotate
Description: The logrotate utility may generate commands that include paths or parameters resembling Havoc IOCs during log rotation tasks.
Filter/Exclusion: Exclude processes where the command line includes logrotate and the log file path is within a standard log directory (e.g., /var/log/ or /etc/logrotate.d/).
Scenario: Software Update Using apt or yum
Description: A package manager like apt or yum may execute commands that include paths or arguments matching Havoc IOCs during an update or install process.
Filter/Exclusion: Exclude processes where the command line includes apt or yum and the package name or path is a known system package (e.g., apt install with package names like nginx, apache2, etc.).
Scenario: Database Backup Using mysqldump
Description: A database administrator may use