This hunt hypothesis covers adversaries using malicious URLs associated with the elf malware family to exfiltrate data or establish command and control. The URLs listed below are malware download locations; the file names (sh4, m68k, ppc, x86, sparc, mips, mpsl, powerpc, i686) indicate ELF payloads built for several CPU architectures. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data breaches and lateral movement attempts.
IOC Summary

Threat: elf
Total URLs: 14
Active URLs: 14
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://103.77.246.173:8888/nerv.sh4 | online | malware_download | 2026-05-08 |
| hxxp://103.77.246.173:8888/nerv.m68k | online | malware_download | 2026-05-08 |
| hxxp://103.77.246.173:8888/nerv.ppc | online | malware_download | 2026-05-08 |
| hxxp://103.77.246.173:8888/nerv.x86 | online | malware_download | 2026-05-08 |
| hxxp://103.77.246.173:8888/nerv.x86_32 | online | malware_download | 2026-05-08 |
| hxxp://103.77.246.173:8888/nerv.x86_64 | online | malware_download | 2026-05-08 |
| hxxp://103.77.246.173:8888/nerv.sparc | online | malware_download | 2026-05-08 |
| hxxp://103.77.246.173:8888/nerv.mips | online | malware_download | 2026-05-08 |
| hxxp://103.77.246.173:8888/nerv.mpsl | online | malware_download | 2026-05-08 |
| hxxp://176.65.139.11/bot.powerpc | online | malware_download | 2026-05-08 |
| hxxp://176.65.139.11/bot.i686 | online | malware_download | 2026-05-08 |
| hxxp://176.65.139.11/bot.m68k | online | malware_download | 2026-05-08 |
| hxxp://176.65.139.11/bot.i586 | online | malware_download | 2026-05-08 |
| hxxp://176.65.139.11/bot.x86_64 | online | malware_download | 2026-05-08 |
```kusto
// Hunt for DNS activity involving URLhaus malicious hosts
// Threat: elf
// The indicators are IP literals, so a query name alone will rarely match;
// check the resolved answers (IPAddresses) as well as the queried name.
let malicious_domains = dynamic(["103.77.246.173", "176.65.139.11"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: elf
// Match the URL, the destination host name and the destination IP column,
// since proxy/firewall logs often populate only one of them.
let malicious_domains = dynamic(["103.77.246.173", "176.65.139.11"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP in (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DestinationPort, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL filtering tool by accessing a known safe ELF file from a trusted source.
Filter/Exclusion: Exclude URLs that match the internal testing domain or include a specific query parameter like ?test=true.

Scenario: A scheduled job runs a nightly backup process that downloads a script file (.elf) from an internal artifact repository for deployment.
Filter/Exclusion: Exclude URLs that originate from internal artifact repositories (e.g., artifactory.internal.com) or match a known backup tool name (e.g., backup_script_elf.sh).

Scenario: A developer is using a CI/CD pipeline to build a container image, and the build process temporarily downloads an ELF binary from a public registry for testing.
Filter/Exclusion: Exclude URLs that contain the substring ci-cd or match the registry domain (e.g., registry.hub.docker.com).

Scenario: An IT admin is performing a system cleanup and uses a script to remove old ELF files from a server, which temporarily accesses a local file path as a URL in a log.
Filter/Exclusion: Exclude URLs that start with file:// or match internal file system paths (e.g., /var/log/elf_cleanup.log).

Scenario: A security tool (e.g., CrowdStrike Falcon) is configured to download a signature update file in ELF format from a known secure endpoint.
Filter/Exclusion: Exclude URLs that match the endpoint used by the security tool (e.g., falcon.sig.update.example.com) or contain the string signature_update.
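The following Python script is an added example, not part of the original hunt page or of URLhaus, that lets an analyst dry-run the logic of the two hunt queries and the exclusions above against proxy log lines offline before committing them to Sentinel. It refangs the hxxp:// indicators from the IOC table, derives the same host list the queries use, applies the substring match that KQL's has_any performs over the URL field, and then applies the false-positive exclusions. All log lines, the urlfilter-test.internal.com testing domain and the remote-cache path are constructed; the other domains are the placeholders named in the scenarios. One deliberate tightening of the page's wording: the ?test=true parameter is honoured only on the internal testing domain, because anything in a query string is under the requester's control and should not by itself suppress a match on a known-bad host.

```python
"""Offline dry-run of the elf URLhaus hunt logic and its exclusions (added example)."""
import re
from urllib.parse import urlsplit

# Subset of the page's IOC table, kept defanged as URLhaus publishes it.
IOC_URLS = [
    "hxxp://103.77.246.173:8888/nerv.x86",
    "hxxp://103.77.246.173:8888/nerv.mips",
    "hxxp://176.65.139.11/bot.x86_64",
    "hxxp://176.65.139.11/bot.i686",
]

# Exclusions from the false-positive scenarios. Domains are placeholders; the
# testing domain is a hypothetical value introduced for this example.
INTERNAL_SOURCES = ("artifactory.internal.com", "registry.hub.docker.com",
                    "falcon.sig.update.example.com")
INTERNAL_TEST_DOMAIN = "urlfilter-test.internal.com"
EXCLUDED_SUBSTRINGS = ("ci-cd", "signature_update", "backup_script_elf.sh")


def refang(url: str) -> str:
    """Reverse URLhaus defanging (hxxp -> http, [.] -> .) so the URL parses."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def ioc_hosts(urls):
    """Distinct hosts from the IOC list; equivalent to the dynamic() array in the KQL."""
    return sorted({urlsplit(refang(u)).hostname for u in urls})


def _under_domain(host: str, domains) -> bool:
    """Exact or subdomain match; a plain endswith() would also accept 'evil-artifactory.internal.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def exclusion_reason(url: str):
    """Return why a URL is a documented benign case, or None if no exclusion applies."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "file" or url.startswith("/"):
        return "local file path"
    if _under_domain(host, INTERNAL_SOURCES):
        return "internal/trusted source"
    # Query strings are requester-controlled: only trust ?test=true on the test domain.
    if host == INTERNAL_TEST_DOMAIN and "test=true" in parts.query:
        return "URL-filter test"
    for s in EXCLUDED_SUBSTRINGS:
        if s in url:
            return f"contains '{s}'"
    return None


def hunt(log_lines, hosts):
    """Mirror the KQL: has_any() is a substring test over the URL field.

    Returns (hits, suppressed). Suppressed matches are kept, with the reason,
    so that every exclusion that fired can be reviewed rather than silently lost.
    """
    hits, suppressed = [], []
    for line in log_lines:
        ts, src_ip, url = line.split()  # constructed format: "<time> <src_ip> <url>"
        if not any(h in url for h in hosts):
            continue
        reason = exclusion_reason(url)
        if reason is None:
            hits.append((ts, src_ip, url))
        else:
            suppressed.append((ts, src_ip, url, reason))
    return hits, suppressed


# Constructed proxy log lines: two true hits, one internal mirror of an IOC path
# (suppressed), one registry pull and one local path (neither matches an IOC host),
# and one IOC host carrying ?test=true (still a hit, see exclusion_reason).
SAMPLE_LOG = [
    "2026-05-08T10:01:00Z 10.0.0.5 http://103.77.246.173:8888/nerv.x86",
    "2026-05-08T10:02:00Z 10.0.0.6 http://176.65.139.11/bot.x86_64",
    "2026-05-08T10:03:00Z 10.0.0.7 http://artifactory.internal.com/remote-cache/176.65.139.11/bot.i686",
    "2026-05-08T10:04:00Z 10.0.0.8 http://registry.hub.docker.com/v2/library/busybox/blobs/sha256:abc",
    "2026-05-08T10:05:00Z 10.0.0.9 file:///var/log/elf_cleanup.log",
    "2026-05-08T10:06:00Z 10.0.0.10 http://103.77.246.173:8888/nerv.mips?test=true",
]

if __name__ == "__main__":
    hosts = ioc_hosts(IOC_URLS)
    hits, suppressed = hunt(SAMPLE_LOG, hosts)
    for h in hits:
        print("HIT", *h)
    for s in suppressed:
        print("SUPPRESSED", *s)
```

Review the suppressed list as part of the hunt rather than discarding it: the substring exclusions (ci-cd, signature_update, the backup script name) operate on a field the requester influences, so a suppressed match against one of these hosts is itself worth a second look. In Sentinel the same split can be expressed by extending the query with an exclusion column instead of a where clause, so the exclusions remain visible in the results.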