This detection identifies potential adversary activity involving malicious URLs associated with the elf threat category, which could be used to deliver payloads or exfiltrate data. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging known malicious infrastructure.
IOC Summary
Threat: elf
Total URLs: 5
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://207.244.199.251/hiddenbin/boatnet.mips | offline | malware_download | 2026-05-18 |
| hxxp://207.244.199.251/hiddenbin/boatnet.m68k | offline | malware_download | 2026-05-18 |
| hxxp://207.244.199.251/hiddenbin/boatnet.x86 | offline | malware_download | 2026-05-18 |
| hxxp://207.244.199.251/hiddenbin/boatnet.sh4 | offline | malware_download | 2026-05-18 |
| hxxp://207.244.199.251/hiddenbin/boatnet.arm7 | offline | malware_download | 2026-05-18 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: elf
// The indicator on this page is a bare IP address, so it will not appear in the
// queried Name; the resolved IPAddresses field is checked as well.
let malicious_domains = dynamic(["207.244.199.251"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// Threat: elf
// DestinationIP is included for the same reason: an IP-only indicator never
// matches the hostname field alone.
let malicious_domains = dynamic(["207.244.199.251"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
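The queries above are hand-written against a single indicator. As an added example (not part of the original page or of URLhaus), the following Python turns the defanged IOC table into the `has_any` host list, renders the Sentinel query, and classifies constructed proxy records as an exact URL hit, a host-only hit, or no match. The five URLs are the ones from the table; the sample log records and the `classify` labels are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed from the IOC table on this page (defanged URLhaus entries).
IOC_URLS = [
    "hxxp://207.244.199.251/hiddenbin/boatnet.mips",
    "hxxp://207.244.199.251/hiddenbin/boatnet.m68k",
    "hxxp://207.244.199.251/hiddenbin/boatnet.x86",
    "hxxp://207.244.199.251/hiddenbin/boatnet.sh4",
    "hxxp://207.244.199.251/hiddenbin/boatnet.arm7",
]

def refang(url):
    """Undo defanging (hxxp://, [.]) so the indicator compares with real log values."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I).replace("[.]", ".")

def ioc_hosts(urls):
    """Distinct hosts (IP or domain) from the URL list, in first-seen order."""
    return list(dict.fromkeys(h for u in urls if (h := urlsplit(refang(u)).hostname)))

def build_kql(urls, table="CommonSecurityLog"):
    """Render the hunt query; DestinationIP is included because an IP-only IOC never appears in a hostname field."""
    hosts = ", ".join(f'"{h}"' for h in ioc_hosts(urls))
    return (
        f"let malicious_domains = dynamic([{hosts}]);\n{table}\n"
        "| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)\n"
        "    or DestinationIP has_any (malicious_domains)\n"
        "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction\n"
        "| order by TimeGenerated desc"
    )

def classify(record, urls=IOC_URLS):
    """'url' for an exact IOC URL hit, 'host' for any traffic to an IOC host, else None."""
    req = (record.get("RequestURL") or "").lower()
    if req in {refang(u).lower() for u in urls}:
        return "url"
    hosts = set(ioc_hosts(urls))
    if urlsplit(req).hostname in hosts or record.get("DestinationIP") in hosts:
        return "host"
    return None

# Constructed sample proxy records, not real telemetry.
SAMPLE_LOGS = [
    {"RequestURL": "http://207.244.199.251/hiddenbin/boatnet.arm7", "DestinationIP": "207.244.199.251"},
    {"RequestURL": "http://207.244.199.251/update.bin", "DestinationIP": "207.244.199.251"},
    {"RequestURL": "http://example.com/hiddenbin/boatnet.x86", "DestinationIP": "203.0.113.10"},
]
```

A host-only hit (second record) is still worth triaging: the same server may serve payloads at paths URLhaus has not catalogued yet, while a path-only coincidence on a different host (third record) is deliberately not flagged.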
Scenario: A system administrator is manually testing a new URL filtering tool by inputting known benign URLs from the elf category for validation purposes.
Filter/Exclusion: Exclude URLs that match the internal testing list or are tagged with test or validation in the URLhaus database.
Scenario: A scheduled job runs to fetch and process logs from a SIEM system, and the job includes a script that temporarily generates URLs for log parsing and is tagged as elf.
Filter/Exclusion: Exclude URLs that originate from known internal scripts or are associated with the SIEM log processing job ID.
Scenario: A DevOps team is deploying a new application that requires downloading dependencies from a repository, and one of the URLs is mistakenly tagged as elf in the URLhaus database (a false positive).
Filter/Exclusion: Exclude URLs that are part of a known dependency list or are associated with a specific project or CI/CD pipeline.
Scenario: A security analyst is using a tool like OSSEC or Splunk to monitor system logs and has configured a rule that generates temporary URLs for internal monitoring, which are mistakenly tagged as elf.
Filter/Exclusion: Exclude URLs that are generated by internal monitoring tools or are associated with the analyst’s username or session ID.
Scenario: A system is running a PowerShell script for administrative tasks (e.g., system cleanup or user management), and the script generates temporary URLs for internal API calls, which are falsely tagged as elf.
Filter/Exclusion: Exclude URLs that are generated by PowerShell scripts with specific execution contexts or are part of a known internal API endpoint.