The URLs below are tagged elf in URLhaus: they serve ELF executables (Linux binaries) from two IP addresses. The file names (px86, pmpsl, x86_64, pmips, pspc, psh4, pppc, pm68k, bot.i486) encode the target CPU architecture, which is the usual layout of a multi-architecture bot payload server whose infection script fetches whichever binary matches the victim device. A host that requests one of these URLs is therefore most likely already compromised and pulling its second stage, not clicking a phishing link. SOC teams should hunt for connections to these addresses in Microsoft Sentinel (formerly Azure Sentinel) to catch payload retrieval and the follow-on command and control early.
IOC Summary
Threat: elf | Total URLs: 9 | Active URLs: 9

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.159/bins/px86 | online | malware_download | 2026-05-10 |
| hxxp://176.65.139.159/bins/pmpsl | online | malware_download | 2026-05-10 |
| hxxp://176.65.139.159/bins/x86_64 | online | malware_download | 2026-05-10 |
| hxxp://176.65.139.159/bins/pmips | online | malware_download | 2026-05-10 |
| hxxp://176.65.139.159/bins/pspc | online | malware_download | 2026-05-10 |
| hxxp://176.65.139.159/bins/psh4 | online | malware_download | 2026-05-10 |
| hxxp://176.65.139.159/bins/pppc | online | malware_download | 2026-05-10 |
| hxxp://176.65.139.159/bins/pm68k | online | malware_download | 2026-05-10 |
| hxxp://176.65.139.11/bot.i486 | online | malware_download | 2026-05-10 |
```kusto
// Hunt for DNS activity involving the URLhaus IOCs
// Threat: elf
// The IOCs are bare IP addresses, so they never appear as the queried Name.
// A device fetching http://176.65.139.159/... performs no lookup at all; the
// only DNS signal is a name that resolves to one of these addresses.
let malicious_ips = dynamic(["176.65.139.159", "176.65.139.11"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web traffic to the URLhaus IOCs
// Threat: elf
// Match on the destination address as well as the URL fields: firewalls that
// do not log URLs still populate DestinationIP.
let malicious_ips = dynamic(["176.65.139.159", "176.65.139.11"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or RequestURL has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
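As an added, self-contained example (not part of the original page or of URLhaus), the following Python reproduces the two hunts above against constructed log records so the matching logic can be checked offline before it runs in Sentinel. It refangs the defanged IOCs, splits them into exact URLs, IP hosts and domain hosts, matches web-proxy records on destination IP or full URL, matches DNS records on the resolved answers (a bare-IP IOC never appears as a queried name), and applies a sandbox exclusion of the kind discussed in the false-positive scenarios below. The log records, the 10.50.0.7 sandbox address and the field names (mirroring CommonSecurityLog and DnsEvents columns) are assumptions made for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# The nine URLhaus entries from the table above, kept in their defanged form.
DEFANGED_IOCS = [
    "hxxp://176.65.139.159/bins/px86",
    "hxxp://176.65.139.159/bins/pmpsl",
    "hxxp://176.65.139.159/bins/x86_64",
    "hxxp://176.65.139.159/bins/pmips",
    "hxxp://176.65.139.159/bins/pspc",
    "hxxp://176.65.139.159/bins/psh4",
    "hxxp://176.65.139.159/bins/pppc",
    "hxxp://176.65.139.159/bins/pm68k",
    "hxxp://176.65.139.11/bot.i486",
]

# Assumption: egress address of the malware-analysis sandbox that fetches
# samples on purpose (see the false-positive scenarios).
ANALYSIS_SOURCE_IPS = frozenset({"10.50.0.7"})


def refang(url: str) -> str:
    """Undo the hxxp:// and [.] defanging used in IOC feeds."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def build_iocs(defanged: list[str]) -> dict[str, set[str]]:
    """Split the feed into exact URLs, IP hosts and domain hosts."""
    urls = {refang(u) for u in defanged}
    hosts = {urlsplit(u).hostname for u in urls}
    ips = {h for h in hosts if is_ip(h)}
    return {"urls": urls, "ips": ips, "domains": hosts - ips}


# Constructed CommonSecurityLog-style records (proxy/firewall CEF).
WEB_LOG = [
    {"SourceIP": "10.20.3.44", "DestinationIP": "176.65.139.159", "DestinationHostName": "",
     "RequestURL": "http://176.65.139.159/bins/pmips", "DeviceAction": "allow"},
    {"SourceIP": "10.50.0.7", "DestinationIP": "176.65.139.11", "DestinationHostName": "",
     "RequestURL": "http://176.65.139.11/bot.i486", "DeviceAction": "allow"},   # sandbox fetch
    {"SourceIP": "10.20.3.45", "DestinationIP": "176.65.139.159", "DestinationHostName": "",
     "RequestURL": "http://176.65.139.159/bins/arm7", "DeviceAction": "allow"},  # same host, path not in feed
    {"SourceIP": "10.20.9.1", "DestinationIP": "93.184.216.34", "DestinationHostName": "example.com",
     "RequestURL": "http://example.com/bins/x86_64", "DeviceAction": "allow"},   # path overlap only
]

# Constructed DnsEvents-style records; IPAddresses is a comma-separated string.
DNS_LOG = [
    {"Computer": "dc01", "Name": "example.com", "IPAddresses": "93.184.216.34"},
    {"Computer": "ws07", "Name": "cdn.example.net", "IPAddresses": "176.65.139.159"},
]


def hunt_web(records, iocs, allow_sources=frozenset()):
    """Return (SourceIP, RequestURL, reasons) for each record touching an IOC."""
    hits = []
    for r in records:
        if r["SourceIP"] in allow_sources:          # reviewed exclusion list only
            continue
        host = urlsplit(r["RequestURL"]).hostname or ""
        reasons = []
        if r["RequestURL"] in iocs["urls"]:
            reasons.append("exact_url")
        if r["DestinationIP"] in iocs["ips"] or host in iocs["ips"]:
            reasons.append("ioc_ip")
        if r["DestinationHostName"] in iocs["domains"] or host in iocs["domains"]:
            reasons.append("ioc_domain")
        if reasons:
            hits.append((r["SourceIP"], r["RequestURL"], tuple(reasons)))
    return hits


def hunt_dns(records, iocs):
    """Return (Computer, Name) where the name is an IOC or resolves to an IOC IP."""
    hits = []
    for r in records:
        answers = {a.strip() for a in r["IPAddresses"].split(",") if a.strip()}
        if r["Name"] in iocs["domains"] or answers & iocs["ips"]:
            hits.append((r["Computer"], r["Name"]))
    return hits


if __name__ == "__main__":
    iocs = build_iocs(DEFANGED_IOCS)
    for hit in hunt_web(WEB_LOG, iocs, ANALYSIS_SOURCE_IPS):
        print("web:", hit)
    for hit in hunt_dns(DNS_LOG, iocs):
        print("dns:", hit)
```

The third web record is the reason the Sentinel query matches on the address and not only on the nine exact URLs: a payload host serves more architectures than any snapshot of the feed lists, and the fourth record shows why path fragments such as `/bins/x86_64` on their own are not an indicator.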
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector from firewalls and proxies. RequestURL and DestinationHostName are filled only by devices that log URLs (proxies, URL filtering); plain firewalls still populate DestinationIP, which the query also checks. |
| DnsEvents | Populated by the DNS server connector (Windows DNS via the Log Analytics agent). Only needed for the resolution-based query; traffic to these bare-IP URLs generates no DNS query of its own. |
Scenario: A malware analyst or an automated sandbox deliberately fetches samples from the listed URLs for analysis.
Filter/Exclusion: Exclude the sandbox and analyst-workstation egress addresses by SourceIP in the web-traffic query. Keep this allowlist short and reviewed; an open-ended exclusion hides the one case that matters, an analyst workstation that is itself infected.
Scenario: A scheduled job downloads a threat-intelligence feed (for example a URLhaus CSV export) that contains these URLs, and a tool in the path, such as a URL validator, link checker or content scanner, follows them.
Filter/Exclusion: Exclude the SourceIP of the feed-fetching host, and confirm the hit is an automated check rather than a device pulling the binary by looking at RequestClientApplication (user agent) and ReceivedBytes where the proxy logs them.
Scenario: Internal build or test infrastructure cross-compiles firmware and publishes ELF binaries under architecture-named paths (x86_64, mips, ppc, sh4 and m68k are ordinary toolchain targets, and tools such as pyelftools or elfutils are commonly run on the output). A hunt that matches on path fragments such as /bins/x86_64 rather than on the host can hit internal artifact servers.
Filter/Exclusion: Match on the IP address or on the full host-plus-path IOC, as the queries above do, and exclude internal artifact repositories by address. The elf tag describes the payload's file format, not a file extension: files ending in .elf on endpoints are unrelated to this network hunt.
Scenario: A vulnerability scanner or an internal security test replays known-bad URLs through the proxy to verify that blocking works.
Filter/Exclusion: Exclude the scanner's source address. Hits from other sources with DeviceAction set to a block or deny value are evidence the control fired; hits that were allowed are incidents regardless of who generated them.
Scenario: The SIEM ingests threat-intelligence enrichment or other sources that carry the IOC strings as data (for example ThreatIntelligenceIndicator records, or an alert body that quotes the URL), so a table-wide search matches the indicator itself rather than traffic to it.
Filter/Exclusion: Run the hunt only against the raw network tables (CommonSecurityLog, DnsEvents) and their request and destination fields, never with a table-wide search, and exclude log sources that merely quote IOCs.