The ThreatFox: Remus IOCs rule detects potential adversary activity linked to the Remus malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise sensitive data and system integrity.
IOC Summary

Malware Family: Remus
Total IOCs: 2
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 195[.]211[.]191[.]95:4190 | botnet_cc | 2026-06-13 | 75% |
| url | hxxp://mottla.shop:4190 | botnet_cc | 2026-06-13 | 75% |
```kusto
// Hunt for network connections to the known Remus C2 IP
// Source: ThreatFox - Remus
// The IOC is 195.211.191.95:4190; DestinationPort is projected so analysts can confirm the C2 port
let malicious_ips = dynamic(["195.211.191.95"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remus
let malicious_ips = dynamic(["195.211.191.95"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Remus
// Match the full IOC and the bare host so path or scheme variants of the same C2 are not missed
let malicious_urls = dynamic(["http://mottla.shop:4190"]);
UrlClickEvents
| where Url has_any (malicious_urls) or Url has "mottla.shop"
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF firewall/proxy logs) |
| DeviceNetworkEvents | Ensure this data connector is enabled (Microsoft Defender XDR connector) |
| UrlClickEvents | Ensure this data connector is enabled (Defender for Office 365 Safe Links click data) |
| Scenario | Filter/Exclusion |
|---|---|
| Scheduled system backup using Veeam Backup & Replication | Exclude processes initiated by the Veeam service or with command-line arguments containing backup or restore. |
| Admin task to update endpoint protection software (e.g., Microsoft Defender or CrowdStrike Falcon) | Exclude processes with parent process Task Scheduler or command-line arguments containing update, patch, or install. |
| Legitimate use of PowerShell for script-based administration (e.g., Invoke-Command or Get-ChildItem) | Exclude processes with PowerShell.exe and command-line arguments containing script, admin, or runas. |
| Regular log collection using Splunk or ELK Stack | Exclude processes with parent process splunkd or logstash and command-line arguments containing collect, forward, or index. |
| System maintenance task using Windows Task Scheduler to run DISM or SFC | Exclude processes with parent process Task Scheduler and command-line arguments containing DISM, SFC, or scan. |