The ThreatFox: Remus IOCs rule detects potential adversary activity linked to the Remus malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise sensitive data and system integrity.
IOC Summary
Malware Family: Remus
Total IOCs: 2
IOC Types: domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | nostrendezvous.com | botnet_cc | 2026-06-12 | 100% |
| url | hxxp://nostrendezvous.com:5789 | botnet_cc | 2026-06-12 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remus
let malicious_domains = dynamic(["nostrendezvous.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Remus
let malicious_urls = dynamic(["http://nostrendezvous.com:5789"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
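As an added example that is not part of the ThreatFox rule page, the Python below mirrors the two queries above outside Sentinel: it refangs the defanged values from the IOC table (hxxp:// becomes http://), renders the same `dynamic([...])` lists the queries use, and matches constructed sample records shaped like DnsEvents and UrlClickEvents against them, including a subdomain of the C2 domain and a URL that carries a path after port 5789. The IOC list, sample events and function names are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the IOC table above, defanged as ThreatFox publishes it.
REMUS_IOCS = [
    {"type": "domain", "value": "nostrendezvous.com", "confidence": 100},
    {"type": "url", "value": "hxxp://nostrendezvous.com:5789", "confidence": 75},
]

def refang(value):
    """Undo defanging (hxxp://, [.], [:]) so the value can go into a query."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def build_kql_list(iocs, ioc_type):
    """Render the dynamic([...]) literal the Sentinel queries above expect."""
    values = sorted({refang(i["value"]) for i in iocs if i["type"] == ioc_type})
    return "dynamic([" + ", ".join(f'"{v}"' for v in values) + "])"

def domain_matches(query_name, ioc_domains):
    """True for the IOC domain itself or any subdomain; a trailing dot is ignored."""
    name = query_name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in ioc_domains)

def url_matches(url, ioc_urls):
    """Match on scheme, host and port so a path suffix does not hide the C2 hit."""
    u = urlsplit(url.lower())
    return any((u.scheme, u.hostname, u.port) == (i.scheme, i.hostname, i.port)
               for i in map(urlsplit, (x.lower() for x in ioc_urls)))

def hunt(dns_events, url_events, iocs=REMUS_IOCS):
    """Return (dns_hits, url_hits) for records shaped like DnsEvents/UrlClickEvents."""
    domains = {refang(i["value"]) for i in iocs if i["type"] == "domain"}
    urls = {refang(i["value"]) for i in iocs if i["type"] == "url"}
    return ([e for e in dns_events if domain_matches(e["Name"], domains)],
            [e for e in url_events if url_matches(e["Url"], urls)])

# Constructed sample events: one hit and one look-alike non-hit per table.
SAMPLE_DNS = [
    {"Computer": "WS01", "Name": "cdn.nostrendezvous.com."},        # subdomain of C2: hit
    {"Computer": "WS02", "Name": "nostrendezvous.company.example"},  # different domain: no hit
]
SAMPLE_URLS = [
    {"AccountUpn": "a@example.test", "Url": "http://nostrendezvous.com:5789/beacon"},  # hit
    {"AccountUpn": "b@example.test", "Url": "http://nostrendezvous.com/"},  # port 80: not the URL IOC
]
```

Running `hunt(SAMPLE_DNS, SAMPLE_URLS)` returns the WS01 DNS record and the port-5789 click; the port-80 URL is left to the domain query, which already covers the host.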
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate scheduled task runs a script that matches the Remus IOC pattern due to similar command-line syntax. | Exclude processes associated with schtasks.exe or tasks with a known name such as SystemMaintenanceTask. |
| Admin Performing Disk Cleanup | An administrator uses a tool like Disk Cleanup or cleanmgr.exe, which may trigger a false positive due to similar file or registry activity. | Exclude processes with cleanmgr.exe or diskcleanup.exe in the process name. |
| Log Collection and Analysis Tool (e.g., Splunk, ELK) | A log collection tool like Splunk or a custom script using logrotate may generate files or commands that resemble Remus IOCs. | Exclude processes related to splunkd.exe, logrotate, or any known log management tool. |
| Software Update or Patch Deployment | A patching tool like Microsoft Update or WSUS may execute scripts or use temporary files that match the Remus IOC pattern. | Exclude processes with wuauclt.exe, wsusutil.exe, or any known patching tool identifiers. |
| Backup Job Execution (e.g., Veeam, Acronis) | A backup job using tools like Veeam or Acronis may generate temporary files or use command-line arguments that trigger the Remus detection. | Exclude processes with veeam.exe, acronis, or any known backup tool identifiers. |