The hypothesis is that the detected URLs are staging locations for Remcos, a remote access Trojan. All three are tagged malware_download in URLhaus and point at text files in throwaway GitHub repositories, which is consistent with a loader fetching an encoded Remcos payload rather than with data exfiltration or the C2 channel itself. A successful fetch of one of these URLs from an endpoint therefore means a stager has already executed on that host. SOC teams should hunt for the full URLs (not just the shared raw.githubusercontent.com host) in Azure Sentinel to identify compromised endpoints and contain them before the RAT reaches its C2 server.
IOC Summary
Threat: remcos
Total URLs: 3
Active URLs: 1

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://raw.githubusercontent.com/solid-23/ghy/refs/heads/main/kkArdSd.txt | offline | malware_download | 2026-05-27 |
| hxxps://raw.githubusercontent.com/slaytonms/ab/refs/heads/main/AdkkSfA.txt | online | malware_download | 2026-05-27 |
| hxxps://raw.githubusercontent.com/solid-23/kl/refs/heads/main/mkFpIik.txt | offline | malware_download | 2026-05-27 |
```kusto
// Hunt for DNS resolution of the host behind the URLhaus-listed URLs.
// Threat: remcos
// Caveat: DNS only sees the host name, and raw.githubusercontent.com is shared
// with a great deal of legitimate traffic (installers, CI, scripts). Use this
// query to pivot from a web hit, not as a standalone alert.
let malicious_domains = dynamic(["raw.githubusercontent.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to the URLhaus-listed Remcos staging URLs.
// Threat: remcos
// Match on the full repository path: matching on the host alone would flag
// every legitimate download from GitHub raw content.
let malicious_urls = dynamic([
    "raw.githubusercontent.com/solid-23/ghy/refs/heads/main/kkArdSd.txt",
    "raw.githubusercontent.com/slaytonms/ab/refs/heads/main/AdkkSfA.txt",
    "raw.githubusercontent.com/solid-23/kl/refs/heads/main/mkFpIik.txt"
]);
CommonSecurityLog
| where RequestURL has_any (malicious_urls)
| project TimeGenerated, SourceIP, DestinationHostName, RequestURL, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
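The following is an added example, not part of the original playbook or of URLhaus, showing why the web-traffic hunt should key on the full URL rather than on the host. It refangs the three IOC URLs from the table, normalises them (host lowercased, query string dropped) and runs both a host-only match and a full-URL match over a handful of constructed CommonSecurityLog-style records. The log records, source IPs and the Homebrew installer URL are assumptions made up for the illustration.

```python
"""Match URLhaus Remcos IOC URLs against web-proxy records.

Editor's example, not the playbook's or URLhaus' own code. All log
records below are constructed for illustration, not real telemetry.
"""
from urllib.parse import urlsplit

# The three IOC URLs from the table, as published (defanged by URLhaus).
IOC_URLS = [
    "hxxps://raw.githubusercontent.com/solid-23/ghy/refs/heads/main/kkArdSd.txt",
    "hxxps://raw.githubusercontent.com/slaytonms/ab/refs/heads/main/AdkkSfA.txt",
    "hxxps://raw.githubusercontent.com/solid-23/kl/refs/heads/main/mkFpIik.txt",
]


def refang(url: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".").replace("[:]", ":")


def normalize(url: str) -> tuple[str, str]:
    """Return (host, path): host lowercased, query/fragment dropped, no trailing slash."""
    parts = urlsplit(refang(url))
    host = parts.hostname.lower() if parts.hostname else ""
    return host, parts.path.rstrip("/")


IOC_KEYS = {normalize(u) for u in IOC_URLS}
IOC_HOSTS = {host for host, _ in IOC_KEYS}

# Constructed records in the shape of (SourceIP, RequestURL, DeviceAction).
# Record 2 is legitimate developer traffic; record 3 is an IOC hit with a
# mixed-case host and a query string, which the normalisation must absorb.
SAMPLE_LOG = [
    ("10.0.0.5", "https://raw.githubusercontent.com/slaytonms/ab/refs/heads/main/AdkkSfA.txt", "allow"),
    ("10.0.0.7", "https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh", "allow"),
    ("10.0.0.9", "https://RAW.GITHUBUSERCONTENT.COM/solid-23/kl/refs/heads/main/mkFpIik.txt?token=x", "block"),
    ("10.0.0.12", "https://github.com/solid-23/ghy", "allow"),
]


def match_host_only(records):
    """What a host-level query does: every request to raw.githubusercontent.com."""
    return [r for r in records if normalize(r[1])[0] in IOC_HOSTS]


def match_full_url(records):
    """What the hunt should do: host plus path must equal a listed IOC."""
    return [r for r in records if normalize(r[1]) in IOC_KEYS]


if __name__ == "__main__":
    print("host-only hits:", [r[0] for r in match_host_only(SAMPLE_LOG)])
    print("full-URL hits: ", [r[0] for r in match_full_url(SAMPLE_LOG)])
```

The host-only match returns three records, including the Homebrew installer download, while the full-URL match returns only the two IOC hits. Note that 10.0.0.9 was blocked by the proxy and still appears: a blocked fetch of a staging URL is evidence that a loader ran on the host and should be triaged, not discarded.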
Scenario: A system administrator or security engineer deliberately fetches one of the listed URLs to test a web filter, EDR rule or this very query.
Filter/Exclusion: Exclude the test host by SourceIP or Computer for the duration of the change ticket only; do not add a permanent exclusion for the URL, since it is the indicator being hunted.
Scenario: A scheduled job on a threat intelligence platform fetches the URLhaus export, which contains the remcos-tagged URL strings.
Filter/Exclusion: The proxy records the feed download as a request to the URLhaus host, not to the IOC URL, so the full-URL query should not fire; if the platform also performs automated retrieval of the listed URLs for enrichment, exclude its SourceIP.
Scenario: Developers, CI runners and package installers routinely download scripts and files from raw.githubusercontent.com, so the DNS query and any host-level match will return a steady stream of legitimate traffic.
Filter/Exclusion: Alert only on the full repository paths in the IOC table; treat DNS resolution of raw.githubusercontent.com as a pivot for the hosts that produced a web hit, and baseline hosts that resolve it on a schedule.
Scenario: A security analyst detonates a suspected Remcos loader in a sandbox such as Cuckoo Sandbox, and the sample itself retrieves the staging URL.
Filter/Exclusion: Exclude the sandbox's egress SourceIP or the analysis network segment, and confirm the hit aligns with a submitted sample before closing it.
Scenario: The proxy or firewall blocked the request (DeviceAction is block or deny), so the payload was never delivered.
Filter/Exclusion: Do not exclude blocked requests. A blocked fetch still shows that a loader executed on the source host, so triage the host for the first-stage script or document that issued the request.