The detection identifies potential RemcosRAT malware distribution through malicious URLs, indicating an adversary is attempting to compromise endpoints and establish persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware infections before they spread within the network.
IOC Summary
Threat: RemcosRAT
Total URLs: 2
Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://github.com/grere856-dot/vigilant-waffle/raw/refs/heads/main/loader.ps1 | online | malware_download | 2026-05-19 |
| hxxps://raw.githubusercontent.com/grere856-dot/vigilant-waffle/refs/heads/main/loader.ps1 | online | malware_download | 2026-05-19 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: RemcosRAT
// Caveat: both hosts are shared GitHub infrastructure, so a DNS match on the
// bare domain is weak evidence on its own; pivot to proxy/web logs and compare
// the full URL path from the IOC table before escalating.
let malicious_domains = dynamic(["github.com", "raw.githubusercontent.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: RemcosRAT
// Caveat: matching on the domain alone will surface all GitHub traffic;
// RequestURL carries the full path, so narrow results to the loader.ps1
// URLs from the IOC table during triage.
let malicious_domains = dynamic(["github.com", "raw.githubusercontent.com"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
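The two hunts above key on the bare hostnames, which for shared hosting such as GitHub means every developer download is a hit. The following Python script is an added example, not part of the original hunt content: it refangs the two indicators from the IOC table, runs a host-only match and a host+path match over a few constructed proxy records, and emits a path-aware KQL where-clause for CommonSecurityLog. The sample log lines and their source IPs are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed copy of the two defanged indicators listed in the IOC table.
IOCS = [
    "hxxps://github.com/grere856-dot/vigilant-waffle/raw/refs/heads/main/loader.ps1",
    "hxxps://raw.githubusercontent.com/grere856-dot/vigilant-waffle/refs/heads/main/loader.ps1",
]

# Constructed proxy records shaped like CommonSecurityLog (SourceIP, RequestURL).
SAMPLE_LOG = [
    ("10.0.0.12", "https://github.com/microsoft/vscode/releases"),
    ("10.0.0.12", "https://raw.githubusercontent.com/grere856-dot/vigilant-waffle/refs/heads/main/loader.ps1"),
    ("10.0.0.40", "https://github.com/grere856-dot/vigilant-waffle/raw/refs/heads/main/loader.ps1"),
    ("10.0.0.55", "https://raw.githubusercontent.com/python/cpython/main/README.rst"),
]


def refang(url: str) -> str:
    """Undo the usual defanging so the indicator parses as a normal URL."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def ioc_hosts(iocs):
    """Bare hostnames: the best the DnsEvents hunt can match on."""
    return sorted({urlparse(refang(u)).hostname for u in iocs})


def ioc_paths(iocs):
    """host + path: the part that actually separates the IOC from benign traffic."""
    return sorted({urlparse(refang(u)).hostname + urlparse(refang(u)).path for u in iocs})


def hits(log, iocs, by="path"):
    """Return (SourceIP, RequestURL) records matching the IOCs by host only or by host+path."""
    keys = set(ioc_hosts(iocs) if by == "host" else ioc_paths(iocs))
    out = []
    for src, url in log:
        p = urlparse(url)
        key = p.hostname if by == "host" else p.hostname + p.path
        if key in keys:
            out.append((src, url))
    return out


def kql_filter(iocs) -> str:
    """KQL where-clause keyed on host+path rather than the bare domain.
    `contains` is slower than `has` but matches substrings containing '/' and '.'."""
    return "| where " + " or ".join(f'RequestURL contains "{k}"' for k in ioc_paths(iocs))


if __name__ == "__main__":
    print(len(hits(SAMPLE_LOG, IOCS, by="host")), "host-only hits vs", len(hits(SAMPLE_LOG, IOCS)), "path hits")
    print(kql_filter(IOCS))
```

On the constructed records the host-only match fires on all four requests while the host+path match fires only on the two loader.ps1 downloads.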
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate software update download
Description: A system administrator downloads a RemcosRAT-related URL as part of a security tool update or patching process.
Filter/Exclusion: Check for process.name containing “update” or “patch” and process.user being a privileged admin account (e.g., root, admin, svc_account).
Scenario: Scheduled job for endpoint protection scan
Description: A scheduled job runs a security scan that temporarily downloads a RemcosRAT-related URL from a trusted source for signature updates.
Filter/Exclusion: Filter by process.name like “endpoint_protection” or “av_update” and check for urlhaus.tag not being “malicious” or “remcosrat”.
Scenario: Internal testing of a security tool
Description: A security team is testing a new detection rule and manually triggers a URL associated with RemcosRAT for validation purposes.
Filter/Exclusion: Use process.user to identify internal test accounts (e.g., test_user, security_team) and exclude URLs with urlhaus.source indicating internal testing environments.
Scenario: Admin task for log collection or monitoring
Description: An admin uses a tool like LogParser or Splunk to collect logs, which may involve downloading a RemcosRAT-related URL for configuration or monitoring purposes.
Filter/Exclusion: Filter by process.name like “logparser” or “splunk” and check for urlhaus.tag not matching “malicious” or “remcosrat”.
Scenario: False positive from a third-party integration
Description: A third-party integration (e.g., CrowdStrike Falcon or Microsoft Defender) may report a URL as RemcosRAT due to a