The hunt hypothesis is that Remcos, a commodity remote access trojan (RAT), is active in the environment. Outbound connections to the ThreatFox-reported command-and-control (C2) IP:port pairs below would indicate an infected host checking in, which can mean data exfiltration or an adversary maintaining persistent remote access. SOC teams should proactively hunt for these connections in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain the intrusion before it causes significant damage. Note that all ten IOCs are IP:port pairs, so matching on the full pair gives higher fidelity than matching on the IP alone; four of them share the single address 192[.]210[.]186[.]212.
IOC Summary
Malware Family: Remcos
Total IOCs: 10
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 96[.]44[.]167[.]215:14649 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 5[.]101[.]82[.]60:27015 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 209[.]54[.]102[.]152:14645 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 192[.]3[.]136[.]254:14648 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 182[.]23[.]2[.]163:7024 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 192[.]210[.]186[.]212:5544 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 192[.]210[.]186[.]212:5656 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 192[.]210[.]186[.]212:1343 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 192[.]210[.]186[.]212:4545 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 31[.]77[.]189[.]2:6064 | botnet_cc | 2026-06-17 | 75% |
```kql
// Hunt for network connections to known Remcos C2 addresses (CEF/Syslog sources)
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["5.101.82.60", "31.77.189.2", "192.210.186.212", "192.3.136.254", "209.54.102.152", "96.44.167.215", "182.23.2.163"]);
// Full IP:port pairs from the IOC table; an exact pair match is higher fidelity than IP alone
let malicious_pairs = dynamic(["96.44.167.215:14649", "5.101.82.60:27015", "209.54.102.152:14645", "192.3.136.254:14648", "182.23.2.163:7024", "192.210.186.212:5544", "192.210.186.212:5656", "192.210.186.212:1343", "192.210.186.212:4545", "31.77.189.2:6064"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend ExactPortMatch = strcat(DestinationIP, ":", tostring(DestinationPort)) in (malicious_pairs)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, ExactPortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events; includes the initiating process and command line for triage
let malicious_ips = dynamic(["5.101.82.60", "31.77.189.2", "192.210.186.212", "192.3.136.254", "209.54.102.152", "96.44.167.215", "182.23.2.163"]);
let malicious_pairs = dynamic(["96.44.167.215:14649", "5.101.82.60:27015", "209.54.102.152:14645", "192.3.136.254:14648", "182.23.2.163:7024", "192.210.186.212:5544", "192.210.186.212:5656", "192.210.186.212:1343", "192.210.186.212:4545", "31.77.189.2:6064"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend ExactPortMatch = strcat(RemoteIP, ":", tostring(RemotePort)) in (malicious_pairs)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ExactPortMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) / Syslog connector from firewalls and proxies; ensure the connector is enabled and that the relevant devices forward connection logs |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector with Defender for Endpoint onboarded; ensure the connector is enabled and that the Defender for Endpoint event tables are selected |
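As an added example that is not part of the original hunt page, the same IP:port matching in Python, run over a few constructed connection records shaped like DeviceNetworkEvents rows. It refangs the defanged values from the IOC table, matches on the full IP:port pair, and separately flags traffic to an IOC host on a port the feed does not list, which an IP-only query would treat identically. The timestamps, device names and process names in the sample records are constructed for illustration.

```python
"""Port-aware matching of ThreatFox-style ip:port IOCs against connection records.

Added example, not part of the original hunt page. The IOC values are the ten
rows of the IOC table; the connection records below are constructed.
"""
import ipaddress
from collections import defaultdict

# Defanged ip:port IOC -> confidence, copied from the IOC table.
REMCOS_IOCS = {
    "96[.]44[.]167[.]215:14649": 75,
    "5[.]101[.]82[.]60:27015": 75,
    "209[.]54[.]102[.]152:14645": 75,
    "192[.]3[.]136[.]254:14648": 75,
    "182[.]23[.]2[.]163:7024": 75,
    "192[.]210[.]186[.]212:5544": 100,
    "192[.]210[.]186[.]212:5656": 100,
    "192[.]210[.]186[.]212:1343": 100,
    "192[.]210[.]186[.]212:4545": 100,
    "31[.]77[.]189[.]2:6064": 75,
}


def parse_ioc(value: str) -> tuple[str, int]:
    """Refang '1[.]2[.]3[.]4:80' into ('1.2.3.4', 80); reject malformed entries."""
    refanged = value.replace("[.]", ".")
    host, sep, port_text = refanged.rpartition(":")
    if not sep:
        raise ValueError(f"expected ip:port, got {value!r}")
    ip = str(ipaddress.ip_address(host))  # raises ValueError on a bad address
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {value!r}")
    return ip, port


def build_index(iocs: dict) -> dict:
    """Map IP -> {port: confidence} so each connection is checked in O(1)."""
    index = defaultdict(dict)
    for value, confidence in iocs.items():
        ip, port = parse_ioc(value)
        index[ip][port] = confidence
    return dict(index)


def classify(index: dict, remote_ip: str, remote_port: int):
    """Return ('ip:port', conf), ('ip-only', conf) or None for a connection."""
    ports = index.get(remote_ip)
    if ports is None:
        return None
    if remote_port in ports:
        return ("ip:port", ports[remote_port])
    # Same C2 host on a port the feed does not list: worth triage, lower fidelity.
    return ("ip-only", max(ports.values()))


# Constructed records in the shape of DeviceNetworkEvents columns (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-17T08:01:12Z", "DeviceName": "ws-0042", "RemoteIP": "192.210.186.212",
     "RemotePort": 5544, "InitiatingProcessFileName": "updater.exe"},
    {"Timestamp": "2026-06-17T08:03:40Z", "DeviceName": "ws-0042", "RemoteIP": "192.210.186.212",
     "RemotePort": 443, "InitiatingProcessFileName": "msedge.exe"},
    {"Timestamp": "2026-06-17T08:05:09Z", "DeviceName": "srv-files01", "RemoteIP": "5.101.82.60",
     "RemotePort": 27015, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-17T08:06:00Z", "DeviceName": "ws-0107", "RemoteIP": "8.8.8.8",
     "RemotePort": 53, "InitiatingProcessFileName": "svchost.exe"},
]


def hunt(events: list, index: dict) -> list:
    """Tag every event touching an IOC host; exact ip:port hits sort first, then by confidence."""
    hits = []
    for event in events:
        verdict = classify(index, event["RemoteIP"], event["RemotePort"])
        if verdict is None:
            continue
        match_type, confidence = verdict
        hits.append({**event, "MatchType": match_type, "Confidence": confidence})
    hits.sort(key=lambda h: (h["MatchType"] != "ip:port", -h["Confidence"]))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, build_index(REMCOS_IOCS)):
        print(f"{hit['Timestamp']} {hit['DeviceName']:<12} {hit['RemoteIP']}:{hit['RemotePort']:<5} "
              f"{hit['InitiatingProcessFileName']:<12} {hit['MatchType']} ({hit['Confidence']}%)")
```

Running it surfaces three of the four records: the two exact IP:port hits first, then the 443 connection to 192.210.186.212 tagged ip-only. That last class is where the triage effort goes: a shared host can legitimately serve unrelated tenants, so the initiating process and command line decide whether it is a Remcos check-in on a rotated port or unrelated traffic.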
Scenario: Legitimate scheduled job using Remcos for remote management
Description: Remcos is sold commercially as a remote administration tool, so an admin may run it from a scheduled job to monitor and manage endpoints. Note that this hunt matches on destinations ThreatFox classifies as botnet_cc, not on the Remcos binary itself; a sanctioned deployment connects to the organisation's own Remcos server, which should not appear in the IOC list.
Filter/Exclusion: Exclude only after confirming the destination is the organisation's own management server, and scope the exclusion to that server address, the specific devices, and the task name involved. Parent-process names such as schtasks.exe or taskeng.exe are attacker-controllable and must not be the sole exclusion criterion.
Scenario: Security tool or SIEM integration using Remcos for data collection
Description: A security tool or SIEM agent is claimed to use Remcos to collect logs or system metrics from endpoints. Verify this with the vendor before excluding anything; mainstream collectors do not normally bundle a RAT, and a Remcos process spawned by a collector is itself worth investigating.
Filter/Exclusion: If confirmed, exclude by the collector's service account and the specific hosts it runs on, rather than by parent-process names such as splunkd.exe, logstash.exe, or elasticsearch.exe alone.
Scenario: System update or patching process using Remcos
Description: A system update or patching tool leverages Remcos to communicate with a central management server. The management server address must be known and owned by the organisation.
Filter/Exclusion: Exclude traffic to the confirmed management server address from the patching service account, optionally limited to scheduled update windows; do not rely on parent-process names such as wsusutil.exe, msiexec.exe, or patch.exe, which can be spoofed or abused.
Scenario: Admin using Remcos for remote troubleshooting
Description: An admin uses Remcos to remotely troubleshoot a user's machine, such as checking system performance or resolving connectivity issues.
Filter/Exclusion: Exclude sessions from known admin source IP ranges and named admin accounts to the organisation's own Remcos server. Membership in the Administrators group on its own is not a safe exclusion, since Remcos infections often run with local admin rights, and an mstsc.exe parent indicates an RDP session, not a Remcos session.
Scenario: False positive from a third-party tool with embedded Remcos components
Description: A third-party application or tool (e.g., a backup or monitoring tool) includes Remcos as part of its internal components for remote communication. Confirm with the vendor which endpoints the component contacts; none of them should be the addresses listed above.
Filter/Exclusion: Exclude processes with parent processes like backup.exe, monitor.exe, or third-party-tool.exe, or those running