The detection identifies potential Remcos malware activity through known IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats before they cause significant damage.
IOC Summary
Malware Family: Remcos Total IOCs: 5 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 31[.]76[.]87[.]112:7716 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 5[.]230[.]69[.]118:8930 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 182[.]23[.]2[.]163:26972 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 172[.]245[.]195[.]233:14642 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 144[.]31[.]236[.]224:4509 | botnet_cc | 2026-06-14 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["182.23.2.163", "5.230.69.118", "31.76.87.112", "172.245.195.233", "144.31.236.224"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["182.23.2.163", "5.230.69.118", "31.76.87.112", "172.245.195.233", "144.31.236.224"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Backup Using Remcos
Description: A system administrator uses Remcos as part of a scheduled backup process to copy critical data to a secure location.
Filter/Exclusion: Exclude processes initiated by the system backup service (e.g., BackupService.exe) or scheduled tasks with names like DailySystemBackup.
Scenario: Remote Management Tool Using Remcos
Description: An IT admin uses Remcos as part of a remote management tool (e.g., Microsoft System Center) to monitor and manage remote endpoints.
Filter/Exclusion: Exclude processes associated with known remote management tools (e.g., SCOMAgent.exe, SCOMManagementPack) or network traffic from trusted management IPs.
Scenario: Scheduled Job for Log Collection
Description: A scheduled job runs Remcos to collect and forward system logs to a centralized log management system (e.g., Splunk, ELK).
Filter/Exclusion: Exclude processes with job names like LogCollectorJob or those running under a service account with restricted permissions (e.g., LogCollectorService).
Scenario: Software Deployment Using Remcos
Description: A deployment tool (e.g., Microsoft Endpoint Manager, SCCM) uses Remcos to push software updates to endpoints.
Filter/Exclusion: Exclude processes associated with deployment tools (e.g., MPStandalone.exe, CMSetup.exe) or those running under a deployment service account.
Scenario: User-Initiated File Transfer
Description: A user uses Remcos to transfer files between internal systems (e.g., for collaboration or data sharing).
Filter/Exclusion: Exclude processes initiated by user accounts with known legitimate file transfer tasks (e.g., FileTransferTool.exe) or those running during business hours with user context.