This hunt hypothesis looks for potential Remcos malware activity using known IOCs for its command-and-control communication; a match indicates an adversary may be exfiltrating data or maintaining persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary

Malware Family: Remcos
Total IOCs: 7
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 80[.]253[.]249[.]67:2404 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 182[.]23[.]2[.]163:17001 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 138[.]9[.]118[.]222:8015 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 172[.]111[.]169[.]79:9702 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 196[.]251[.]107[.]114:24033 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 2[.]26[.]75[.]239:1971 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 192[.]177[.]111[.]89:7788 | botnet_cc | 2026-06-06 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
// Note: the IOC table lists ip:port pairs; this query matches on IP only, so check DestinationPort against the table when triaging hits
let malicious_ips = dynamic(["138.9.118.222", "80.253.249.67", "182.23.2.163", "2.26.75.239", "172.111.169.79", "196.251.107.114", "192.177.111.89"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["138.9.118.222", "80.253.249.67", "182.23.2.163", "2.26.75.239", "172.111.169.79", "196.251.107.114", "192.177.111.89"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
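The queries above match on IP address alone, although the IOC table publishes ip:port pairs; a listed IP may also host unrelated services, so matching the full pair is the tighter check during triage. The following is an added example written for this page, not code from the hunt page, ThreatFox or Microsoft Sentinel: it refangs the table's indicators, validates them, renders the KQL `dynamic([...])` list the queries use, and evaluates constructed rows shaped like `DeviceNetworkEvents` both ways (IP-only, as the page's query does, and ip:port) so the difference in hit count is visible. The device names, process names and timestamps are constructed sample data.

```python
"""Refang the page's Remcos ip:port IOCs and match them against sample network rows.

Added example for this hunt page; the sample events below are constructed, not real telemetry.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Indicators copied from the page's IOC table in their published (defanged) form.
REMCOS_IOCS = [
    "80[.]253[.]249[.]67:2404",
    "182[.]23[.]2[.]163:17001",
    "138[.]9[.]118[.]222:8015",
    "172[.]111[.]169[.]79:9702",
    "196[.]251[.]107[.]114:24033",
    "2[.]26[.]75[.]239:1971",
    "192[.]177[.]111[.]89:7788",
]


def refang(ioc: str) -> str:
    """Undo the [.] defanging used in the IOC table."""
    return ioc.replace("[.]", ".")


def parse_ip_port(ioc: str) -> Tuple[str, int]:
    """Split a refanged ip:port indicator into (ip, port), validating both halves."""
    host, sep, port = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"no port in indicator: {ioc}")
    ipaddress.ip_address(host)  # raises on malformed or still-defanged input
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {ioc}")
    return host, port_num


IOC_PAIRS: Set[Tuple[str, int]] = {parse_ip_port(i) for i in REMCOS_IOCS}
IOC_IPS: Set[str] = {ip for ip, _ in IOC_PAIRS}


def to_kql_dynamic(values: Iterable[str]) -> str:
    """Render a KQL dynamic([...]) literal, e.g. for the page's `let malicious_ips` line."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


# Constructed rows shaped like DeviceNetworkEvents columns (assumed column names match the query).
SAMPLE_EVENTS: List[Dict] = [
    {"Timestamp": "2026-06-07T10:02:11Z", "DeviceName": "ws-finance-07",
     "RemoteIP": "172.111.169.79", "RemotePort": 9702, "InitiatingProcessFileName": "updater.exe"},
    # Same listed IP but an unrelated port: IP-only matching flags this too.
    {"Timestamp": "2026-06-07T10:05:40Z", "DeviceName": "ws-finance-07",
     "RemoteIP": "172.111.169.79", "RemotePort": 443, "InitiatingProcessFileName": "msedge.exe"},
    # Port coincides with a listed indicator but the IP is internal: never a hit.
    {"Timestamp": "2026-06-07T11:13:02Z", "DeviceName": "srv-build-01",
     "RemoteIP": "10.20.30.40", "RemotePort": 2404, "InitiatingProcessFileName": "agent.exe"},
    {"Timestamp": "2026-06-06T22:48:19Z", "DeviceName": "lt-sales-12",
     "RemoteIP": "2.26.75.239", "RemotePort": 1971, "InitiatingProcessFileName": "svchost.exe"},
]


def match_events(events: Iterable[Dict], require_port: bool = True) -> List[Dict]:
    """Return the rows that hit the IOC list.

    require_port=True matches the full (ip, port) pair from the table; False reproduces
    the page's IP-only query and also flags unrelated traffic to a listed IP.
    """
    hits = []
    for ev in events:
        ip, port = ev["RemoteIP"], int(ev["RemotePort"])
        matched = (ip, port) in IOC_PAIRS if require_port else ip in IOC_IPS
        if matched:
            hits.append({**ev, "ioc": f"{ip}:{port}", "match": "ip:port" if require_port else "ip"})
    return hits


if __name__ == "__main__":
    print(to_kql_dynamic(IOC_IPS))
    for hit in match_events(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], hit["ioc"], hit["InitiatingProcessFileName"])
```

Against the sample rows, IP-only matching returns three hits while ip:port matching returns two; the extra hit is ordinary HTTPS traffic to a listed IP. The same narrowing in KQL is a comparison of `strcat(RemoteIP, ":", RemotePort)` against a `dynamic` list of the refanged `ip:port` strings, which `to_kql_dynamic` can render from `REMCOS_IOCS` directly.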
False Positive Scenarios

Scenario: Legitimate system backup using Remcos
Description: A system administrator is using Remcos as part of a scheduled backup process to transfer data to a secure location.
Filter/Exclusion: Exclude processes initiated by the backup service account or those matching the backup job name (e.g., BackupJob-System).

Scenario: Scheduled task for log collection using Remcos
Description: An IT team uses Remcos to collect and aggregate logs from multiple servers into a centralized log management system.
Filter/Exclusion: Exclude processes associated with the log collection service or those running under the log management service account (e.g., LogCollectorSvc).

Scenario: Admin task to deploy software using Remcos
Description: An admin uses Remcos to distribute a legitimate software update to multiple endpoints across the network.
Filter/Exclusion: Exclude processes initiated by the patch management tool (e.g., PatchManager.exe) or those matching the deployment task name (e.g., UpdateDeployment-2024).

Scenario: Remote desktop session using Remcos
Description: A user is using Remcos to establish a remote desktop connection to a server for administrative tasks.
Filter/Exclusion: Exclude processes initiated by the Remote Desktop Services (e.g., mstsc.exe) or those running under the user account with remote access privileges.

Scenario: Network monitoring tool using Remcos for data transfer
Description: A network monitoring tool uses Remcos to transfer telemetry data to a centralized monitoring platform.
Filter/Exclusion: Exclude processes associated with the monitoring tool (e.g., NetMonitor.exe) or those matching the telemetry transfer job name (e.g., TelemetryTransfer-Net).