The detection identifies potential Remcos malware activity through known IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats before they cause significant damage.
IOC Summary
Malware Family: Remcos Total IOCs: 4 IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | 1sun.duckdns.org | botnet_cc | 2026-06-02 | 75% |
| ip:port | 182[.]23[.]2[.]163:9060 | botnet_cc | 2026-06-02 | 75% |
| ip:port | 102[.]220[.]160[.]121:2404 | botnet_cc | 2026-06-02 | 75% |
| ip:port | 182[.]23[.]2[.]163:11166 | botnet_cc | 2026-06-01 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["102.220.160.121", "182.23.2.163"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["102.220.160.121", "182.23.2.163"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["1sun.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the Remcos IOCs (e.g., a PowerShell script used for system cleanup).
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.name == "schtasks.exe"
Scenario: Admin Tool for Remote Management
Description: An administrator uses a tool like PsExec or Remote Desktop Services to execute a command that matches a Remcos IOC.
Filter/Exclusion: process.name == "psexec.exe" or process.name == "rdpclip.exe"
Scenario: Log Collection Agent
Description: A log collection tool like Splunk Universal Forwarder or ELK Stack is configured to execute a script that matches a Remcos IOC.
Filter/Exclusion: process.name == "splunkforwarder.exe" or process.name == "logstash.exe"
Scenario: Software Update Job
Description: A Windows Update or third-party patching tool (e.g., Microsoft Endpoint Manager, Altiris, or WSUS) executes a script that matches a Remcos IOC.
Filter/Exclusion: process.name == "wuauclt.exe" or process.name == "msiexec.exe"
Scenario: Backup Script Execution
Description: A backup script (e.g., using Veeam, Acronis, or VSS) runs a command that matches a Remcos IOC.
Filter/Exclusion: process.name == "veeam.exe" or process.name == "vssadmin.exe"