The detection identifies potential Remcos malware activity through known IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early in the attack lifecycle.
IOC Summary
Malware Family: Remcos
Total IOCs: 2
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]245[.]4[.]229:2404 | botnet_cc | 2026-04-20 | 75% |
| domain | somethingtapangelcominginourlifeforbless.duckdns.org | botnet_cc | 2026-04-20 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["172.245.4.229"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["172.245.4.229"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["somethingtapangelcominginourlifeforbless.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
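The three hunts above match on IP or domain alone, although the ThreatFox record is an ip:port pair (172.245.4.229:2404). The following consolidated DeviceNetworkEvents query is an added example, not part of the original page: it distinguishes an exact ip:port hit from IP-only traffic, also catches the DuckDNS domain via RemoteUrl, and groups results by device and initiating process so an analyst can see what beaconed. The 30-day window is an assumed value; the column names are those of the Defender for Endpoint schema.

```kql
// Added example (not from the original page): consolidated Remcos C2 hunt
// over DeviceNetworkEvents that honours the full ip:port IOC.
let c2_ip = "172.245.4.229";
let c2_port = 2404;
let c2_domain = "somethingtapangelcominginourlifeforbless.duckdns.org";
DeviceNetworkEvents
| where Timestamp > ago(30d)                     // assumed lookback window
| where RemoteIP == c2_ip or RemoteUrl has c2_domain
// Rank the match: exact ip:port is the strongest signal, IP-only may be
// unrelated traffic to a shared host and deserves a closer look first.
| extend MatchType = case(
        RemoteIP == c2_ip and RemotePort == c2_port, "ip:port (exact IOC)",
        RemoteUrl has c2_domain, "domain",
        "ip only (port differs)")
// One row per device/process/match type with the ports and outcomes observed,
// so the initiating binary and its hash are available for triage.
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Connections = count(),
            Ports = make_set(RemotePort), Actions = make_set(ActionType)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath,
       InitiatingProcessSHA256, MatchType
| order by LastSeen desc
```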
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe to perform system maintenance or updates may trigger the rule if it includes a file or command that matches Remcos IOCs.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or files signed by Microsoft or known enterprise tools such as DISM.exe or wuauclt.exe.
Scenario: Admin Tool Execution
Description: An administrator may use tools like PsExec or PSTools to remotely execute commands or deploy scripts, which could inadvertently match Remcos IOCs.
Filter/Exclusion: Exclude processes launched by PsExec or PSTools and filter out commands that are known to be part of standard administrative workflows.
Scenario: Log Collection or Monitoring Tool
Description: A legitimate log collection tool such as Splunk, ELK Stack, or Graylog may include binaries or scripts that match Remcos IOCs during normal operation.
Filter/Exclusion: Exclude processes associated with log management tools and filter out files that are part of the tool’s known binaries or configuration files.
Scenario: Software Deployment via Group Policy
Description: A Group Policy Object (GPO) deployment that includes a script or executable may trigger the rule if the file matches Remcos IOCs.
Filter/Exclusion: Exclude processes initiated by gpupdate.exe or gpresult.exe, and filter out files that are part of standard software deployment packages.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate endpoint protection tool such as Microsoft Defender, Kaspersky, or Bitdefender may include components that match Remcos IOCs during a scan or update.
Filter/Exclusion: