The detection identifies potential Remcos malware activity through known IOCs, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: Remcos Total IOCs: 4 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 85[.]17[.]192[.]61:2404 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 155[.]103[.]71[.]135:56789 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 91[.]92[.]41[.]94:2404 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 199[.]91[.]220[.]199:3156 | botnet_cc | 2026-05-28 | 50% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["85.17.192.61", "91.92.41.94", "155.103.71.135", "199.91.220.199"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["85.17.192.61", "91.92.41.94", "155.103.71.135", "199.91.220.199"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the Remcos IOC due to similar file names or paths.
Filter/Exclusion: process.name != "schtasks.exe" or process.parent.name != "task scheduler"
Scenario: Admin Performing Disk Cleanup
Description: An administrator uses a tool like DISM or Disk Cleanup that temporarily matches a Remcos IOC due to similar command-line arguments.
Filter/Exclusion: process.name != "dism.exe" or process.name != "cleanmgr.exe"
Scenario: Legitimate Software Installation
Description: A legitimate software package (e.g., 7-Zip, WinRAR, or VLC) is installed, and its installation script or temporary files match a Remcos IOC.
Filter/Exclusion: process.name != "7z.exe" or process.name != "vlc.exe"
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script used for system monitoring or log analysis (e.g., PowerShell.exe) runs a command that matches a Remcos IOC.
Filter/Exclusion: process.name != "powershell.exe" or script.name != "SystemMonitoring.ps1"
Scenario: Antivirus Quarantine Operation
Description: An antivirus tool (e.g., Malwarebytes, Bitdefender) quarantines a file that matches a Remcos IOC due to false positive detection.
Filter/Exclusion: process.name != "mbam.exe" or process.name != "bdtray.exe"