This detection identifies potential Remcos malware activity through its associated IOCs; a match indicates that an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early in the attack lifecycle.
IOC Summary
Malware Family: Remcos
Total IOCs: 2
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | newprocess28.duckdns.org | botnet_cc | 2026-04-23 | 75% |
| ip:port | 209[.]99[.]190[.]73:1995 | botnet_cc | 2026-04-23 | 100% |
Hunting Queries

```kql
// Hunt for network connections to known malicious IPs in firewall/proxy logs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["209.99.190.73"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["209.99.190.73"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["newprocess28.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam may include network traffic that matches Remcos IOCs due to similar communication patterns.
Filter/Exclusion: Check for process.name containing “Veeam” or “backup” and ensure the destination IP is a known internal backup server.

Scenario: Windows Update Task via Group Policy
Description: A Group Policy Object (GPO) may trigger a process that temporarily uses a network resource matching Remcos IOCs during Windows Update.
Filter/Exclusion: Filter by process.name containing “wuauclt” or “Windows Update” and verify the destination is a Microsoft update server.

Scenario: Remote Desktop Services (RDP) Session Initialization
Description: A legitimate RDP session may involve network traffic that coincides with Remcos IOCs due to similar outbound connections.
Filter/Exclusion: Check for process.name containing “mstsc” or “RDP” and validate the destination IP is a known internal or external RDP server.

Scenario: Log Management Tool Using Splunk Forwarder
Description: The Splunk Universal Forwarder may establish connections to a Splunk indexer that could be misidentified as Remcos IOCs.
Filter/Exclusion: Filter by process.name containing “splunkforwarder” and ensure the destination is a known Splunk indexer within the enterprise.

Scenario: Admin Task Using PowerShell for System Monitoring
Description: A PowerShell script run by an admin for system monitoring may use network resources that match Remcos IOCs.
Filter/Exclusion: Check for process.name containing “powershell” and verify the script path is within a known admin tools directory (e.g., `C:\Windows\System3
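The following query is an added example (not part of the original hunt pack) that applies the exclusion hints from the scenarios above to the Defender for Endpoint hunt, tagging rather than dropping the matching rows so an analyst can still confirm them. It assumes the DeviceNetworkEvents schema fields `RemoteUrl`, `InitiatingProcessFileName` and `InitiatingProcessFolderPath`, and `<ADMIN_TOOLS_DIR>` is a placeholder for the organization's admin tools directory.

```kql
// Added example: Remcos IOC hunt in DeviceNetworkEvents with the false-positive
// scenarios above applied as a review tag (BenignReason), not as a hard filter.
// Assumes the DeviceNetworkEvents fields RemoteUrl, InitiatingProcessFileName and
// InitiatingProcessFolderPath; <ADMIN_TOOLS_DIR> is a placeholder to be replaced.
let malicious_ips = dynamic(["209.99.190.73"]);
let malicious_domains = dynamic(["newprocess28.duckdns.org"]);
// Process-name substrings named in the scenarios above (page's "containing" wording)
let benign_process_regex = @"veeam|backup|wuauclt|mstsc|splunkforwarder";
// Placeholder: known admin tools directory from the last scenario
let admin_tools_dir = @"C:\<ADMIN_TOOLS_DIR>\";
DeviceNetworkEvents
| where RemoteIP in (malicious_ips) or RemoteUrl has_any (malicious_domains)
| extend proc = tolower(InitiatingProcessFileName),
         folder = tolower(InitiatingProcessFolderPath)
// Tag hits that match a scenario; an empty tag means no benign explanation applies
| extend BenignReason = case(
    proc matches regex benign_process_regex, strcat("scenario process: ", proc),
    proc == "powershell.exe" and folder startswith tolower(admin_tools_dir),
        "powershell from known admin tools directory",
    "")
// One row per device, destination and tag; untagged rows are triaged first
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
    Processes = make_set(InitiatingProcessFileName)
    by DeviceName, RemoteIP, RemotePort, BenignReason
| order by BenignReason asc, LastSeen desc
```

Because the IOCs are botnet C2 indicators, a tagged row is still a hit against a known-bad destination; the tag only records which scenario to verify before closing it.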