The detection identifies potential Remcos malware activity through known IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early.
IOC Summary
Malware Family: Remcos Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 95[.]211[.]165[.]137:2404 | botnet_cc | 2026-04-21 | 75% |
| ip:port | 69[.]67[.]172[.]210:33605 | botnet_cc | 2026-04-20 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["69.67.172.210", "95.211.165.137"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["69.67.172.210", "95.211.165.137"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the Remcos IOC due to similar command-line syntax.
Filter/Exclusion: process.name != "schtasks.exe" or process.parent.name != "task scheduler"
Scenario: Admin Using PowerShell for Remote Management
Description: An administrator uses PowerShell to remotely manage a system, and the command-line arguments resemble Remcos IOC patterns.
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "winrm.exe"
Scenario: Legitimate Software Deployment via SCCM
Description: A software deployment via System Center Configuration Manager (SCCM) includes a package that matches Remcos IOCs due to similar file names or paths.
Filter/Exclusion: process.name != "cmstp.exe" or process.parent.name != "ccmexec.exe"
Scenario: User Running a Legitimate Malware Analysis Tool
Description: A security analyst runs a legitimate malware analysis tool (e.g., Cuckoo Sandbox) that has a file or command-line argument matching Remcos IOCs.
Filter/Exclusion: process.name != "cuckoo.exe" or process.parent.name != "sandboxd.exe"
Scenario: Backup Job Using Robocopy with Similar Command-Line Arguments
Description: A backup job using robocopy has command-line arguments that resemble Remcos IOC patterns due to similar syntax.
Filter/Exclusion: process.name != "robocopy.exe" or process.parent.name != "schtasks.exe"