The detection identifies potential Remcos malware activity through known IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats before they cause significant damage.
IOC Summary
Malware Family: Remcos Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 2[.]26[.]75[.]239:1971 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 192[.]177[.]111[.]89:7788 | botnet_cc | 2026-06-06 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["2.26.75.239", "192.177.111.89"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["2.26.75.239", "192.177.111.89"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: System Update or Patching Tool Execution
Description: A legitimate system update tool (e.g., Microsoft Update, Windows Server Update Services) may execute scripts or binaries that match Remcos IOCs during a patching process.
Filter/Exclusion: Check the process name and command line for known update tools (e.g., wusa.exe, msiexec.exe) and exclude any execution related to patching or system updates.
Scenario: Scheduled Job for Log Collection or Monitoring
Description: A scheduled job (e.g., using Task Scheduler or cron) might run a script that uses tools like logparser.exe or wbemtest.exe, which could be flagged as Remcos IOCs.
Filter/Exclusion: Exclude processes associated with log collection tools or monitoring utilities (e.g., logparser.exe, wbemtest.exe) and filter by scheduled job names or paths in the Windows Task Scheduler.
Scenario: Admin Task Involving PowerShell or CMD Execution
Description: An administrator might run a PowerShell or CMD script that uses tools like certutil.exe or reg.exe, which could be mistakenly identified as Remcos IOCs.
Filter/Exclusion: Exclude processes initiated by administrators using powershell.exe or cmd.exe with known administrative tasks (e.g., certificate management, registry edits).
Scenario: Antivirus or EDR Tool Scanning Activity
Description: Antivirus or EDR tools (e.g., CrowdStrike, Bitdefender) may execute binaries like mpengine.exe or falcon.exe that could be flagged as Remcos IOCs during a scan.
Filter/Exclusion: Exclude processes associated with known security tools (e.g., mpengine.exe, falcon.exe, bitdefender.exe) and filter by process parent or