The detection identifies potential Remcos malware activity through known IOCs, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: Remcos Total IOCs: 2 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]101[.]81[.]81:9323 | botnet_cc | 2026-05-07 | 75% |
| ip:port | 203[.]159[.]90[.]139:2404 | botnet_cc | 2026-05-07 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["5.101.81.81", "203.159.90.139"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["5.101.81.81", "203.159.90.139"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the Remcos IOC due to similar file names or paths.
Filter/Exclusion: process.parent_process_name != "Task Scheduler" or file.path != "C:\\Windows\\Tasks\\*"
Scenario: Admin Tool Execution
Description: An administrator uses a legitimate tool like PsExec or WMIC to remotely execute a script that matches the Remcos IOC.
Filter/Exclusion: process.name != "PsExec.exe" or process.name != "WMIC.exe"
Scenario: Log File Analysis
Description: A security tool like LogParser or ELK Stack is used to analyze logs, and the log file path matches a Remcos IOC.
Filter/Exclusion: file.path != "C:\\ProgramData\\*" or file.path != "C:\\Logs\\*"
Scenario: Software Update Job
Description: A Windows Update or third-party patching tool (e.g., Microsoft Update, Patch Manager) executes a script that matches the Remcos IOC.
Filter/Exclusion: process.name != "wusa.exe" or process.name != "patchmgr.exe"
Scenario: Backup Tool Execution
Description: A backup tool like Veeam, Acronis, or Commvault runs a script that has a file name or path matching the Remcos IOC.
Filter/Exclusion: process.name != "VeeamBackup.exe" or process.name != "AcronisTrueImage.exe"