The detection identifies potential Remcos malware activity through known IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats before they cause significant damage.
IOC Summary
Malware Family: Remcos
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 138[.]9[.]223[.]13:8015 | botnet_cc | 2026-05-09 | 75% |
| ip:port | 138[.]9[.]41[.]254:8015 | botnet_cc | 2026-05-09 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
// The addresses are the refanged values from the IOC table above; both indicators use port 8015.
let malicious_ips = dynamic(["138.9.41.254", "138.9.223.13"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same refanged addresses as above; RemotePort is projected so hits on 8015 can be separated from other traffic to the address.
let malicious_ips = dynamic(["138.9.41.254", "138.9.223.13"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
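As an added illustration (not part of this page or of the ThreatFox feed), the following Python refangs the ip:port indicators from the table above and runs them over a few constructed DeviceNetworkEvents-style records, comparing the IP-only match the queries use with a stricter ip:port match; the sample events and device names are made up.

```python
import re

# Defanged ip:port IOCs copied from the table above (ThreatFox, Remcos family).
DEFANGED_IOCS = ["138[.]9[.]223[.]13:8015", "138[.]9[.]41[.]254:8015"]

def refang(ioc: str) -> tuple[str, int]:
    """Turn a defanged '1[.]2[.]3[.]4:port' string into ('1.2.3.4', port)."""
    ip, _, port = ioc.replace("[.]", ".").partition(":")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip) or not port.isdigit():
        raise ValueError(f"malformed ip:port IOC: {ioc!r}")
    return ip, int(port)

IOC_PAIRS = {refang(i) for i in DEFANGED_IOCS}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}

# Constructed DeviceNetworkEvents-style records; not real telemetry.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-09T10:01:00Z", "DeviceName": "ws01",
     "RemoteIP": "138.9.223.13", "RemotePort": 8015,
     "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-05-09T10:02:00Z", "DeviceName": "ws02",
     "RemoteIP": "138.9.41.254", "RemotePort": 443,
     "InitiatingProcessFileName": "msedge.exe"},
    {"Timestamp": "2026-05-09T10:03:00Z", "DeviceName": "ws03",
     "RemoteIP": "10.0.0.5", "RemotePort": 8015,
     "InitiatingProcessFileName": "backup.exe"},
]

def hunt(events, match_port=True):
    """Return the events that hit an IOC.

    match_port=False reproduces the IP-only logic of the KQL above.
    match_port=True also requires the port, which is what an ip:port
    indicator actually asserts; it drops unrelated traffic to the same
    address (shared hosting, re-used IPs) at the cost of missing a C2
    that has moved to another port.
    """
    hits = []
    for ev in events:
        key = (ev["RemoteIP"], int(ev["RemotePort"]))
        if (key in IOC_PAIRS) if match_port else (key[0] in IOC_IPS):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"],
              ev["InitiatingProcessFileName"])
```

Run both modes during triage: an IP-only hit that the ip:port mode does not confirm is worth a look at the process and port before it is escalated.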
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using Remcos
Description: A backup tool like Veeam or Commvault may use Remcos for remote management or data transfer.
Filter/Exclusion: Exclude processes initiated by scheduled tasks with known backup tool names or paths (e.g., C:\Program Files\Veeam\Backup\*).
Scenario: Admin using Remcos for remote system management
Description: System administrators may use Remcos for remote control tasks, such as remote desktop sessions or PowerShell remoting.
Filter/Exclusion: Exclude processes launched from known admin tools or with user rights (e.g., runas or psexec commands).
Scenario: Legitimate software update or patching process
Description: A patching tool like Microsoft Update or WSUS might use Remcos for remote execution of updates.
Filter/Exclusion: Exclude processes associated with known patching tools or update services (e.g., C:\Windows\System32\wuauclt.exe).
Scenario: Remote PowerShell execution via Remcos
Description: IT teams may use PowerShell remoting or WinRM to execute commands on remote systems, which could be logged as Remcos activity.
Filter/Exclusion: Exclude processes with powershell.exe or winrm in the command line, especially when initiated by known IT management tools.
Scenario: Legitimate endpoint monitoring tool using Remcos
Description: Tools like Splunk Enterprise Security or Microsoft Defender for Endpoint may use Remcos for telemetry or remote monitoring.
Filter/Exclusion: Exclude processes with known monitoring tool signatures or paths (e.g., C:\Program Files\Splunk\* or `