The hunt hypothesis detects potential Remcos malware activity through known IOCs associated with command and control communication, indicating an adversary may be exfiltrating data or maintaining persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Remcos Total IOCs: 4 IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 46[.]151[.]182[.]76:8080 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 138[.]9[.]254[.]121:8015 | botnet_cc | 2026-05-22 | 75% |
| domain | sls.in.net | botnet_cc | 2026-05-22 | 75% |
| ip:port | 193[.]29[.]13[.]23:5758 | botnet_cc | 2026-05-21 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["138.9.254.121", "46.151.182.76", "193.29.13.23"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["138.9.254.121", "46.151.182.76", "193.29.13.23"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["sls.in.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the Remcos IOCs (e.g., a PowerShell script used for system cleanup).
Filter/Exclusion: process.name != "schtasks.exe" or process.parent.name != "task scheduler"
Scenario: Admin Performing Remote Desktop Session
Description: An admin uses Remote Desktop to connect to a server and the connection tool matches a Remcos IOC (e.g., mstsc.exe or related network traffic).
Filter/Exclusion: process.name != "mstsc.exe" or user.account != "admin_account"
Scenario: Antivirus Scan Using ClamAV
Description: A ClamAV antivirus scan triggers a false positive due to a signature overlap with Remcos IOCs.
Filter/Exclusion: process.name != "clamscan.exe" or process.parent.name != "clamav"
Scenario: Log Management Tool Using Filebeat
Description: Filebeat, a log shipping tool, is configured to ship logs to Elasticsearch and matches a Remcos IOC in its configuration or logs.
Filter/Exclusion: process.name != "filebeat" or process.parent.name != "elasticsearch"
Scenario: Database Backup Job Using SQL Server Agent
Description: A SQL Server Agent job runs a backup script that includes a file or command line argument matching a Remcos IOC.
Filter/Exclusion: process.name != "sqlservr.exe" or process.parent.name != "sqlagent"