The detection identifies potential Remcos malware activity through known IOCs, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early in the attack lifecycle.
IOC Summary
Malware Family: Remcos Total IOCs: 4 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]92[.]1[.]175:5220 | botnet_cc | 2026-05-13 | 75% |
| ip:port | 203[.]202[.]232[.]22:3131 | botnet_cc | 2026-05-13 | 75% |
| ip:port | 103[.]83[.]87[.]8:1515 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 2[.]27[.]17[.]179:6644 | botnet_cc | 2026-05-12 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["103.83.87.8", "45.92.1.175", "203.202.232.22", "2.27.17.179"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["103.83.87.8", "45.92.1.175", "203.202.232.22", "2.27.17.179"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the Remcos IOCs (e.g., a PowerShell script used for system cleanup).
Filter/Exclusion: process.name != "schtasks.exe" OR process.parent.name != "task scheduler"
Scenario: Admin Tool for Remote Management
Description: An admin uses a tool like PsExec or WinRM to remotely execute a command that matches a Remcos IOC (e.g., a legitimate remote execution script).
Filter/Exclusion: process.name != "psexec.exe" OR process.name != "winrm.exe"
Scenario: Log Collection Tool with Base64 Encoding
Description: A log collection tool like LogParser or PowerShell uses base64 encoding in its logs, which may match a Remcos IOC pattern.
Filter/Exclusion: process.name != "logparser.exe" OR process.name != "powershell.exe" AND process.command_line contains "base64"
Scenario: Software Update or Patching Job
Description: A patching tool like WSUS or SCCM executes a script that includes a Remcos IOC (e.g., a script used for patch deployment).
Filter/Exclusion: process.name != "wsus.exe" OR process.name != "ccmexec.exe"
Scenario: Backup Script with Encrypted Data
Description: A backup script uses encryption or obfuscation techniques that resemble Remcos IOCs (e.g., encrypted credentials or base64 strings).
Filter/Exclusion: process.name != "backup.exe" OR process.command_line contains "encrypt" OR process.command_line contains "base64"