The detection identifies potential Remcos malware activity through known IOCs, indicating an adversary may be establishing persistence and exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: Remcos
Total IOCs: 2
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | c2.u888ny.com | botnet_cc | 2026-05-21 | 75% |
| ip:port | 140[.]235[.]17[.]40:9958 | botnet_cc | 2026-05-20 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["140.235.17.40"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["140.235.17.40"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["c2.u888ny.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
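The IOC table above is defanged (`140[.]235[.]17[.]40:9958`), while the hunting queries need raw values and, as written, match on the IP alone regardless of port. The following Python script is an added example, not part of the original page or the ThreatFox feed: it refangs the table rows, emits the `let` list literals the queries open with, and classifies log records so that an exact ip:port hit is separated from an IP-only hit and a DNS name match. The log records are constructed for illustration in the shape of CommonSecurityLog and DnsEvents rows; the domain check uses exact or subdomain-suffix matching rather than the substring behaviour of `has_any`.

```python
"""Refang the page's IOC table, emit the KQL list literals the hunting queries
use, and classify log records by how strongly they match.

Added example; not part of the original page. All log records below are
constructed for illustration."""
import json
import re

# IOC rows copied from the table above (the ip:port value is defanged there).
PAGE_IOCS = [
    ("domain", "c2.u888ny.com"),
    ("ip:port", "140[.]235[.]17[.]40:9958"),
]

# Constructed sample records in the shape of CommonSecurityLog / DnsEvents rows.
SAMPLE_RECORDS = [
    {"DestinationIP": "140.235.17.40", "DestinationPort": 9958},  # exact ip:port hit
    {"DestinationIP": "140.235.17.40", "DestinationPort": 443},   # IP hit, other port
    {"Name": "c2.u888ny.com"},                                      # DNS query for the C2 domain
    {"Name": "update.example.org"},                                 # benign lookup
    {"DestinationIP": "10.0.0.5", "DestinationPort": 9958},        # port alone is not an IOC
]

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]")


def refang(value: str) -> str:
    """Undo common defanging so the value can be compared with raw log fields."""
    return _DEFANG.sub(".", value).replace("hxxp", "http")


def split_ip_port(value: str):
    """'1.2.3.4:9958' -> ('1.2.3.4', 9958); a bare IP returns port None."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    return host, int(port)


def build_indicators(rows):
    """Turn (type, value) rows into lookup structures: ips, per-ip ports, domains."""
    ind = {"ips": set(), "ports": {}, "domains": set()}
    for kind, raw in rows:
        clean = refang(raw.strip())
        if kind == "ip:port":
            ip, port = split_ip_port(clean)
            ind["ips"].add(ip)
            ind["ports"].setdefault(ip, set()).add(port)
        elif kind == "ip":
            ind["ips"].add(clean)
        elif kind == "domain":
            ind["domains"].add(clean.lower().rstrip("."))
    return ind


def render_kql_lets(ind):
    """Emit the let statements that open each hunting query on this page."""
    lines = [
        "let malicious_ips = dynamic(%s);" % json.dumps(sorted(ind["ips"])),
        "let malicious_domains = dynamic(%s);" % json.dumps(sorted(ind["domains"])),
    ]
    return "\n".join(lines)


def classify(record, ind):
    """Return 'ip_port_match', 'ip_only_match', 'domain_match' or None."""
    ip = record.get("DestinationIP") or record.get("RemoteIP")
    port = record.get("DestinationPort", record.get("RemotePort"))
    if ip in ind["ips"]:
        # The feed lists a port with the IP; an exact pair is the stronger signal.
        if port in ind["ports"].get(ip, set()):
            return "ip_port_match"
        return "ip_only_match"
    name = (record.get("Name") or "").lower().rstrip(".")
    for dom in ind["domains"]:
        if name == dom or name.endswith("." + dom):
            return "domain_match"
    return None


def hunt(records, ind):
    """Return (index, verdict) for every record that matches an indicator."""
    hits = []
    for i, rec in enumerate(records):
        verdict = classify(rec, ind)
        if verdict:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    indicators = build_indicators(PAGE_IOCS)
    print(render_kql_lets(indicators))
    for idx, verdict in hunt(SAMPLE_RECORDS, indicators):
        print(idx, verdict, SAMPLE_RECORDS[idx])
```

Running the script prints the two `let` lines ready to paste into the queries above, followed by the three matching sample records; the IP-only hit on port 443 is reported separately so an analyst can weigh it against the 75% confidence of the feed entry.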
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the Remcos IOC pattern due to similar file names or paths.
Filter/Exclusion: Exclude files with the Task Scheduler or Microsoft in the file path, or filter by process.name containing schtasks.exe or taskhost.exe.
Scenario: Admin Tool for Remote Management
Description: An administrator uses a legitimate remote management tool (e.g., PsExec, WinRM, or Remote Desktop Services) whose command-line arguments or network connections may resemble those of Remcos.
Filter/Exclusion: Exclude processes with PsExec, msrdp, or winrm in the command line, or filter by process.name containing psexec.exe, winrm.exe, or mstsc.exe.
Scenario: Software Update or Patch Deployment
Description: A legitimate software update or patch deployment (e.g., using Group Policy, SCCM, or Chocolatey) may include files or scripts that match Remcos IOCs.
Filter/Exclusion: Exclude files with update, patch, or chocolatey in the file name, or filter by process.name containing gpupdate.exe, ccmexec.exe, or choco.exe.
Scenario: Log File Analysis or Forensic Tool Usage
Description: A security analyst uses a forensic tool (e.g., LogParser, Procmon, or Wireshark) that may generate log entries or network traffic resembling Remcos IOCs.
Filter/Exclusion: Exclude processes with logparser.exe, procmon.exe, or wireshark.exe in the process name, or filter by user field containing security analyst or