The ThreatFox: Remcos IOCs rule detects potential Remcos activity by matching network telemetry against command-and-control (C2) indicators published for this remote access trojan on abuse.ch's ThreatFox. Remcos is sold commercially as a remote administration tool but is widely abused by threat actors, typically delivered through phishing, so a connection to a reported C2 endpoint is the signal to act on. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to identify early-stage Remcos infections before they lead to data exfiltration or lateral movement.
IOC Summary

Malware Family: Remcos
Total IOCs: 9
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]180[.]82[.]239:2404 | botnet_cc | 2026-05-05 | 75% |
| ip:port | 5[.]101[.]86[.]97:6913 | botnet_cc | 2026-05-05 | 75% |
| ip:port | 5[.]101[.]82[.]99:6031 | botnet_cc | 2026-05-05 | 75% |
| ip:port | 5[.]101[.]86[.]11:2428 | botnet_cc | 2026-05-05 | 75% |
| ip:port | 5[.]101[.]82[.]227:9521 | botnet_cc | 2026-05-05 | 75% |
| ip:port | 46[.]151[.]182[.]33:9545 | botnet_cc | 2026-05-05 | 75% |
| ip:port | 135[.]136[.]148[.]120:2003 | botnet_cc | 2026-05-05 | 75% |
| ip:port | 130[.]49[.]214[.]74:62582 | botnet_cc | 2026-05-05 | 75% |
| ip:port | 209[.]99[.]187[.]44:2404 | botnet_cc | 2026-05-05 | 75% |
```kql
// Hunt for network connections to known malicious IPs in CEF firewall/proxy logs
// Source: ThreatFox - Remcos
// Note: this matches on the IP alone. The IOCs are ip:port pairs, so compare
// DestinationPort against the table above when triaging a hit, and treat a
// SourceIP match (inbound traffic from the C2 address) as lower priority than
// an outbound connection from an internal host.
let malicious_ips = dynamic(["5.101.86.97", "5.101.82.227", "5.101.86.11", "46.151.182.33", "209.99.187.44", "135.136.148.120", "5.101.82.99", "5.180.82.239", "130.49.214.74"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
// InitiatingProcessFileName tells you which process opened the connection;
// Remcos is commonly run via injection into a legitimate process, so an
// unexpected parent is not a reason to dismiss the hit.
let malicious_ips = dynamic(["5.101.86.97", "5.101.82.227", "5.101.86.11", "46.151.182.33", "209.99.187.44", "135.136.148.120", "5.101.82.99", "5.180.82.239", "130.49.214.74"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) via AMA data connector (or the legacy CEF/Syslog connector); ensure firewall and proxy logs are actually being forwarded |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; requires the endpoints to be onboarded to Defender for Endpoint |
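The two queries above match on the IP alone, which is noisy when a C2 address sits on shared hosting. The following query is an added example, not part of the original rule, that keys on the full ip:port pair from the table, excludes hosts that deliberately contact C2 infrastructure, and merges endpoint and perimeter hits into one triage view. The sandbox host names and the 30-day lookback are assumptions for illustration; replace them with your own inventory and retention.

```kql
// Added example: hunt on the full ip:port pair rather than the bare IP.
// The sandbox host names and the 30-day window are assumptions for illustration.
let lookback = 30d;
// ThreatFox Remcos botnet_cc entries from the IOC table (refanged).
let remcos_c2 = datatable(RemoteIP:string, RemotePort:int) [
    "5.180.82.239",    2404,
    "5.101.86.97",     6913,
    "5.101.82.99",     6031,
    "5.101.86.11",     2428,
    "5.101.82.227",    9521,
    "46.151.182.33",   9545,
    "135.136.148.120", 2003,
    "130.49.214.74",   62582,
    "209.99.187.44",   2404
];
// Hosts that intentionally touch C2 infrastructure (detonation sandbox,
// threat-intel validation box). Hypothetical names: use your own.
let known_sandboxes = dynamic(["sbx-detonate01", "ti-validate01"]);
// Endpoint telemetry from Defender for Endpoint: outbound connections only,
// carrying the originating process so a hit can be triaged immediately.
let endpoint_hits = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
    | where DeviceName !in (known_sandboxes)
    | join kind=inner remcos_c2 on RemoteIP, RemotePort
    | project Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
              RemoteIP, RemotePort, ActionType,
              Detail = strcat(InitiatingProcessFileName, " ", InitiatingProcessCommandLine);
// Perimeter telemetry arriving as CEF (firewall / proxy). Match the destination
// side only: an inbound scan from a C2 IP is noise compared with an outbound beacon.
let perimeter_hits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | extend RemoteIP = DestinationIP, RemotePort = toint(DestinationPort)
    | join kind=inner remcos_c2 on RemoteIP, RemotePort
    | project Timestamp = TimeGenerated, Source = "CommonSecurityLog", Host = SourceIP,
              RemoteIP, RemotePort, ActionType = DeviceAction,
              Detail = strcat(DeviceVendor, " ", DeviceProduct);
// One row per host and C2 endpoint, newest activity first.
union endpoint_hits, perimeter_hits
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Connections = count(), Details = make_set(Detail, 10)
          by Host, RemoteIP, RemotePort, Source
| order by LastSeen desc
```

A row here means an internal host reached the exact port the operator was using, which is a much stronger signal than an IP-only match. Keep the IP-only queries for breadth (an operator can move the listener to a new port), but escalate pair matches first.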
Scenario: Licensed Remcos used for remote administration
Description: Remcos is sold commercially as a remote administration tool, so an organization may have a legitimately licensed installation. The IOCs in this rule are not Remcos itself, however; they are C2 servers reported to ThreatFox as botnet_cc. A match means a host connected to reported attacker infrastructure, not merely that Remcos is present.
Filter/Exclusion: Exclude only if you can confirm the destination is your own licensed Remcos server. Do not exclude on process name or on "admin tool" parents such as schtasks.exe or PsExec: Remcos is routinely launched from scripts and scheduled tasks and commonly runs via injection into a legitimate process, so those are exactly the attributes an infection would show.
Scenario: Security tooling deliberately contacting the IOC
Description: A detonation sandbox, threat-intelligence validation host, or analyst workstation connects to the C2 address to confirm it is still live or to capture the payload.
Filter/Exclusion: Exclude by the specific source host or subnet of that tooling, keep the list short and periodically reviewed, and never exclude by process: the tooling is running the same malware the rule is looking for.
Scenario: IP reassigned or shared after the IOC was published
Description: C2 servers are frequently rented VPS or shared hosting. Once the operator is evicted, the address may be reassigned to an unrelated customer while the ThreatFox entry (75% confidence, first seen 2026-05-05) remains listed, and other tenants on a shared host may have nothing to do with Remcos.
Filter/Exclusion: Match on the full ip:port pair rather than the bare IP, check the indicator's age and current ThreatFox status before escalating, and retire entries that exceed your IOC aging policy.
Scenario: Inbound scanning from the IOC in perimeter logs
Description: The CommonSecurityLog query also matches SourceIP, so an inbound connection from the C2 address (for example a mass scan dropped by the firewall) produces a hit even though no internal host beaconed out.
Filter/Exclusion: Triage inbound, denied hits as low priority or restrict the query to DestinationIP; an outbound connection from an internal host is the signal that matters.