The ThreatFox: Remcos IOCs rule hunts for network connections to command-and-control servers that ThreatFox has published for the Remcos remote access trojan. Remcos is a commercially sold RAT that is widely abused in phishing-delivered campaigns; once installed it gives the operator interactive control of the host, including keylogging, credential and file theft, screen capture and persistence across reboots. Every indicator below is of type botnet_cc, so a connection from an internal host to one of these ip:port pairs points to an implant beaconing out, not to an intrusion attempt against the perimeter. SOC teams should hunt for these connections in Azure Sentinel (now Microsoft Sentinel), treat an outbound hit as a compromised host to contain, and then scope for the initial access vector and any follow-on activity from that host.
IOC Summary
Malware Family: Remcos
Total IOCs: 9 (6 unique IP addresses; 182[.]23[.]2[.]163 is listed on four ports)
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 182[.]23[.]2[.]163:4048 | botnet_cc | 2026-06-11 | 75% |
| ip:port | 182[.]23[.]2[.]163:4814 | botnet_cc | 2026-06-11 | 75% |
| ip:port | 182[.]23[.]2[.]163:1230 | botnet_cc | 2026-06-11 | 75% |
| ip:port | 64[.]89[.]160[.]198:8080 | botnet_cc | 2026-06-11 | 75% |
| ip:port | 64[.]89[.]162[.]178:5902 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 191[.]107[.]87[.]183:5471 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 182[.]23[.]2[.]163:9800 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 159[.]69[.]59[.]93:4550 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 130[.]94[.]95[.]135:2404 | botnet_cc | 2026-06-10 | 75% |
// Hunt for network connections to known Remcos C2 addresses
// Source: ThreatFox - Remcos. The feed lists ip:port pairs; this query matches on the
// IP only (the 9 pairs collapse to 6 addresses) and projects DestinationPort so a hit
// can be compared against the port listed for that address in the IOC table.
let malicious_ips = dynamic(["64.89.162.178", "64.89.160.198", "191.107.87.183", "159.69.59.93", "182.23.2.163", "130.94.95.135"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
// Hunt in Defender for Endpoint network events. The initiating process, its command line
// and its parent are what separate a Remcos beacon from a benign connection to a reused address.
let malicious_ips = dynamic(["64.89.162.178", "64.89.160.198", "191.107.87.183", "159.69.59.93", "182.23.2.163", "130.94.95.135"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, ActionType
| order by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) via AMA data connector; confirm the firewall or proxy is forwarding CEF and that the connector is enabled |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector with Defender for Endpoint events enabled; requires the Defender for Endpoint sensor on the hosts |
Scenario: Shared or reassigned IP address
Description: These indicators are bare IP addresses published at 75% confidence. A server can host unrelated tenants on one address, and an address is often reassigned once the C2 is taken down, so a connection to the IP on a port that is not in the feed may have nothing to do with Remcos.
Filter/Exclusion: Treat a hit as confirmed only when the destination port matches the port listed for that address in the IOC table; compare the event time with the First Seen date and check current hosting of the address (for example via passive DNS) before suppressing, and never suppress on user context alone.
Scenario: Inbound scanning from the C2 address
Description: The CommonSecurityLog query matches SourceIP as well as DestinationIP, so inbound connection attempts from a listed address (mass scanning, or the operator probing exposed services) appear alongside real beacons. A blocked inbound attempt says nothing about whether the target host is infected.
Filter/Exclusion: Triage hits where the listed address is the SourceIP and DeviceAction is deny or block at low priority; escalate connections initiated by an internal host towards the address whether or not the firewall allowed them, because the attempt itself indicates an implant trying to call home.
Scenario: Licensed Remcos in the environment
Description: Remcos is sold by Breaking Security as a remote administration tool, so an organization may have bought and deployed it. A licensed agent beacons to the organization's own server, not to addresses on this list, so this hunt does not fire on sanctioned use and a licence does not explain a hit.
Filter/Exclusion: None is needed for this rule. In particular, do not exclude events because the binary is named remcos.exe, because the parent is schtasks.exe or the Task Scheduler, or because the user is SYSTEM or an administrator: a loader that installs Remcos for persistence runs under exactly those conditions.
Scenario: Proxy or NAT device between the client and the firewall
Description: Where egress passes through a forward proxy or a NAT boundary, CommonSecurityLog records the proxy or gateway as SourceIP, so the device that appears to be infected is not the one running the implant.
Filter/Exclusion: Do not exclude the proxy address; pivot to the proxy's own logs for the originating client, or use the DeviceNetworkEvents query, where RemoteIP together with InitiatingProcessFileName identifies the process on the actual endpoint.
Scenario: Security tooling that deliberately contacts the indicator
Description: A malware sandbox, a threat-intelligence enrichment job or an analyst validating the feed may resolve or connect to a listed address from an analysis VM, producing a hit that is expected rather than an infection.
Filter/Exclusion: Exclude processes where the parent process is a known