The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by matching network telemetry against known command-and-control indicators associated with this remote access trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Remcos for command and control.
IOC Summary
Malware Family: Remcos
Total IOCs: 7
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 217[.]60[.]195[.]176:2404 | botnet_cc | 2026-06-20 | 75% |
| ip:port | 2[.]27[.]5[.]37:8912 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 2[.]27[.]5[.]42:6448 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 155[.]103[.]71[.]115:14646 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 141[.]98[.]10[.]150:14646 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 107[.]172[.]238[.]13:14646 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 173[.]231[.]188[.]244:14641 | botnet_cc | 2026-06-19 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["2.27.5.42", "141.98.10.150", "2.27.5.37", "217.60.195.176", "173.231.188.244", "155.103.71.115", "107.172.238.13"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["2.27.5.42", "141.98.10.150", "2.27.5.37", "217.60.195.176", "173.231.188.244", "155.103.71.115", "107.172.238.13"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
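The IOC type above is ip:port, yet both hunting queries match on the IP alone, so any connection to one of those addresses on any port fires. The query below is an added example, not part of the original rule: it carries the port, first-seen date and confidence from the IOC table into a datatable, normalises the two Sentinel tables to one shape, and matches only the exact ip:port pair; it assumes the standard Sentinel schema for CommonSecurityLog and DeviceNetworkEvents.

```kql
// Added example: port-aware Remcos C2 hunt across firewall and endpoint telemetry.
// Values are the seven ThreatFox indicators listed in the IOC summary above.
let remcos_c2 = datatable(RemoteIP:string, RemotePort:int, FirstSeen:datetime, Confidence:int) [
    "217.60.195.176",  2404,  datetime(2026-06-20), 75,
    "2.27.5.37",       8912,  datetime(2026-06-19), 75,
    "2.27.5.42",       6448,  datetime(2026-06-19), 75,
    "155.103.71.115",  14646, datetime(2026-06-19), 75,
    "141.98.10.150",   14646, datetime(2026-06-19), 75,
    "107.172.238.13",  14646, datetime(2026-06-19), 75,
    "173.231.188.244", 14641, datetime(2026-06-19), 75
];
// Cheap IP-only prefilter; the exact ip:port match happens in the join below.
let ioc_ips = toscalar(remcos_c2 | summarize make_set(RemoteIP));
// Firewall / proxy telemetry (CEF): an outbound beacon has the C2 as destination.
let cef = CommonSecurityLog
    | where DestinationIP in (ioc_ips)
    | project Timestamp = TimeGenerated, Host = DeviceName, RemoteIP = DestinationIP,
              RemotePort = DestinationPort, Process = "", Source = "CommonSecurityLog";
// Endpoint telemetry (Defender for Endpoint) also names the initiating process.
let mde = DeviceNetworkEvents
    | where RemoteIP in (ioc_ips)
    | project Timestamp, Host = DeviceName, RemoteIP, RemotePort,
              Process = InitiatingProcessFileName, Source = "DeviceNetworkEvents";
union cef, mde
// Keep only connections whose IP and port both appear in the indicator set.
| join kind=inner remcos_c2 on RemoteIP, RemotePort
| summarize FirstConnection = min(Timestamp), LastConnection = max(Timestamp),
            Connections = count(), Processes = make_set(Process), Sources = make_set(Source)
    by Host, RemoteIP, RemotePort, Confidence, FirstSeen
| order by LastConnection desc
```

Only outbound connections are covered; an inbound connection from a listed address would carry the indicator in SourceIP and SourcePort instead. The Processes column is empty for firewall-only hits, so a host that appears in both sources is the quickest place to start triage.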
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the Remcos IOCs (e.g., a PowerShell script used for system cleanup).
Filter/Exclusion: `process.parent_process_name == "Task Scheduler" or process.command_line contains "schtasks.exe"`

Scenario: Admin Tool Usage
Description: An administrator is using a legitimate tool like PsExec or PSTools to remotely execute a script that matches a Remcos IOC.
Filter/Exclusion: `process.name == "PsExec.exe" or process.parent_process_name contains "explorer.exe"`

Scenario: Log Management Tool Execution
Description: A log management tool like Splunk or ELK Stack is executing a script that includes a Remcos IOC due to a misconfigured rule or template.
Filter/Exclusion: `process.name contains "splunkd.exe" or process.name contains "logstash"`

Scenario: Software Update or Patching Job
Description: A patching tool like Microsoft Update or WSUS is executing a script that matches a Remcos IOC due to a false positive in the update package.
Filter/Exclusion: `process.name contains "wuauclt.exe" or process.name contains "wuauserv"`

Scenario: Custom Script for Data Exfiltration (Legitimate Use Case)
Description: A custom script written by an internal security team for data exfiltration testing (e.g., using curl or Invoke-WebRequest) may resemble Remcos IOCs.
Filter/Exclusion: `process.user contains "securityteam" or process.command_line contains "test-exfil"`