The ThreatFox: Remcos IOCs rule surfaces network activity associated with the Remcos remote access trojan, a commercially sold RAT that is widely abused in phishing campaigns for persistent remote access, keylogging, credential theft and data exfiltration. SOC teams should run these hunts in Microsoft Sentinel (formerly Azure Sentinel) to identify hosts beaconing to Remcos command-and-control infrastructure and contain them before that access is used for lateral movement.
IOC Summary
Malware Family: Remcos
Total IOCs: 9
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 141[.]98[.]10[.]162:2404 | botnet_cc | 2026-03-19 | 100% |
| ip:port | 107[.]189[.]23[.]49:2404 | botnet_cc | 2026-03-19 | 100% |
| ip:port | 172[.]111[.]232[.]233:8201 | botnet_cc | 2026-03-19 | 100% |
| domain | www.crysaltimedubai[.]com | botnet_cc | 2026-03-18 | 100% |
| domain | www.crysaltimedubaibackup1[.]com | botnet_cc | 2026-03-18 | 100% |
| domain | www.crysaltimedubaibackup2[.]com | botnet_cc | 2026-03-18 | 100% |
| ip:port | 45[.]74[.]48[.]103:3421 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 147[.]45[.]179[.]125:34610 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 45[.]59[.]163[.]56:4550 | botnet_cc | 2026-03-18 | 100% |
```kql
// Hunt for network connections to known Remcos C2 addresses (CommonSecurityLog is fed by the CEF connector: firewalls, proxies)
// Source: ThreatFox - Remcos
// ThreatFox publishes these as ip:port pairs: the IP-only match keeps recall if the port changes, ExactPairMatch flags the exact listed pair
let malicious_ips = dynamic(["107.189.23.49", "45.59.163.56", "147.45.179.125", "172.111.232.233", "45.74.48.103", "141.98.10.162"]);
let malicious_pairs = dynamic(["141.98.10.162:2404", "107.189.23.49:2404", "172.111.232.233:8201", "45.74.48.103:3421", "147.45.179.125:34610", "45.59.163.56:4550"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// A SourceIP hit is inbound traffic from the C2 host (scanning, replies), not a beacon from an internal host
| extend Direction = iff(SourceIP in (malicious_ips), "inbound", "outbound")
| extend ExactPairMatch = strcat(DestinationIP, ":", DestinationPort) in (malicious_pairs)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity, Direction, ExactPairMatch
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events (DeviceNetworkEvents arrives via the Microsoft Defender XDR connector)
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["107.189.23.49", "45.59.163.56", "147.45.179.125", "172.111.232.233", "45.74.48.103", "141.98.10.162"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// The initiating process and account are the pivot for triage: Remcos beacons come from the implant process, often a renamed or injected binary
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known Remcos C2 domains (DnsEvents is fed by the DNS connector on Windows DNS servers)
// Source: ThreatFox - Remcos
// has_any matches the listed names as terms, so subdomains of them are caught as well
let malicious_domains = dynamic(["www.crysaltimedubai.com", "www.crysaltimedubaibackup1.com", "www.crysaltimedubaibackup2.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) connector; ensure firewalls and proxies forward CEF |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; endpoints must be onboarded to Defender for Endpoint |
| DnsEvents | Populated by the DNS connector on Windows DNS servers; if that connector is not deployed, RemoteUrl in DeviceNetworkEvents is an alternative source for the domain hunt |
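As an added example (not code from the original rule or from ThreatFox), the following Python reimplements the matching logic of the three hunts above so it can be run offline and reasoned about: it refangs the IOC table, splits it into exact ip:port pairs, bare IPs and domains, ages out indicators older than an assumed 90 days, and classifies constructed sample events the way the KQL does, distinguishing an exact C2 pair from an IP-only hit and from inbound traffic originating at the C2 address. It also renders the sets as the `dynamic([...])` literals the queries expect. The sample events, the reference date and the age-out threshold are constructed assumptions.

```python
"""Offline reimplementation of the IOC matching in the hunts above.

Added example; not code from the original rule or from ThreatFox. The IOC
rows are the page's table as published (still defanged); the sample events,
the reference date and the 90-day age-out are constructed assumptions.
"""
from datetime import date

# IOC rows from the table above: (type, value, first_seen). Values are kept
# defanged exactly as published so the refang step is exercised.
THREATFOX_REMCOS_IOCS = [
    ("ip:port", "141[.]98[.]10[.]162:2404", "2026-03-19"),
    ("ip:port", "107[.]189[.]23[.]49:2404", "2026-03-19"),
    ("ip:port", "172[.]111[.]232[.]233:8201", "2026-03-19"),
    ("domain", "www.crysaltimedubai.com", "2026-03-18"),
    ("domain", "www.crysaltimedubaibackup1.com", "2026-03-18"),
    ("domain", "www.crysaltimedubaibackup2.com", "2026-03-18"),
    ("ip:port", "45[.]74[.]48[.]103:3421", "2026-03-18"),
    ("ip:port", "147[.]45[.]179[.]125:34610", "2026-03-18"),
    ("ip:port", "45[.]59[.]163[.]56:4550", "2026-03-18"),
]


def refang(value: str) -> str:
    """Undo the [.] defanging used in the table so values compare with raw log fields."""
    return value.replace("[.]", ".")


def build_match_sets(iocs, today_iso, max_age_days=90):
    """Return (pairs, ips, domains) from IOC rows, dropping rows whose first_seen
    is older than max_age_days (assumed age-out: C2 addresses get reassigned)."""
    today = date.fromisoformat(today_iso)
    pairs, ips, domains = set(), set(), set()
    for ioc_type, value, first_seen in iocs:
        if (today - date.fromisoformat(first_seen)).days > max_age_days:
            continue
        value = refang(value)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            pairs.add((ip, int(port)))
            ips.add(ip)
        elif ioc_type == "domain":
            domains.add(value.lower())
    return pairs, ips, domains


def classify_event(event, pairs, ips, domains):
    """Mirror the three KQL hunts on one event dict.

    'c2_pair'         exact ip:port ThreatFox listed
    'ip_only'         same IP on another port (weaker: shared hosting / reassigned address)
    'inbound_from_c2' the IOC IP is the source (the C2 host contacted us, not a beacon)
    'domain'          DNS query for a listed name or a subdomain of it
    'none'            no match
    """
    dst, dport = event.get("DestinationIP"), event.get("DestinationPort")
    if dst in ips:
        return "c2_pair" if (dst, dport) in pairs else "ip_only"
    if event.get("SourceIP") in ips:
        return "inbound_from_c2"
    name = (event.get("QueryName") or "").lower().rstrip(".")
    if name and (name in domains or any(name.endswith("." + d) for d in domains)):
        return "domain"
    return "none"


def kql_dynamic(values):
    """Render a set of strings as the KQL dynamic([...]) literal the hunts use."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


# Constructed sample events (CommonSecurityLog- and DnsEvents-shaped), not real telemetry.
SAMPLE_EVENTS = [
    {"SourceIP": "10.0.0.12", "DestinationIP": "141.98.10.162", "DestinationPort": 2404},
    {"SourceIP": "10.0.0.12", "DestinationIP": "141.98.10.162", "DestinationPort": 443},
    {"SourceIP": "45.59.163.56", "DestinationIP": "203.0.113.5", "DestinationPort": 22},
    {"Computer": "ws01", "QueryName": "www.crysaltimedubaibackup1.com."},
    {"SourceIP": "10.0.0.13", "DestinationIP": "8.8.8.8", "DestinationPort": 53},
]


def hunt(events, today_iso="2026-04-01", max_age_days=90):
    """Classify every event against the age-filtered IOC sets; returns one verdict per event."""
    pairs, ips, domains = build_match_sets(THREATFOX_REMCOS_IOCS, today_iso, max_age_days)
    return [classify_event(e, pairs, ips, domains) for e in events]


if __name__ == "__main__":
    pairs, ips, domains = build_match_sets(THREATFOX_REMCOS_IOCS, "2026-04-01")
    print("let malicious_ips =", kql_dynamic(ips) + ";")
    print("let malicious_domains =", kql_dynamic(domains) + ";")
    for event, verdict in zip(SAMPLE_EVENTS, hunt(SAMPLE_EVENTS)):
        print(f"{verdict:16} {event}")
```

Run with a later reference date (for example `hunt(SAMPLE_EVENTS, today_iso="2026-08-01")`) and every verdict becomes `none`, which is the behaviour you want from a ThreatFox feed whose C2 addresses are short-lived; in Sentinel the equivalent is a watchlist or ingestion job that drops indicators past their last-seen window instead of a hard-coded list.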
The three hunts above match on network indicators only, so tuning is about who generated the traffic, not about any process that "uses Remcos": Remcos is a commercially sold RAT and no legitimate scheduler, SIEM agent, patching tool or remote-management product depends on it. Realistic false-positive and triage scenarios for IOC matches are the following.
Scenario: Analyst or Sandbox Lookups of the IOCs
Description: SOC analysts, a detonation sandbox or an enrichment tool will resolve these domains and probe these IPs while triaging this very rule, producing matches from hosts that are not infected.
Filter/Exclusion: `| where Computer !in (analyst_hosts)` in the DnsEvents hunt, or `| where SourceIP !in (sandbox_ranges)` in the CommonSecurityLog hunt, where `analyst_hosts` and `sandbox_ranges` are lists you maintain (for example as a Sentinel watchlist).
Scenario: Inbound Traffic From the C2 Address
Description: A hit on `SourceIP in (malicious_ips)` at an internet-facing firewall means the C2 host contacted you (scanning, or replies to a connection an internal host opened), not by itself that an internal host beaconed out; the Remcos implant initiates the C2 connection outbound.
Filter/Exclusion: Keep the match but triage it separately: `| extend Direction = iff(SourceIP in (malicious_ips), "inbound", "outbound")` and prioritise `outbound` hits; pair an inbound hit with the corresponding outbound flow before escalating.
Scenario: Shared Hosting or Reassigned IP Address
Description: A C2 IP may host unrelated services or be reallocated after the campaign ends, so traffic to it on a port other than the listed one is weaker evidence than traffic to the exact ip:port pair.
Filter/Exclusion: Compare `strcat(DestinationIP, ":", DestinationPort)` against the ip:port list and lower the severity of IP-only matches; retire indicators ThreatFox has not seen for a set window (90 days is an assumed starting value) rather than keeping them hard-coded.
Scenario: URL Scanning and Link Protection Services
Description: Mail gateways, proxies and link-protection services pre-resolve or detonate URLs from inbound messages, so a mail-security appliance may resolve or connect to a C2 domain on behalf of a phishing email that was delivered or quarantined.
Filter/Exclusion: `| where Computer !in (url_scanner_hosts)` or `| where SourceIP !in (mail_gateway_ips)` with lists you maintain; treat these hits as a signal that a Remcos lure reached your mail flow and check whether any user host shows the same domain.
Scenario: Blocked Connection Attempts
Description: A `DeviceAction` of deny or block in the CommonSecurityLog hunt is not a false positive: the internal host still tried to reach the C2 address, which indicates an active implant even though the beacon failed.
Filter/Exclusion: Do not exclude on `DeviceAction`; use it to set containment priority, for example `| summarize Attempts = count(), Actions = make_set(DeviceAction) by SourceIP, DestinationIP, DestinationPort`.