The ThreatFox: Remcos IOCs rule matches network connections to ip:port pairs that ThreatFox (abuse.ch) has reported as Remcos command-and-control servers. Remcos is a commercially sold remote access trojan that gives an operator remote control of the host, including keylogging, screen capture and file transfer; it is distributed mostly through phishing campaigns by financially motivated actors, and has also been used by some targeted intrusion groups. SOC teams should hunt for these connections in Microsoft Sentinel (formerly Azure Sentinel) to find implants beaconing to known C2 infrastructure. Because the rule keys on a confirmed C2 endpoint rather than on a precursor behaviour, a true-positive hit means the source host is already compromised and should be contained after triage.
IOC Summary

Malware Family: Remcos
Total IOCs: 9
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 2[.]26[.]75[.]242:7312 | botnet_cc | 2026-05-27 | 75% |
| ip:port | 192[.]52[.]242[.]39:1987 | botnet_cc | 2026-05-27 | 50% |
| ip:port | 5[.]101[.]82[.]8:48214 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 190[.]2[.]150[.]52:443 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 182[.]23[.]2[.]163:207 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 182[.]23[.]2[.]163:2487 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 182[.]23[.]2[.]163:2822 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 182[.]23[.]2[.]163:5600 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 124[.]198[.]132[.]98:2434 | botnet_cc | 2026-05-26 | 75% |
```kusto
// Hunt for network connections to known Remcos C2 ip:port pairs
// Source: ThreatFox - Remcos
// The IOCs are ip:port pairs. Matching the port as well as the IP avoids flagging
// unrelated traffic to shared hosting addresses (190.2.150.52 on ports other than 443,
// 182.23.2.163 on ports other than the four listed). Remcos beacons outbound, so only
// the destination side of the flow is checked.
let remcos_ips = dynamic(["190.2.150.52", "182.23.2.163", "124.198.132.98", "192.52.242.39", "2.26.75.242", "5.101.82.8"]);
let remcos_c2 = dynamic(["2.26.75.242:7312", "192.52.242.39:1987", "5.101.82.8:48214", "190.2.150.52:443",
    "182.23.2.163:207", "182.23.2.163:2487", "182.23.2.163:2822", "182.23.2.163:5600", "124.198.132.98:2434"]);
CommonSecurityLog
| where DestinationIP in (remcos_ips)                                         // cheap pre-filter on the IP column
| extend DestEndpoint = strcat(DestinationIP, ":", tostring(DestinationPort))
| where DestEndpoint in (remcos_c2)                                           // exact ip:port match against the IOC table
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events (DeviceNetworkEvents, ingested via the Microsoft Defender XDR connector)
// Same ip:port matching as above; the initiating process and its path are the first triage pivot.
let remcos_ips = dynamic(["190.2.150.52", "182.23.2.163", "124.198.132.98", "192.52.242.39", "2.26.75.242", "5.101.82.8"]);
let remcos_c2 = dynamic(["2.26.75.242:7312", "192.52.242.39:1987", "5.101.82.8:48214", "190.2.150.52:443",
    "182.23.2.163:207", "182.23.2.163:2487", "182.23.2.163:2822", "182.23.2.163:5600", "124.198.132.98:2434"]);
DeviceNetworkEvents
| where RemoteIP in (remcos_ips)
| extend RemoteEndpoint = strcat(RemoteIP, ":", tostring(RemotePort))
| where RemoteEndpoint in (remcos_c2)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) connector from firewalls and proxies; ensure the connector is enabled and that DestinationIP and DestinationPort are mapped |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector (Defender for Endpoint network telemetry); ensure the connector is enabled |
Scenario: Shared or reused infrastructure. An IOC address can be a hosting provider or reverse-proxy node that also serves unrelated traffic (190[.]2[.]150[.]52:443 is a standard HTTPS port on a hosting range, and 182[.]23[.]2[.]163 is listed on four different ports), so a hit on the IP alone is weak evidence.
Filter/Exclusion: Require the exact ip:port pair from the IOC table; keep IP-only hits as low-severity enrichment rather than alerts.
Example Filter: `| where strcat(RemoteIP, ":", tostring(RemotePort)) in (remcos_c2)`
Scenario: Security tooling that contacts IOC infrastructure by design. Malware detonation sandboxes, threat intelligence enrichment services, vulnerability scanners and proxy reputation lookups all connect to listed C2 addresses.
Filter/Exclusion: Exclude by device identity from an inventory-backed list (a Sentinel watchlist or a `let` list). Do not exclude on command-line or process-name strings such as "sandbox" or "test_env": an attacker controls those values, and an `OR` between two negative string tests matches every row.
Example Filter: `| where DeviceName !in ("sandbox-01", "ti-enrich-01")` (placeholder hostnames)
Scenario: Authorised red-team or purple-team exercise. Remcos is sold commercially and is sometimes used in adversary simulations or by IT support; the entries above are ThreatFox botnet_cc IOCs rather than an organisation's own licensed server, so traffic to them from a test host still needs confirmation with the engagement owner.
Filter/Exclusion: Suppress only for the documented engagement window and source hosts, and record the exception with the engagement reference.
Example Filter: `| where not(DeviceName in ("redteam-ws-01") and Timestamp between (datetime(2026-06-01) .. datetime(2026-06-05)))` (placeholder host and dates)
Scenario: Stale IOCs. C2 servers are short-lived; once taken down or reassigned, the address may belong to a legitimate tenant, and one entry above carries only 50% confidence.
Filter/Exclusion: Age out IOCs a fixed period after First Seen unless they are re-reported, and require a minimum confidence for automatic alerting; keep First Seen and Confidence alongside the ip:port pairs in a watchlist so the query can apply both.
Example Filter: after a lookup against the watchlist, `| where Confidence >= 75 and Timestamp <= FirstSeen + 90d`
Scenario: Blocked connection attempts. A firewall or proxy deny (DeviceAction of Deny, Block or Drop) means the C2 was not reached, but the attempt still indicates an implant on the source host.
Filter/Exclusion: Do not exclude these; lower the severity and still investigate the source host.
Example Filter: `| extend Severity = iff(DeviceAction in ("Deny", "Block", "Drop"), "Medium", "High")`
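The matching logic of the hunt queries and the tuning rules above, reproduced offline as an added Python example (not part of the ThreatFox page or of Microsoft Sentinel). It takes the nine IOCs from the table, emits the `let remcos_c2 = dynamic([...]);` line the queries use so the list cannot drift from the table, and runs ip:port matching plus the device-allowlist, IOC-age and confidence checks over constructed DeviceNetworkEvents-style rows. The device names, process names, allowlist and event rows are invented for illustration.

```python
"""Added example: replay the Remcos IOC matching and tuning rules over constructed events."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# The nine ThreatFox Remcos IOCs from the table above: (ip, port, first_seen, confidence).
REMCOS_IOCS = [
    ("2.26.75.242", 7312, date(2026, 5, 27), 75),
    ("192.52.242.39", 1987, date(2026, 5, 27), 50),
    ("5.101.82.8", 48214, date(2026, 5, 26), 75),
    ("190.2.150.52", 443, date(2026, 5, 26), 75),
    ("182.23.2.163", 207, date(2026, 5, 26), 75),
    ("182.23.2.163", 2487, date(2026, 5, 26), 75),
    ("182.23.2.163", 2822, date(2026, 5, 26), 75),
    ("182.23.2.163", 5600, date(2026, 5, 26), 75),
    ("124.198.132.98", 2434, date(2026, 5, 26), 75),
]

# Constructed, hypothetical allowlist: hosts that contact IOC infrastructure by design
# (detonation sandbox, TI enrichment). Keyed on device identity, never on command-line text.
EXCLUDED_DEVICES = {"sandbox-01", "ti-enrich-01"}


def refang(value: str) -> str:
    """Undo the [.] de-fanging used in the IOC table so values can be compared to log data."""
    return value.replace("[.]", ".")


def kql_dynamic_list(iocs=REMCOS_IOCS) -> str:
    """Render the ip:port pairs as the `let remcos_c2 = dynamic([...]);` line used by the hunt queries."""
    items = ", ".join(f'"{ip}:{port}"' for ip, port, _, _ in iocs)
    return f"let remcos_c2 = dynamic([{items}]);"


@dataclass(frozen=True)
class NetEvent:
    """Minimal shape of a DeviceNetworkEvents row (constructed sample data)."""
    timestamp: date
    device: str
    remote_ip: str
    remote_port: int
    process: str


@dataclass(frozen=True)
class Hit:
    device: str
    remote: str       # ip:port observed in the event
    disposition: str  # alert | ip_only | excluded_device | stale_ioc | low_confidence


def triage(events, iocs=REMCOS_IOCS, *, max_age_days: int = 90, min_confidence: int = 75) -> list[Hit]:
    """Match events against the IOC list the way the KQL hunt does, then apply the tuning rules."""
    by_ip: dict[str, list[tuple[int, date, int]]] = {}
    for ip, port, first_seen, confidence in iocs:
        by_ip.setdefault(ip, []).append((port, first_seen, confidence))

    hits: list[Hit] = []
    for ev in events:
        candidates = by_ip.get(ev.remote_ip)
        if not candidates:
            continue  # cheap IP pre-filter, as in `where RemoteIP in (remcos_ips)`
        remote = f"{ev.remote_ip}:{ev.remote_port}"
        exact = [c for c in candidates if c[0] == ev.remote_port]
        if not exact:
            # IP is listed but this port is not: likely shared hosting, keep as enrichment only
            hits.append(Hit(ev.device, remote, "ip_only"))
            continue
        _, first_seen, confidence = exact[0]
        if ev.device in EXCLUDED_DEVICES:
            disposition = "excluded_device"
        elif (ev.timestamp - first_seen).days > max_age_days:
            disposition = "stale_ioc"  # C2 probably gone or IP reassigned; re-verify before alerting
        elif confidence < min_confidence:
            disposition = "low_confidence"
        else:
            disposition = "alert"
        hits.append(Hit(ev.device, remote, disposition))
    return hits


# Constructed sample rows; none of these are real observations.
SAMPLE_EVENTS = [
    NetEvent(date(2026, 6, 2), "ws-17", "182.23.2.163", 2487, "remcos.exe"),      # exact ip:port hit
    NetEvent(date(2026, 6, 2), "ws-22", "190.2.150.52", 80, "msedge.exe"),        # IP listed, port not
    NetEvent(date(2026, 6, 1), "sandbox-01", "2.26.75.242", 7312, "sample.exe"),  # allowlisted device
    NetEvent(date(2026, 9, 30), "ws-05", "124.198.132.98", 2434, "svchost.exe"),  # 127 days after first seen
    NetEvent(date(2026, 6, 3), "ws-09", "192.52.242.39", 1987, "notepad.exe"),    # 50% confidence IOC
    NetEvent(date(2026, 6, 3), "srv-dns", "8.8.8.8", 53, "dns.exe"),              # no match
]

if __name__ == "__main__":
    print(kql_dynamic_list())
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit.disposition:16} {hit.device:12} -> {hit.remote}")
```

Running the block prints the generated `let` line followed by one disposition per matched event; only `ws-17` comes out as `alert` under the default 90-day age and 75% confidence thresholds, and lowering `min_confidence` to 50 promotes the `ws-09` hit as well.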