The ThreatFox: Remcos IOCs rule detects potential adversary activity associated with the Remcos remote access trojan, which is commonly used for long-term persistence and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) campaigns that leverage Remcos for unauthorized access and lateral movement.
IOC Summary
Malware Family: Remcos
Total IOCs: 13
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]101[.]86[.]23:8455 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 46[.]161[.]0[.]48:2428 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 217[.]60[.]195[.]194:14648 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 192[.]236[.]217[.]70:24047 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 192[.]236[.]217[.]70:24048 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 107[.]173[.]9[.]99:14648 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 103[.]11[.]41[.]10:7408 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 103[.]11[.]41[.]19:126 | botnet_cc | 2026-06-22 | 75% |
| domain | ruffyayeaye.ddns.net | botnet_cc | 2026-06-22 | 100% |
| domain | animal342.duckdns.org | botnet_cc | 2026-06-22 | 75% |
| domain | animal342bk.duckdns.org | botnet_cc | 2026-06-22 | 75% |
| ip:port | 185[.]38[.]142[.]229:8787 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 83[.]142[.]209[.]250:2404 | botnet_cc | 2026-06-22 | 75% |
```kql
// Hunt for network connections to known malicious IPs (firewall / CEF sources)
// Source: ThreatFox - Remcos
// Note: ThreatFox publishes ip:port pairs; matching on the IP alone is broader
// than the indicator. Add a DestinationPort check if the extra hits are noisy.
let malicious_ips = dynamic(["217.60.195.194", "103.11.41.19", "107.173.9.99", "5.101.86.23", "46.161.0.48", "103.11.41.10", "83.142.209.250", "185.38.142.229", "192.236.217.70"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["217.60.195.194", "103.11.41.19", "107.173.9.99", "5.101.86.23", "46.161.0.48", "103.11.41.10", "83.142.209.250", "185.38.142.229", "192.236.217.70"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
// has_any also matches subdomains of the listed names (e.g. a host under animal342.duckdns.org)
let malicious_domains = dynamic(["ruffyayeaye.ddns.net", "animal342.duckdns.org", "animal342bk.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
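To turn the defanged IOC table above into the lists the hunting queries consume, and to show the difference between matching on the IP alone (what the queries do) and on the ip:port pair ThreatFox actually publishes, here is an added Python example. It is not code from this page, from ThreatFox or from the Remcos rule; the table rows, connection records and DNS names it uses are constructed from the IOCs above, and all function names are ours.

```python
"""Added example, not part of the ThreatFox page or the Remcos rule itself:
parse the defanged IOC table above, refang the indicators, split ip:port
pairs, render the KQL `let` lists used by the hunting queries, and match
constructed connection records and DNS names against the indicators.
All sample rows and records below are constructed for this example."""
from dataclasses import dataclass
from typing import Optional

# Constructed: five rows copied from the IOC table above, same markdown layout.
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]101[.]86[.]23:8455 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 192[.]236[.]217[.]70:24047 | botnet_cc | 2026-06-22 | 75% |
| ip:port | 192[.]236[.]217[.]70:24048 | botnet_cc | 2026-06-22 | 75% |
| domain | ruffyayeaye.ddns.net | botnet_cc | 2026-06-22 | 100% |
| domain | animal342.duckdns.org | botnet_cc | 2026-06-22 | 75% |
"""


@dataclass(frozen=True)
class Indicator:
    kind: str             # "ip:port" or "domain"
    value: str            # refanged IP or domain
    port: Optional[int]   # set only for ip:port indicators
    confidence: int       # ThreatFox confidence, 0-100


def refang(value: str) -> str:
    """Undo the common defanging styles: 1[.]2[.]3[.]4, example(.)com, hxxp://."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_ioc_table(text: str) -> list:
    """Parse markdown rows of the form | type | value | threat | first seen | confidence |."""
    indicators = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row, the |---| separator row and anything malformed.
        if len(cells) != 5 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue
        kind, raw, _threat, _first_seen, conf = cells
        value, port = refang(raw), None
        if kind == "ip:port":
            value, port_str = value.rsplit(":", 1)
            port = int(port_str)
        indicators.append(Indicator(kind, value, port, int(conf.rstrip("%"))))
    return indicators


def ip_values(indicators) -> list:
    """Distinct IPs, as the page's queries use them (port dropped, duplicates merged)."""
    return sorted({i.value for i in indicators if i.kind == "ip:port"})


def domain_values(indicators) -> list:
    return sorted({i.value for i in indicators if i.kind == "domain"})


def kql_let(name: str, values) -> str:
    """Render a KQL `let` statement holding a dynamic array of string literals."""
    return "let %s = dynamic([%s]);" % (name, ", ".join('"%s"' % v for v in values))


def match_ip_only(remote_ip: str, indicators) -> bool:
    """What the CommonSecurityLog / DeviceNetworkEvents queries above test."""
    return remote_ip in ip_values(indicators)


def match_ip_port(remote_ip: str, remote_port: int, indicators) -> bool:
    """Stricter: the ThreatFox IOCs are ip:port pairs, so require both to match."""
    return any(i.kind == "ip:port" and i.value == remote_ip and i.port == remote_port
               for i in indicators)


def match_domain(query_name: str, indicators) -> bool:
    """True if the queried name is an indicator or a subdomain of one (like has_any)."""
    name = query_name.lower().rstrip(".")
    return any(i.kind == "domain" and (name == i.value or name.endswith("." + i.value))
               for i in indicators)


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    print(kql_let("malicious_ips", ip_values(iocs)))
    print(kql_let("malicious_domains", domain_values(iocs)))
    # Constructed records: (remote_ip, remote_port) as DeviceNetworkEvents would show them.
    for ip, port in [("5.101.86.23", 8455), ("5.101.86.23", 443), ("8.8.8.8", 53)]:
        print(ip, port, "ip-only:", match_ip_only(ip, iocs),
              "ip:port:", match_ip_port(ip, port, iocs))
    print("api.animal342.duckdns.org", match_domain("api.animal342.duckdns.org", iocs))
```

Running the script prints the two `let` lines ready to paste into the queries above, then shows that a connection to `5.101.86.23` on port 443 is flagged by the IP-only check but not by the ip:port check; which of the two you want depends on whether you are hunting broadly or triaging a specific C2 listener.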
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Software Update via Chocolatey
Description: A system administrator uses Chocolatey to install a legitimate software update that coincidentally matches one of the Remcos IOCs.
Filter/Exclusion: Check the Process-Name field for choco or chocolatey.exe, and filter by Process-User for known admin accounts.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task runs a legitimate maintenance script (e.g., PsExec or Task Scheduler) that uses a command or file path matching a Remcos IOC.
Filter/Exclusion: Filter by Process-Name for schtasks.exe or taskhost.exe, and check for Command-Line containing valid maintenance commands.
Scenario: Admin-Initiated Remote Execution
Description: An administrator uses PsExec to remotely execute a script or tool that is flagged by the Remcos detection rule.
Filter/Exclusion: Filter by Process-Name for psexec.exe, and check the User-Principal-Name field for known admin accounts.
Scenario: Log Collection via Filebeat or Fluentd
Description: A log aggregation tool like Filebeat or Fluentd is configured to collect logs from a system that includes a file or path matching a Remcos IOC.
Filter/Exclusion: Filter by Process-Name for filebeat or fluentd, and check the File-Path for known log directories.
Scenario: Antivirus or EDR Tool Scanning
Description: An endpoint protection tool (e.g., CrowdStrike, SentinelOne) performs a scan and generates IOCs that match the Remcos rule.
Filter/Exclusion: Filter by Process-Name for the EDR