The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by identifying known malicious indicators associated with this remote access trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Remcos for command and control.
IOC Summary
Malware Family: Remcos Total IOCs: 5 IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | oyine.duckdns.org | botnet_cc | 2026-06-21 | 75% |
| ip:port | 185[.]115[.]164[.]59:808 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 141[.]98[.]10[.]150:14641 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 103[.]11[.]41[.]10:431 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 103[.]11[.]41[.]10:51490 | botnet_cc | 2026-06-21 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["103.11.41.10", "185.115.164.59", "141.98.10.150"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["103.11.41.10", "185.115.164.59", "141.98.10.150"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["oyine.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: System update or patching process using Windows Update or Group Policy
Filter/Exclusion: Check for ProcessName containing wuauclt.exe or gupdate.exe, or filter by ParentProcessName matching known system services like svchost.exe or services.exe.
Scenario: Legitimate use of PowerShell for administrative tasks, such as user management or configuration changes
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for CommandLine arguments that include -Command or -File with known administrative scripts or modules.
Scenario: Scheduled job running Task Scheduler to perform routine maintenance or backups
Filter/Exclusion: Filter by ProcessName containing schtasks.exe or taskhost.exe, and check for ParentProcessName matching services.exe or task scheduler service.
Scenario: Use of Microsoft Endpoint Configuration Manager (MECM) or Intune for deploying software or configurations
Filter/Exclusion: Filter by ProcessName containing ccmexec.exe or msiexec.exe, and check for ParentProcessName related to MECM or Intune services.
Scenario: Legitimate use of Windows Defender or Microsoft Defender ATP for scanning or updating definitions
Filter/Exclusion: Filter by ProcessName containing MsMpEng.exe or mpsvc.exe, and check for CommandLine arguments related to scanning or updating definitions.