The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by matching network connections against known malicious indicators (command-and-control IP:port pairs) associated with this remote access trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration and persistent access.
IOC Summary
Malware Family: Remcos
Total IOCs: 11
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 69[.]164[.]245[.]165:8930 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 31[.]76[.]32[.]201:1377 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 31[.]76[.]32[.]230:1499 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 182[.]23[.]2[.]163:59678 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 172[.]245[.]195[.]233:14641 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 31[.]76[.]32[.]161:9405 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 198[.]23[.]177[.]222:14641 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 182[.]23[.]2[.]163:7649 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 172[.]245[.]195[.]233:14648 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 107[.]172[.]44[.]141:45699 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 101[.]99[.]92[.]220:8264 | botnet_cc | 2026-06-12 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
// Note: the IOCs are ip:port pairs; this query matches on the IP alone, so any port to these hosts is returned
let malicious_ips = dynamic(["101.99.92.220", "69.164.245.165", "31.76.32.230", "198.23.177.222", "31.76.32.161", "107.172.44.141", "182.23.2.163", "31.76.32.201", "172.245.195.233"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["101.99.92.220", "69.164.245.165", "31.76.32.230", "198.23.177.222", "31.76.32.161", "107.172.44.141", "182.23.2.163", "31.76.32.201", "172.245.195.233"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
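As an added example (not part of the original rule page), the following Python helper refangs the ip:port indicators above, matches them against connection records on the full IP:port pair rather than the IP alone, and emits both the dynamic list used by the queries and a port-aware datatable. The IOC subset and the sample events are constructed for illustration.

```python
import ipaddress
from typing import Iterable

# Constructed subset of the ip:port IOCs in ThreatFox's defanged form.
DEFANGED_IOCS = [
    "69[.]164[.]245[.]165:8930",
    "31[.]76[.]32[.]201:1377",
    "182[.]23[.]2[.]163:59678",
    "182[.]23[.]2[.]163:7649",
]

# Constructed sample records, roughly in the DeviceNetworkEvents shape.
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "RemoteIP": "182.23.2.163", "RemotePort": 59678, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws-02", "RemoteIP": "182.23.2.163", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws-03", "RemoteIP": "8.8.8.8", "RemotePort": 53, "InitiatingProcessFileName": "dns.exe"},
]

def refang(ioc: str) -> tuple[str, int]:
    """Turn '1[.]2[.]3[.]4:8930' into ('1.2.3.4', 8930), validating the address."""
    host, _, port = ioc.replace("[.]", ".").rpartition(":")
    ip = ipaddress.ip_address(host)  # raises ValueError on a malformed indicator
    return str(ip), int(port)

def load_iocs(defanged: Iterable[str]) -> set[tuple[str, int]]:
    return {refang(i) for i in defanged}

def match_events(events, iocs):
    """Return events whose (RemoteIP, RemotePort) pair is a listed C2 endpoint.
    Matching the pair keeps same-host traffic on other ports (ws-02 above) out of the hits."""
    return [e for e in events if (e["RemoteIP"], e["RemotePort"]) in iocs]

def to_kql_list(iocs) -> str:
    """Emit the dynamic([...]) literal of unique IPs, as used by the queries on this page."""
    ips = sorted({ip for ip, _ in iocs}, key=ipaddress.ip_address)
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"

def to_kql_pairs(iocs) -> str:
    """Emit a KQL datatable so a join can require both RemoteIP and RemotePort to match."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(iocs))
    return "let remcos_c2 = datatable(RemoteIP:string, RemotePort:int) [\n" + rows + "\n];"

if __name__ == "__main__":
    iocs = load_iocs(DEFANGED_IOCS)
    for hit in match_events(SAMPLE_EVENTS, iocs):
        print(f"HIT {hit['DeviceName']} -> {hit['RemoteIP']}:{hit['RemotePort']} via {hit['InitiatingProcessFileName']}")
    print(to_kql_list(iocs))
    print(to_kql_pairs(iocs))
```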
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Remote Management Tool Usage
Description: An admin is using Remcos (a legitimate remote management tool) to remotely manage endpoints.
Filter/Exclusion: Exclude processes initiated by known admin accounts (e.g., Administrator, root) or processes that match the signature of the legitimate Remcos tool.
Scenario: Scheduled System Maintenance Job
Description: A scheduled job runs a script that includes a tool with similar IOCs to Remcos, such as PowerShell remoting or PsExec.
Filter/Exclusion: Exclude processes that match the execution context of scheduled tasks (e.g., schtasks.exe, Task Scheduler), or filter by command-line arguments that indicate legitimate maintenance.
Scenario: Software Deployment via Group Policy
Description: A system administrator deploys a legitimate application using Group Policy that includes a file or registry key matching Remcos IOCs.
Filter/Exclusion: Exclude processes initiated by gpupdate.exe or Group Policy Client services, and filter by file paths common to enterprise software deployment.
Scenario: Log Collection via SIEM Tools
Description: A SIEM tool like Splunk or ELK Stack is configured to collect logs from remote systems, and the collection process uses a tool with similar IOCs.
Filter/Exclusion: Exclude processes associated with SIEM tools (e.g., splunkd.exe, logstash.exe) or filter by network traffic patterns typical of log collection.
Scenario: Antivirus Quarantine Process
Description: An antivirus tool, such as Kaspersky or Bitdefender, quarantines a file that matches Remcos IOCs during a scan.
Filter/Exclusion: Exclude processes associated with antivirus tools (e.g