The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by identifying known indicators associated with this remote access Trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration and persistent access.
IOC Summary
Malware Family: Remcos
Total IOCs: 10
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 182[.]23[.]2[.]163:49002 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 155[.]103[.]70[.]198:13408 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 23[.]95[.]117[.]252:3001 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 209[.]54[.]102[.]152:3001 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 102[.]220[.]160[.]66:2404 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 209[.]54[.]101[.]187:2404 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 64[.]89[.]160[.]69:8080 | botnet_cc | 2026-06-04 | 75% |
| domain | surveillance[.]1qq.cam | botnet_cc | 2026-06-04 | 75% |
| ip:port | 64[.]89[.]160[.]67:9090 | botnet_cc | 2026-06-04 | 75% |
| domain | jempp912.duckdns.org | botnet_cc | 2026-06-04 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["102.220.160.66", "209.54.101.187", "182.23.2.163", "64.89.160.67", "64.89.160.69", "23.95.117.252", "209.54.102.152", "155.103.70.198"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["102.220.160.66", "209.54.101.187", "182.23.2.163", "64.89.160.67", "64.89.160.69", "23.95.117.252", "209.54.102.152", "155.103.70.198"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["surveillance.1qq.cam", "jempp912.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
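The queries above match on IP alone and drop the port that ThreatFox publishes with each `ip:port` IOC. The following added example (not part of the original rule) refangs the defanged table values and generates a port-aware variant of the DeviceNetworkEvents hunt using a KQL `datatable` join, so a C2 indicator on port 8080 does not flag every connection to the same host; the IOC values are copied from the table above, the sample events are constructed, and the function and variable names are this example's own.

```python
import re
from typing import List, Tuple

# Rows in ThreatFox's defanged notation; values taken from the IOC table above.
DEFANGED_IOCS = [
    ("ip:port", "182[.]23[.]2[.]163:49002"),
    ("ip:port", "64[.]89[.]160[.]69:8080"),
    ("domain", "surveillance[.]1qq.cam"),
    ("domain", "jempp912.duckdns.org"),
]

def refang(value: str) -> str:
    """Undo the usual defanging substitutions ([.] and hxxp) found in shared IOC lists."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def split_ip_port(value: str) -> Tuple[str, int]:
    """Parse a refanged 'ip:port' IOC; reject anything that is not IPv4 plus a valid port."""
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", value)
    if not m or int(m.group(2)) > 65535:
        raise ValueError(f"not an ip:port IOC: {value!r}")
    return m.group(1), int(m.group(2))

def build_endpoint_query(iocs) -> str:
    """Emit a KQL hunt over DeviceNetworkEvents that requires both IP and port to match."""
    rows = [split_ip_port(refang(v)) for t, v in iocs if t == "ip:port"]
    literals = ", ".join(f'"{ip}", {port}' for ip, port in rows)
    return (
        f"let ioc_endpoints = datatable(RemoteIP:string, RemotePort:int) [{literals}];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner ioc_endpoints on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )

def build_domain_list(iocs) -> str:
    """Emit the let-binding for domain IOCs, refanged and lower-cased for has_any matching."""
    domains = sorted({refang(v).lower() for t, v in iocs if t == "domain"})
    return "let malicious_domains = dynamic([" + ", ".join(f'"{d}"' for d in domains) + "]);"

def flagged_events(events: List[Tuple[str, str, int]], iocs) -> List[Tuple[str, str, int]]:
    """Apply the same IP+port match locally to (device, remote_ip, remote_port) tuples."""
    pairs = {split_ip_port(refang(v)) for t, v in iocs if t == "ip:port"}
    return [e for e in events if (e[1], e[2]) in pairs]

if __name__ == "__main__":
    print(build_endpoint_query(DEFANGED_IOCS))
    print(build_domain_list(DEFANGED_IOCS))
```

Keep the IP-only query alongside the port-aware one if your telemetry lacks reliable port data; the stricter join trades recall for fewer false positives on shared hosting ranges.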
Scenario: Legitimate System Backup Using Remcos
Description: A system administrator uses Remcos to perform scheduled backups of critical systems.
Filter/Exclusion: Exclude processes initiated by the system backup scheduler (e.g., schtasks.exe or task scheduler task names containing “backup”).
Scenario: Admin Task to Monitor System Resources
Description: An admin uses Remcos to monitor system performance and resource usage as part of routine maintenance.
Filter/Exclusion: Exclude processes running under the Administrators group or with a command line containing monitor or resource.
Scenario: Scheduled Job for Log Collection
Description: A scheduled job uses Remcos to collect and aggregate logs from multiple servers for centralized logging.
Filter/Exclusion: Exclude processes with command lines containing log or collect, or associated with log management tools like Splunk or ELK.
Scenario: Legitimate Remote Management Tool
Description: A remote management tool (e.g., PsExec, PSTools, or Remote Desktop Services) uses Remcos for remote execution or file transfer.
Filter/Exclusion: Exclude processes with parent processes from known remote management tools or with command lines containing psexec, remotefile, or transfer.
Scenario: Software Deployment Using Remcos
Description: IT staff deploys software updates or patches using Remcos as part of a deployment automation script.
Filter/Exclusion: Exclude processes with command lines containing deploy, update, or patch, or associated with deployment tools like SCCM or Chocolatey.