The ThreatFox: Remcos IOCs rule detects potential adversary activity associated with the Remcos remote access trojan, which is commonly used for long-term persistence and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) campaigns that leverage Remcos for unauthorized access and lateral movement.
IOC Summary
Malware Family: Remcos
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 182[.]23[.]2[.]163:6088 | botnet_cc | 2026-05-31 | 75% |
| ip:port | 155[.]103[.]71[.]115:13407 | botnet_cc | 2026-05-31 | 75% |
| ip:port | 196[.]251[.]107[.]114:24029 | botnet_cc | 2026-05-30 | 100% |
| ip:port | 84[.]32[.]41[.]227:443 | botnet_cc | 2026-05-30 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
// Note: the IOCs are ip:port pairs; this query matches on IP only, so a hit on a
// shared port such as 443 should be confirmed against DestinationPort.
let malicious_ips = dynamic(["84.32.41.227", "196.251.107.114", "155.103.71.115", "182.23.2.163"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["84.32.41.227", "196.251.107.114", "155.103.71.115", "182.23.2.163"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
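The queries above match on IP alone even though ThreatFox publishes these IOCs as ip:port pairs. The following Python is an added example, not code from the page or from ThreatFox: it parses the defanged feed rows into IOC objects, matches them against constructed network events shaped like DeviceNetworkEvents rows, and shows the difference between IP-only and ip:port matching plus a process allowlist for the exclusion scenarios. The event field names, the sample events and the process names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed copy of the IOC table from the page, in the defanged form ThreatFox publishes.
RAW_IOCS = [
    ("182[.]23[.]2[.]163:6088", "botnet_cc", "2026-05-31", 75),
    ("155[.]103[.]71[.]115:13407", "botnet_cc", "2026-05-31", 75),
    ("196[.]251[.]107[.]114:24029", "botnet_cc", "2026-05-30", 100),
    ("84[.]32[.]41[.]227:443", "botnet_cc", "2026-05-30", 75),
]

# Accepts both defanged "a[.]b[.]c[.]d:port" and plain "a.b.c.d:port".
IP_PORT = re.compile(r"^(\d{1,3}(?:(?:\[\.\]|\.)\d{1,3}){3}):(\d{1,5})$")


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    threat_type: str
    first_seen: str
    confidence: int


def refang(value):
    """Return ('a.b.c.d', port) for an ip:port feed value, defanged or not.

    Raises ValueError on anything else so a malformed feed row fails loudly
    instead of silently matching nothing.
    """
    m = IP_PORT.match(value.strip())
    if not m:
        raise ValueError(f"not an ip:port indicator: {value!r}")
    ip = m.group(1).replace("[.]", ".")
    port = int(m.group(2))
    if any(int(octet) > 255 for octet in ip.split(".")) or not 0 < port <= 65535:
        raise ValueError(f"ip or port out of range: {value!r}")
    return ip, port


def load_iocs(rows, min_confidence=0):
    """Parse feed rows into Ioc objects, dropping rows below the confidence threshold."""
    iocs = []
    for raw, threat_type, first_seen, confidence in rows:
        if confidence < min_confidence:
            continue
        ip, port = refang(raw)
        iocs.append(Ioc(ip, port, threat_type, first_seen, confidence))
    return iocs


# Constructed events shaped like DeviceNetworkEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-0412", "RemoteIP": "196.251.107.114", "RemotePort": 24029,
     "InitiatingProcessFileName": "remcos.exe"},
    {"DeviceName": "ws-0412", "RemoteIP": "84.32.41.227", "RemotePort": 443,
     "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "srv-db01", "RemoteIP": "84.32.41.227", "RemotePort": 8080,
     "InitiatingProcessFileName": "curl.exe"},
    {"DeviceName": "ws-0199", "RemoteIP": "10.20.30.40", "RemotePort": 6088,
     "InitiatingProcessFileName": "chrome.exe"},
]


def hunt(events, iocs, match_port=True, excluded_processes=()):
    """Return (event, ioc) pairs whose remote endpoint hits an IOC.

    match_port=True requires IP and port to agree, which is what an ip:port
    indicator actually asserts. match_port=False reproduces the IP-only
    matching of the page's KQL and is noisier on shared ports such as 443.
    excluded_processes is a case-insensitive allowlist of initiating process
    names, the kind of exclusion the false-positive scenarios describe.
    """
    by_ip = {}
    for ioc in iocs:
        by_ip.setdefault(ioc.ip, []).append(ioc)
    excluded = {p.lower() for p in excluded_processes}
    hits = []
    for ev in events:
        if ev["InitiatingProcessFileName"].lower() in excluded:
            continue
        for ioc in by_ip.get(ev["RemoteIP"], []):
            if match_port and ioc.port != ev["RemotePort"]:
                continue
            hits.append((ev, ioc))
    return hits


if __name__ == "__main__":
    iocs = load_iocs(RAW_IOCS)
    for ev, ioc in hunt(SAMPLE_EVENTS, iocs):
        print(f"{ev['DeviceName']} -> {ioc.ip}:{ioc.port} via "
              f"{ev['InitiatingProcessFileName']} (confidence {ioc.confidence}%)")
```

On the constructed events, strict ip:port matching yields two hits, while IP-only matching also flags the connection to 84.32.41.227 on port 8080, which the feed never claimed was malicious. Raising the confidence threshold to 100 leaves only the 196.251.107.114:24029 indicator, which is a reasonable starting point for an automated alert while the 75% entries stay in the hunting query.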
Scenario: Legitimate scheduled job using Remcos for remote management
Description: An admin uses Remcos as part of a legitimate remote management tool to monitor and manage endpoints.
Filter/Exclusion: Exclude processes initiated by a known remote management tool (e.g., PsExec, TeamViewer, or LogMeIn) or filter by user account (e.g., admin, svc_account).
Scenario: System update or patching using Remcos
Description: A system update or patching process leverages Remcos to deploy updates across the network.
Filter/Exclusion: Exclude processes associated with known patching tools (e.g., Windows Update, SCCM, or WSUS) or filter by process name (e.g., wuauclt.exe, mpcmdrun.exe).
Scenario: IT department using Remcos for remote support
Description: IT staff use Remcos to provide remote support to end-users, which is part of the organization’s standard support procedures.
Filter/Exclusion: Exclude processes initiated by IT support tools (e.g., Remote Desktop Services, LogMeIn, or AnyDesk) or filter by user group (e.g., IT_Support).
Scenario: Remcos used in a legitimate endpoint monitoring tool
Description: A security tool or endpoint monitoring solution uses Remcos as part of its monitoring capabilities.
Filter/Exclusion: Exclude processes associated with known monitoring tools (e.g., Splunk, SolarWinds, or Nagios) or filter by process parent (e.g., splunkd.exe, nagios.exe).
Scenario: Remcos used for legitimate backup or replication tasks
Description: A backup or replication job uses Remcos to transfer data between systems as part