The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by identifying known indicators associated with this remote access trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Remcos for command and control.
IOC Summary
Malware Family: Remcos
Total IOCs: 12
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 209[.]99[.]189[.]198:7004 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 209[.]99[.]189[.]198:7007 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 182[.]23[.]2[.]163:11954 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 172[.]245[.]195[.]233:14645 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 96[.]44[.]167[.]215:14644 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 96[.]44[.]167[.]215:14646 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 96[.]44[.]167[.]215:14648 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 94[.]103[.]1[.]223:3421 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 31[.]76[.]32[.]181:8455 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 31[.]76[.]87[.]218:9405 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 209[.]99[.]189[.]198:7005 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 209[.]99[.]189[.]198:7006 | botnet_cc | 2026-06-13 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
// Note: this matches on IP only; the IOC table above also lists the C2 ports,
// which can be checked against DestinationPort to tighten the match.
let malicious_ips = dynamic(["209.99.189.198", "182.23.2.163", "96.44.167.215", "94.103.1.223", "31.76.87.218", "172.245.195.233", "31.76.32.181"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP list as above; RemotePort is projected so hits can be compared with the IOC table.
let malicious_ips = dynamic(["209.99.189.198", "182.23.2.163", "96.44.167.215", "94.103.1.223", "31.76.87.218", "172.245.195.233", "31.76.32.181"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
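The queries above match on IP address alone, while the ThreatFox entries are ip:port pairs. The following added example (not from ThreatFox or the original page) refangs the defanged indicators from the table, classifies constructed flow records as exact ip+port hits versus ip-only hits, and emits a KQL `dynamic()` literal of "ip:port" strings that can be compared against `strcat(DestinationIP, ":", DestinationPort)` in Sentinel.

```python
# Constructed copy of the defanged ip:port indicators from the IOC table above.
IOC_ROWS = [
    "209[.]99[.]189[.]198:7004", "209[.]99[.]189[.]198:7007", "182[.]23[.]2[.]163:11954",
    "172[.]245[.]195[.]233:14645", "96[.]44[.]167[.]215:14644", "96[.]44[.]167[.]215:14646",
    "96[.]44[.]167[.]215:14648", "94[.]103[.]1[.]223:3421", "31[.]76[.]32[.]181:8455",
    "31[.]76[.]87[.]218:9405", "209[.]99[.]189[.]198:7005", "209[.]99[.]189[.]198:7006",
]


def refang(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into an (ip, port) tuple."""
    ip, port = ioc.replace("[.]", ".").rsplit(":", 1)
    return ip, int(port)


IOC_PAIRS = {refang(row) for row in IOC_ROWS}   # exact (ip, port) indicators
IOC_IPS = {ip for ip, _ in IOC_PAIRS}           # distinct C2 hosts


def match_flow(dst_ip: str, dst_port: int) -> str:
    """Classify one flow: 'ip+port' exact IOC hit, 'ip-only' (same host, other port), or 'none'."""
    if (dst_ip, dst_port) in IOC_PAIRS:
        return "ip+port"
    if dst_ip in IOC_IPS:
        return "ip-only"
    return "none"


def triage(flows: list[dict]) -> list[tuple[dict, str]]:
    """Return every flow that touches an IOC host, paired with its match quality."""
    hits = []
    for flow in flows:
        verdict = match_flow(flow["dst_ip"], flow["dst_port"])
        if verdict != "none":
            hits.append((flow, verdict))
    return hits


def kql_ip_port_list() -> str:
    """Emit a KQL dynamic() literal of 'ip:port' strings for a strcat()-based exact match."""
    items = ", ".join(f'"{ip}:{port}"' for ip, port in sorted(IOC_PAIRS))
    return f"dynamic([{items}])"


# Constructed sample flows in the shape of CommonSecurityLog fields (not real telemetry).
SAMPLE_FLOWS = [
    {"src_ip": "10.20.1.15", "dst_ip": "96.44.167.215", "dst_port": 14646},   # exact IOC
    {"src_ip": "10.20.1.16", "dst_ip": "96.44.167.215", "dst_port": 443},     # same host, other port
    {"src_ip": "10.20.1.17", "dst_ip": "10.0.0.5", "dst_port": 7004},         # port only, not an IOC
]
```

An ip-only verdict is still worth a look (the host is a known C2), but the port deviation is the first thing to confirm before escalating.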
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update via Chocolatey
Description: A system update using Chocolatey installs a package that coincidentally matches one of the Remcos IOCs.
Filter/Exclusion: Check the process.name for choco.exe or chocolatey in the command line arguments. Exclude processes initiated by the Chocolatey package manager.
Scenario: Scheduled Job for Log Collection
Description: A scheduled task runs a script that uses a tool like logparser.exe or PowerShell to collect logs, which may include a file path or command line that matches a Remcos IOC.
Filter/Exclusion: Filter by process.name for logparser.exe, powershell.exe with specific command-line arguments related to log collection, or check for known log collection tools in the process tree.
Scenario: Admin Task Using PsExec for Remote Execution
Description: An administrator uses PsExec to run a maintenance task on a remote machine, which may include a command line that matches a Remcos IOC.
Filter/Exclusion: Check for psexec.exe in the process tree and verify if the command line includes known admin tasks like net use, taskkill, or systeminfo.
Scenario: Legitimate Software Installation with Embedded Strings
Description: A legitimate software package (e.g., 7-Zip, WinRAR, or Notepad++) includes a string that matches one of the Remcos IOCs during installation or execution.
Filter/Exclusion: Filter by process.name for known legitimate software and exclude any processes that are part of a standard installation or update process.
Scenario: False Positive from Threat Intelligence Feed
Description: A false positive IOC from ThreatFox is triggered by a legitimate file or network activity that was incorrectly