The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by identifying known malicious indicators associated with this remote access trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration and persistent access.
IOC Summary
Malware Family: Remcos
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 124[.]198[.]132[.]98:2414 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 124[.]198[.]132[.]98:2424 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 31[.]76[.]93[.]14:1337 | botnet_cc | 2026-05-26 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
// Note: this query matches on IP only. The IOCs are ip:port pairs (ports 2414, 2424, 1337),
// so compare DestinationPort against those before escalating a hit.
let malicious_ips = dynamic(["124.198.132.98", "31.76.93.14"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Note: matches on RemoteIP only; compare RemotePort with the IOC ports (2414, 2424, 1337).
let malicious_ips = dynamic(["124.198.132.98", "31.76.93.14"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the Remcos IOC due to similar file names or paths.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known maintenance name (e.g., SystemMaintenanceTask).
Scenario: Admin Using Remcos for Remote Access
Description: An authorized admin uses Remcos for legitimate remote access to manage systems.
Filter/Exclusion: Exclude processes started by users with elevated privileges (e.g., Administrator) or with a known admin tool (e.g., PsExec, Remote Desktop).
Scenario: Log Collection Tool Using Remcos IOC
Description: A log collection tool (e.g., Splunk, ELK Stack) uses a script that matches the Remcos IOC due to similar command-line arguments.
Filter/Exclusion: Exclude processes associated with log collection tools (e.g., splunkd.exe, logstash.exe) or processes running from known log directories.
Scenario: Software Deployment via Group Policy
Description: A software deployment package (e.g., Microsoft Endpoint Manager) includes a file that matches the Remcos IOC during a deployment.
Filter/Exclusion: Exclude processes initiated by gpupdate.exe or from known deployment directories (e.g., C:\Windows\Temp\Deployment).
Scenario: Network Monitoring Tool with Similar Behavior
Description: A network monitoring tool (e.g., Wireshark, tcpdump) uses a script that matches the Remcos IOC due to similar network activity.
Filter/Exclusion: Exclude processes associated with network monitoring tools (e.g., wireshark.exe, tcpdump.exe) or traffic from known monitoring interfaces.
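The following query is an added example and is not part of the original rule. It serves two points above: the hunting queries match on IP alone while the IOC table lists ip:port pairs, and the "Admin Using Remcos for Remote Access" scenario calls for an exclusion of approved administrative activity. The query joins both data sources against the exact ip:port pairs from the IOC table and then drops hits from an allowlist of approved admin hosts and processes. The allowlist values (`ADMIN-JUMPBOX-01`, `psexec.exe`, `mstsc.exe`) and the combined column names (`Host`, `Process`, `Action`) are assumptions for illustration, not values from the page.

```kql
// Added example (not from the original rule): alert on the exact ip:port pairs from the
// IOC table rather than on the IP alone, and apply an explicit allowlist for the
// "authorized admin" false-positive scenario.
let remcos_c2 = datatable(ioc_ip:string, ioc_port:int)
[
    "124.198.132.98", 2414,
    "124.198.132.98", 2424,
    "31.76.93.14",    1337
];
// Placeholder allowlist (assumption, not from the page): hosts and processes approved for remote admin.
let approved_admin_hosts = dynamic(["ADMIN-JUMPBOX-01"]);
let approved_admin_processes = dynamic(["psexec.exe", "mstsc.exe"]);
// Firewall/proxy events: the destination side is the C2 candidate, so pair DestinationIP with DestinationPort.
let fw = CommonSecurityLog
    | where isnotempty(DestinationIP)
    | project TimeGenerated, Source = "CommonSecurityLog", Host = Computer,
              ioc_ip = DestinationIP, ioc_port = toint(DestinationPort),
              Process = "", Action = DeviceAction;
// Endpoint events: RemoteIP/RemotePort identify the peer the host connected to.
let ep = DeviceNetworkEvents
    | project TimeGenerated = Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
              ioc_ip = RemoteIP, ioc_port = toint(RemotePort),
              Process = InitiatingProcessFileName, Action = ActionType;
union fw, ep
// Inner join on both columns: a hit requires the IP *and* the port from the IOC list.
| join kind=inner remcos_c2 on ioc_ip, ioc_port
| project-away ioc_ip1, ioc_port1
// Tuning: drop approved admin activity only when both host and process are on the allowlist.
// Firewall rows carry an empty Process and therefore always survive this filter.
| where not(Host in~ (approved_admin_hosts) and Process in~ (approved_admin_processes))
| order by TimeGenerated desc
```

Matching on the full ip:port pair keeps a shared hosting address from alerting on unrelated traffic, while the port-only columns in the original queries remain available for broader hunting. In a production workspace the `datatable` of IOCs and the allowlist would normally be maintained as Sentinel watchlists and read with `_GetWatchlist()`, so that analysts can update them without editing the rule.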