The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by identifying known malicious indicators associated with this remote access trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Remcos infections before they lead to data exfiltration or lateral movement.
IOC Summary
Malware Family: Remcos
Total IOCs: 6
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 2[.]26[.]75[.]248:2428 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 2[.]26[.]75[.]241:4509 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 182[.]23[.]2[.]163:10616 | botnet_cc | 2026-06-09 | 75% |
| domain | breakthroughgee.ddns.net | botnet_cc | 2026-06-09 | 75% |
| domain | t0loka.live | botnet_cc | 2026-06-09 | 100% |
| ip:port | 192[.]3[.]176[.]232:4099 | botnet_cc | 2026-06-09 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["2.26.75.248", "192.3.176.232", "2.26.75.241", "182.23.2.163"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["2.26.75.248", "192.3.176.232", "2.26.75.241", "182.23.2.163"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
// has_any also matches subdomains of the listed names (e.g. a host under t0loka.live)
let malicious_domains = dynamic(["breakthroughgee.ddns.net", "t0loka.live"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
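The queries above match on IP alone, while the ThreatFox entries are ip:port pairs and are published defanged. The following Python helper is an added example, not part of the original rule: it refangs the table rows, generates the KQL let-statements (including a port-aware datatable, an assumed addition), and classifies constructed sample events by whether the exact C2 socket, only the IP, or a listed domain matched. The event fields are assumed to mirror the DeviceNetworkEvents/DnsEvents columns used above.

```python
# Rows constructed from the IOC table on this page, defanged exactly as published.
IOC_ROWS = [
    ("ip:port", "2[.]26[.]75[.]248:2428"),
    ("ip:port", "2[.]26[.]75[.]241:4509"),
    ("ip:port", "182[.]23[.]2[.]163:10616"),
    ("domain", "breakthroughgee.ddns.net"),
    ("domain", "t0loka.live"),
    ("ip:port", "192[.]3[.]176[.]232:4099"),
]

def refang(value):
    """Turn a defanged indicator ("2[.]26[.]75[.]248") back into the literal form logs contain."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def parse_iocs(rows):
    """Return ({ip: {port, ...}}, {domain, ...}) from ThreatFox-style (type, value) rows."""
    ip_ports, domains = {}, set()
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports.setdefault(ip, set()).add(int(port))
        elif ioc_type == "domain":
            domains.add(value.lower())
    return ip_ports, domains

def to_kql(ip_ports, domains):
    """Emit the let-statements for the hunt queries; the datatable keeps the C2 port."""
    ips = ", ".join(f'"{ip}"' for ip in sorted(ip_ports))
    pairs = ", ".join(f'"{ip}", {p}' for ip in sorted(ip_ports) for p in sorted(ip_ports[ip]))
    doms = ", ".join(f'"{d}"' for d in sorted(domains))
    return (
        f"let malicious_ips = dynamic([{ips}]);\n"
        f"let malicious_ip_ports = datatable(RemoteIP:string, RemotePort:int) [{pairs}];\n"
        f"let malicious_domains = dynamic([{doms}]);"
    )

def match_event(ip_ports, domains, remote_ip=None, remote_port=None, dns_name=None):
    """Classify one event: 'ip_port' (exact C2 socket), 'ip_only', 'domain', or None.
    Domain matching accepts the listed name or any subdomain of it, like has_any above."""
    if remote_ip in ip_ports:
        return "ip_port" if remote_port in ip_ports[remote_ip] else "ip_only"
    if dns_name:
        name = dns_name.lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in domains):
            return "domain"
    return None

if __name__ == "__main__":
    print(to_kql(*parse_iocs(IOC_ROWS)))
```

An "ip_only" hit on a shared or CDN address deserves a look at RemotePort and InitiatingProcessFileName before it is escalated; an "ip_port" hit reproduces the exact ThreatFox indicator.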
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled job using Remcos for remote management | A system administrator schedules a task using Remcos to remotely manage endpoints. | Exclude processes initiated by schtasks.exe or tasks with the Run action in the Task Scheduler. |
| IT team using Remcos for remote desktop access | IT staff uses Remcos as part of their remote desktop solution to access internal systems. | Exclude processes launched from known IT tools like mstsc.exe or Remote Desktop Connection. |
| Software update process using Remcos for payload delivery | A legitimate software update mechanism uses Remcos to deliver payloads to endpoints. | Exclude processes associated with known update tools like Windows Update or WSUS. |
| Admin task using Remcos for remote system monitoring | A system administrator uses Remcos to monitor system performance across the network. | Exclude processes initiated by taskmgr.exe or PsExec with administrative privileges. |
| Internal tool using Remcos for secure remote access | A company-specific internal tool uses Remcos for secure remote access to internal systems. | Exclude processes that match the internal tool's signature or are launched from a known internal IP range. |