The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by identifying known indicators associated with this remote access trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Remcos for command and control.
IOC Summary
Malware Family: Remcos
Total IOCs: 10
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 2[.]27[.]5[.]37:8912 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 2[.]27[.]5[.]42:6448 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 155[.]103[.]71[.]115:14646 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 141[.]98[.]10[.]150:14646 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 107[.]172[.]238[.]13:14646 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 173[.]231[.]188[.]244:14641 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 78[.]108[.]56[.]64:9405 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 78[.]108[.]57[.]24:8912 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 194[.]116[.]236[.]239:4068 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 185[.]158[.]249[.]112:443 | botnet_cc | 2026-06-19 | 75% |
```kql
// Hunt for network connections to known malicious IPs (firewall / CEF logs)
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["78.108.56.64", "107.172.238.13", "2.27.5.37", "185.158.249.112", "78.108.57.24", "2.27.5.42", "141.98.10.150", "194.116.236.239", "155.103.71.115", "173.231.188.244"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["78.108.56.64", "107.172.238.13", "2.27.5.37", "185.158.249.112", "78.108.57.24", "2.27.5.42", "141.98.10.150", "194.116.236.239", "155.103.71.115", "173.231.188.244"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
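The IOC table carries a port with every address, but both hunts above match on the address alone, so traffic to a shared host on an unrelated port also fires. The following query is an added example, not part of the ThreatFox rule: it keeps each ip:port pair from the table in a `datatable`, joins it against `DeviceNetworkEvents` on both columns, and rolls the hits up per device so the analyst sees which processes and accounts made the connections and how often. The IOC values are the ones listed above (refanged); the column names are standard Defender for Endpoint schema.

```kql
// Added example: match on the full ip:port pair rather than the IP alone.
// IOC values are taken from the ThreatFox table above and refanged.
let remcos_c2 = datatable(ioc_ip:string, ioc_port:int) [
    "2.27.5.37", 8912,
    "2.27.5.42", 6448,
    "155.103.71.115", 14646,
    "141.98.10.150", 14646,
    "107.172.238.13", 14646,
    "173.231.188.244", 14641,
    "78.108.56.64", 9405,
    "78.108.57.24", 8912,
    "194.116.236.239", 4068,
    "185.158.249.112", 443
];
DeviceNetworkEvents
| where isnotempty(RemoteIP)
// inner join on both address and port: a hit needs the exact pair from the IOC list
| join kind=inner remcos_c2 on $left.RemoteIP == $right.ioc_ip and $left.RemotePort == $right.ioc_port
| extend Ioc = strcat(RemoteIP, ":", RemotePort)
// one row per device and C2 endpoint, with the processes and accounts behind the connections
| summarize
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Connections = count(),
    Processes   = make_set(InitiatingProcessFileName, 10),
    Accounts    = make_set(InitiatingProcessAccountName, 10),
    ActionTypes = make_set(ActionType, 10)
    by DeviceName, Ioc
| order by LastSeen desc
```

Keep the original `CommonSecurityLog` hunt alongside this one: firewall logs carry no initiating process, but they see hosts that have no Defender sensor, and the port column there (`DestinationPort`) can be joined the same way.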
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Backup Job Using Remcos
Description: A scheduled backup job uses Remcos as part of a custom script or tool for data preservation.
Filter/Exclusion: Exclude processes initiated by a known backup tool (e.g., Veeam, Acronis, or rsync) or filter by process name like backup_script.sh or backup_job.exe.
Scenario: Admin Task to Monitor System Activity with Remcos
Description: An administrator uses Remcos as part of a monitoring tool to track system events or network traffic.
Filter/Exclusion: Exclude processes running under a specific admin account (e.g., admin_user) or filter by process name like monitor_tool.exe or sysmon.exe.
Scenario: Legitimate Remote Management Tool Using Remcos
Description: A remote management tool (e.g., TeamViewer, AnyDesk, or LogMeIn) uses Remcos for secure remote access.
Filter/Exclusion: Exclude processes associated with known remote access tools (e.g., teamviewer.exe, anydesk.exe) or filter by user context (e.g., remote_admin).
Scenario: Software Deployment Using Remcos as a Deployment Agent
Description: An enterprise uses Remcos as part of a software deployment tool (e.g., Chocolatey, PDQ Deploy, or SCCM) to push updates.
Filter/Exclusion: Exclude processes initiated by a known deployment tool (e.g., choco.exe, pdqdeploymgr.exe) or filter by process name like deploy_agent.exe.
Scenario: Legitimate Security Tool Using Remcos for Threat Hunting
Description: A security team uses Remcos as part of a threat hunting tool (e.g., OSSEC, `
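The Filter/Exclusion entries in the scenarios above can be expressed directly in the Defender for Endpoint hunt. The query below is an added example, not from the page: it reuses the `malicious_ips` list from the rule and removes connections made by an allow-listed tool. The allow-list rows are placeholders (the install paths are illustrative and the SHA256 values must be filled in from your own software inventory); the exclusion is keyed on the process's folder path and file hash, since matching on a bare file name such as `backup_job.exe` would also exclude any binary renamed to that name.

```kql
// Added example: apply the false-positive exclusions to the DeviceNetworkEvents hunt.
// malicious_ips is the list from the rule above; the allow-list rows are placeholders.
let malicious_ips = dynamic(["78.108.56.64", "107.172.238.13", "2.27.5.37", "185.158.249.112", "78.108.57.24", "2.27.5.42", "141.98.10.150", "194.116.236.239", "155.103.71.115", "173.231.188.244"]);
// Approved tools, identified by install path AND hash rather than file name.
// Paths are lower-case because InitiatingProcessFolderPath is normalised below;
// the hash values are placeholders to be replaced from your inventory.
let approved_tools = datatable(FolderPath:string, Sha256:string, Reason:string) [
    @"c:\program files\veeam\backup and replication\backup\veeam.backup.manager.exe", "<sha256-placeholder-backup>", "Scheduled backup job",
    @"c:\program files\teamviewer\teamviewer.exe", "<sha256-placeholder-remote-mgmt>", "Remote management tool",
    @"c:\program files\pdq deploy\pdqdeploymgr.exe", "<sha256-placeholder-deploy>", "Software deployment agent"
];
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend ProcPath = tolower(InitiatingProcessFolderPath),
         ProcHash = tolower(InitiatingProcessSHA256)
// leftanti keeps only rows with NO match in the allow-list: both path and hash must match to be excluded
| join kind=leftanti approved_tools on $left.ProcPath == $right.FolderPath and $left.ProcHash == $right.Sha256
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath,
          InitiatingProcessSHA256, InitiatingProcessCommandLine, RemoteIP, RemotePort, ActionType
| order by Timestamp desc
```

The account-based exclusions from the scenarios (for example `admin_user` or `remote_admin`) can be added with a final `| where InitiatingProcessAccountName !in (...)`, but an outbound connection to a listed C2 address from a privileged account is the case an analyst most wants to see, so it is better reviewed once and tuned per process than filtered out by account.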