The ThreatFox: Remcos IOCs rule detects potential adversary activity associated with the Remcos remote access trojan, which is commonly used for long-term persistence and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) campaigns that leverage Remcos for unauthorized access and lateral movement.
IOC Summary
Malware Family: Remcos
Total IOCs: 32
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 192[.]227[.]219[.]75:2404 | botnet_cc | 2026-05-08 | 75% |
| domain | kakazz.myftp.org | botnet_cc | 2026-05-08 | 75% |
| domain | cestfininewdns.vip | botnet_cc | 2026-05-08 | 75% |
| ip:port | 82[.]38[.]148[.]254:5902 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 82[.]38[.]148[.]254:5903 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 83[.]143[.]58[.]253:8015 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 69[.]197[.]150[.]245:2404 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 5[.]252[.]179[.]132:1616 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 5[.]101[.]86[.]95:4034 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 5[.]101[.]86[.]99:7192 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 5[.]101[.]86[.]70:2428 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 5[.]101[.]86[.]41:3305 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 5[.]101[.]86[.]103:8834 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 5[.]101[.]83[.]117:8374 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 5[.]101[.]86[.]103:2428 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 5[.]101[.]86[.]103:6913 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 5[.]101[.]82[.]226:3581 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 5[.]101[.]81[.]23:4315 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 45[.]23[.]73[.]4:5645 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 31[.]57[.]216[.]62:2404 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 209[.]99[.]186[.]98:2404 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 198[.]46[.]173[.]6:2208 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 179[.]0[.]178[.]240:2404 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 170[.]168[.]103[.]124:5342 | botnet_cc | 2026-05-08 | 75% |
| ip:port | 172[.]245[.]209[.]227:443 | botnet_cc | 2026-05-08 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["170.168.103.124", "198.46.173.6", "172.245.209.227", "138.9.226.206", "82.38.148.254", "103.83.87.81", "5.101.86.103", "138.9.118.8", "5.101.86.41", "31.57.216.62", "5.101.82.226", "146.185.239.55", "69.197.150.245", "192.227.219.75", "45.23.73.4", "5.101.86.95", "5.101.81.23", "83.143.58.253", "103.83.87.7", "5.101.86.99", "5.101.83.117", "5.252.179.132", "5.101.86.70", "179.0.178.240", "138.9.216.212", "138.9.41.75", "209.99.186.98"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["170.168.103.124", "198.46.173.6", "172.245.209.227", "138.9.226.206", "82.38.148.254", "103.83.87.81", "5.101.86.103", "138.9.118.8", "5.101.86.41", "31.57.216.62", "5.101.82.226", "146.185.239.55", "69.197.150.245", "192.227.219.75", "45.23.73.4", "5.101.86.95", "5.101.81.23", "83.143.58.253", "103.83.87.7", "5.101.86.99", "5.101.83.117", "5.252.179.132", "5.101.86.70", "179.0.178.240", "138.9.216.212", "138.9.41.75", "209.99.186.98"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["kakazz.myftp.org", "cestfininewdns.vip"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
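The queries above match on IP address alone, while the ThreatFox entries are ip:port pairs (several IPs appear with more than one port, and one entry is port 443, where an IP-only match will also catch unrelated traffic to shared hosting). The following added example, written for this page and not part of the ThreatFox feed or the Sentinel rule, shows the pre-processing a SOC engineer typically does before pasting a list into KQL: refang the `[.]`-defanged table values, emit a `dynamic([...])` literal, and classify constructed connection records as an exact ip:port hit versus an IP-only hit so the two can be triaged with different priority. The IOC rows are a subset copied from the table above; the log lines, the `src -> dst:port` record shape, and all function names are constructed for illustration.

```python
"""Refang ThreatFox-style IOCs, emit a KQL dynamic() list, and rank
ip:port matches against sample connection records.
Added example for this page; inputs below are constructed."""
import re
from typing import Iterable, List, Set, Tuple

# Subset of the IOC table above (type, defanged value).
IOC_ROWS: List[Tuple[str, str]] = [
    ("ip:port", "192[.]227[.]219[.]75:2404"),
    ("domain", "kakazz.myftp.org"),
    ("ip:port", "82[.]38[.]148[.]254:5902"),
    ("ip:port", "82[.]38[.]148[.]254:5903"),
    ("ip:port", "172[.]245[.]209[.]227:443"),
]

# Constructed connection records in a hypothetical "src -> dst:port" shape.
SAMPLE_LOG: List[str] = [
    "10.0.0.5 -> 82.38.148.254:5902",    # exact ip:port hit
    "10.0.0.7 -> 82.38.148.254:80",      # same IP, different port
    "10.0.0.9 -> 172.245.209.227:443",   # exact hit on a common port
    "10.0.0.9 -> 8.8.8.8:53",            # no match
    "garbage line",                      # ignored by the parser
]


def refang(value: str) -> str:
    """Undo the defanging conventions ThreatFox-style feeds use."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_iocs(rows: Iterable[Tuple[str, str]]):
    """Split rows into (ip, port) pairs, bare IPs and lower-cased domains."""
    ip_ports: Set[Tuple[str, int]] = set()
    ips: Set[str] = set()
    domains: Set[str] = set()
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            ip_ports.add((ip, int(port)))
            ips.add(ip)
        elif ioc_type == "domain":
            domains.add(value.lower())
    return ip_ports, ips, domains


def to_kql_dynamic(values: Iterable[str]) -> str:
    """Render a sorted KQL dynamic([...]) literal for a let statement."""
    inner = ", ".join(f'"{v}"' for v in sorted(values))
    return f"dynamic([{inner}])"


_RECORD = re.compile(r"^(\S+)\s+->\s+(\S+):(\d+)$")


def match_connections(lines: Iterable[str],
                      ip_ports: Set[Tuple[str, int]],
                      ips: Set[str]) -> List[Tuple[str, str]]:
    """Tag each parsable record as 'exact' (ip and port match an IOC)
    or 'ip_only' (IP matches but the port does not); skip the rest."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = _RECORD.match(line)
        if not m:
            continue
        dst_ip, dst_port = m.group(2), int(m.group(3))
        if (dst_ip, dst_port) in ip_ports:
            hits.append((line, "exact"))
        elif dst_ip in ips:
            hits.append((line, "ip_only"))
    return hits


def match_dns(names: Iterable[str], domains: Set[str]) -> List[str]:
    """Return queried names equal to, or a subdomain of, an IOC domain."""
    out = []
    for name in names:
        n = name.lower().rstrip(".")
        if any(n == d or n.endswith("." + d) for d in domains):
            out.append(name)
    return out


if __name__ == "__main__":
    pairs, bare_ips, doms = parse_iocs(IOC_ROWS)
    print("let malicious_ips = " + to_kql_dynamic(bare_ips) + ";")
    print("let malicious_domains = " + to_kql_dynamic(doms) + ";")
    for rec, kind in match_connections(SAMPLE_LOG, pairs, bare_ips):
        print(kind, rec)
```

In practice the `exact` hits are the ones to escalate first; an `ip_only` hit on a port the feed never listed (here 82.38.148.254:80) is worth a look but is also the class of match most likely to be a shared-host false positive, so keep `DestinationPort` / `RemotePort` in the projection as the rule already does.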
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Maintenance Task
Description: A system administrator is running a scheduled maintenance job that uses a tool like PowerShell or Task Scheduler to clean up temporary files or update system configurations.
Filter/Exclusion: Exclude processes initiated by Task Scheduler or PowerShell with known maintenance scripts (e.g., Cleanup-Item or Get-ChildItem with specific paths).
Scenario: Software Deployment via SCCM
Description: A software deployment using Microsoft System Center Configuration Manager (SCCM) includes a package that matches the Remcos IOC signature due to similar file names or paths.
Filter/Exclusion: Exclude processes launched by ccmexec or smsexec and filter by known SCCM deployment paths (e.g., C:\Windows\Temp\SCCM).
Scenario: Legitimate Remote Management Tool Usage
Description: A security team uses a legitimate remote management tool like PsExec or Remote Desktop Services to perform administrative tasks on remote systems.
Filter/Exclusion: Exclude processes initiated by PsExec or mstsc.exe, and filter by known remote management IPs or user accounts (e.g., admin, svc_account).
Scenario: Antivirus Quarantine Process
Description: An endpoint protection solution (e.g., Bitdefender, Kaspersky) quarantines a file that matches a Remcos IOC due to false positive detection.
Filter/Exclusion: Exclude processes associated with antivirus quarantine operations (e.g., quarantine.exe, avp.exe) and filter by known quarantine directories (e.g., C:\ProgramData\Bitdefender\Quarantine).
Scenario: Legitimate Log Collection and Analysis
Description: A log collection tool like `LogParser