The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by identifying known indicators associated with this remote access trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration and persistent access.
IOC Summary
Malware Family: Remcos
Total IOCs: 5
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 67[.]180[.]188[.]88:443 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 155[.]103[.]71[.]115:14549 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 146[.]185[.]233[.]71:41254 | botnet_cc | 2026-05-12 | 75% |
| domain | wemovetoanewrelablesourcewhichverymanans.duckdns.org | botnet_cc | 2026-05-12 | 100% |
| ip:port | 155[.]103[.]71[.]115:14548 | botnet_cc | 2026-05-11 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["146.185.233.71", "155.103.71.115", "67.180.188.88"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["146.185.233.71", "155.103.71.115", "67.180.188.88"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["wemovetoanewrelablesourcewhichverymanans.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
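The queries above match on IP address alone, which is the wider net: any connection to one of the three addresses is returned regardless of port. The ThreatFox entries, however, are `ip:port` pairs, and the same host appears with two different ports, so a port-aware match gives a higher-confidence tier when triaging hits. The script below is an added example, not part of the original rule page: it refangs the indicators exactly as they appear in the IOC table, matches constructed sample connection and DNS records against them (port-aware for `ip:port`, suffix-aware for the domain so that subdomains of the C2 name also hit), and emits a KQL `datatable` literal that can be joined on both `RemoteIP` and `RemotePort` in Sentinel. The sample events, hostnames and process names are constructed and not real telemetry.

```python
"""Port-aware matching of ThreatFox ip:port and domain IOCs (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Indicators copied from the IOC table on this page, in their published defanged form.
THREATFOX_IOCS: List[Tuple[str, str]] = [
    ("ip:port", "67[.]180[.]188[.]88:443"),
    ("ip:port", "155[.]103[.]71[.]115:14549"),
    ("ip:port", "146[.]185[.]233[.]71:41254"),
    ("domain", "wemovetoanewrelablesourcewhichverymanans.duckdns.org"),
    ("ip:port", "155[.]103[.]71[.]115:14548"),
]


def refang(value: str) -> str:
    """Undo the usual defanging conventions so values compare against raw telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class IocSet:
    ip_ports: FrozenSet[Tuple[str, int]]  # (ip, port) pairs
    domains: FrozenSet[str]               # lower-cased, no trailing dot


def build_ioc_set(iocs: Iterable[Tuple[str, str]]) -> IocSet:
    """Parse (type, value) rows into exact ip:port pairs and a domain set."""
    ip_ports, domains = set(), set()
    for ioc_type, raw in iocs:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            ip_ports.add((ip, int(port)))
        elif ioc_type == "domain":
            domains.add(value.rstrip(".").lower())
    return IocSet(frozenset(ip_ports), frozenset(domains))


def match_connection(iocs: IocSet, remote_ip: str, remote_port: int) -> bool:
    """High-confidence hit: both address and port equal a published pair."""
    return (remote_ip, remote_port) in iocs.ip_ports


def match_dns(iocs: IocSet, query_name: str) -> bool:
    """Hit on the C2 name itself or any subdomain of it (case- and trailing-dot-insensitive)."""
    name = query_name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in iocs.domains)


def to_kql_datatable(iocs: IocSet) -> str:
    """Render the pairs as a KQL let-statement suitable for a join on RemoteIP, RemotePort."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in sorted(iocs.ip_ports))
    return f"let remcos_c2 = datatable(RemoteIP:string, RemotePort:int)[{rows}];"


# Constructed sample events (hypothetical hosts and processes, not real data).
SAMPLE_CONNECTIONS = [
    {"host": "ws01", "ip": "155.103.71.115", "port": 14549, "proc": "svchost.exe"},
    {"host": "ws02", "ip": "155.103.71.115", "port": 80,    "proc": "chrome.exe"},
    {"host": "ws03", "ip": "67.180.188.88",  "port": 443,   "proc": "mspaint.exe"},
    {"host": "ws04", "ip": "10.0.0.5",       "port": 443,   "proc": "outlook.exe"},
]
SAMPLE_DNS = [
    {"host": "ws01", "name": "Wemovetoanewrelablesourcewhichverymanans.duckdns.org."},
    {"host": "ws05", "name": "update.wemovetoanewrelablesourcewhichverymanans.duckdns.org"},
    {"host": "ws06", "name": "duckdns.org"},
]


def hunt_connections(iocs: IocSet, events) -> List[str]:
    """Return hostnames whose connections match an exact ip:port indicator."""
    return [e["host"] for e in events if match_connection(iocs, e["ip"], e["port"])]


def hunt_dns(iocs: IocSet, events) -> List[str]:
    """Return hostnames that resolved the C2 domain or one of its subdomains."""
    return [e["host"] for e in events if match_dns(iocs, e["name"])]


if __name__ == "__main__":
    ioc_set = build_ioc_set(THREATFOX_IOCS)
    print("connection hits:", hunt_connections(ioc_set, SAMPLE_CONNECTIONS))
    print("dns hits:", hunt_dns(ioc_set, SAMPLE_DNS))
    print(to_kql_datatable(ioc_set))
```

On the sample data the port-aware pass returns `ws01` and `ws03` but not `ws02`, whose connection goes to a listed address on a port ThreatFox did not publish; the page's IP-only query would return all three, so the two results can be read as tiers rather than as a replacement for each other. The emitted `let remcos_c2 = datatable(...)` line is meant to be followed by `DeviceNetworkEvents | join kind=inner remcos_c2 on RemoteIP, RemotePort` in Sentinel (the table and column names are the Defender for Endpoint ones already used in the queries above).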
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Using Remcos for System Monitoring
Description: A system administrator has configured a scheduled job using Remcos to monitor system performance and collect logs.
Filter/Exclusion: Exclude processes where the parent process is a known system monitoring tool (e.g., task scheduler, logparser.exe, or perfmon.exe).
Scenario: IT Admin Using Remcos for Remote Management
Description: An IT admin is using Remcos as part of a remote management solution to troubleshoot user machines.
Filter/Exclusion: Exclude processes initiated from known IT management consoles (e.g., Microsoft Remote Desktop, TeamViewer, or AnyDesk) or where the user is a domain admin with a known ticket.
Scenario: Security Tool Integration with Remcos for Threat Intelligence
Description: A security tool (e.g., CrowdStrike or Microsoft Defender) is using Remcos as part of its threat intelligence integration to fetch indicators of compromise.
Filter/Exclusion: Exclude processes where the parent process is a known security tool or where the process is initiated via a trusted API or integration.
Scenario: Legitimate Software Deployment Using Remcos
Description: A software deployment tool (e.g., Chocolatey or SCCM) is using Remcos as part of its deployment process to install or update applications.
Filter/Exclusion: Exclude processes where the parent process is a known deployment tool or where the command line includes deployment-related arguments (e.g., /install, /update).
Scenario: User-Initiated File Transfer Using Remcos
Description: A user is using Remcos to transfer files between systems as part of a legitimate data migration or backup process.
Filter/Exclusion: Exclude processes where