The ThreatFox: Remcos IOCs rule detects potential adversary activity associated with the Remcos remote access trojan, which is commonly used for long-term persistence and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that may have already bypassed initial detection mechanisms.
IOC Summary

Malware Family: Remcos
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 84[.]21[.]189[.]225:58268 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 5[.]101[.]81[.]2:51842 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 2[.]26[.]75[.]250:6448 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 188[.]137[.]181[.]111:53863 | botnet_cc | 2026-05-18 | 75% |
| ip:port | 130[.]49[.]214[.]92:53522 | botnet_cc | 2026-05-18 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
// Note: the IOCs are ip:port pairs, but this query matches on IP alone,
// so a hit on a different port is a weaker signal; compare DestinationPort
// against the port in the IOC table during triage.
let malicious_ips = dynamic(["188.137.181.111", "130.49.214.92", "5.101.81.2", "84.21.189.225", "2.26.75.250"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos (same IP list as the CommonSecurityLog query)
let malicious_ips = dynamic(["188.137.181.111", "130.49.214.92", "5.101.81.2", "84.21.189.225", "2.26.75.250"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
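As an added example (not part of the ThreatFox rule page or the queries above), the following Python refangs the ip:port indicators from the IOC table, emits the `let malicious_ips = dynamic([...])` line both queries begin with, and mirrors the `RemoteIP in (malicious_ips)` filter over constructed DeviceNetworkEvents-style rows, also flagging whether the IOC's port matched, since the queries filter on IP alone. The row field names and sample events are assumptions.

```python
import re
from typing import Iterable

# Defanged ThreatFox ip:port indicators, copied from the IOC table above.
REMCOS_IOCS = [
    "84[.]21[.]189[.]225:58268",
    "5[.]101[.]81[.]2:51842",
    "2[.]26[.]75[.]250:6448",
    "188[.]137[.]181[.]111:53863",
    "130[.]49[.]214[.]92:53522",
]

# Accept only the defanged form; a fanged or malformed value is a data error.
_IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")


def refang(ioc: str) -> tuple[str, int]:
    """Turn '1[.]2[.]3[.]4:80' into ('1.2.3.4', 80); reject anything else."""
    m = _IOC_RE.match(ioc.strip())
    if not m:
        raise ValueError(f"not a defanged ip:port indicator: {ioc!r}")
    ip, port = m.group(1).replace("[.]", "."), int(m.group(2))
    if any(int(o) > 255 for o in ip.split(".")) or not 0 < port < 65536:
        raise ValueError(f"out-of-range ip or port: {ioc!r}")
    return ip, port


def kql_ip_list(iocs: Iterable[str], name: str = "malicious_ips") -> str:
    """Emit the `let <name> = dynamic([...])` line the hunting queries start with."""
    ips = sorted({refang(i)[0] for i in iocs})  # de-duplicate, stable order
    body = ", ".join('"%s"' % ip for ip in ips)
    return f"let {name} = dynamic([{body}]);"


def match_events(events: list[dict], iocs: Iterable[str]) -> list[dict]:
    """Mirror the KQL `RemoteIP in (malicious_ips)` filter over in-memory rows and
    add PortMatch: True only when the port also equals the IOC's port."""
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for e in events:
        if e["RemoteIP"] in ips:
            hits.append({**e, "PortMatch": (e["RemoteIP"], e["RemotePort"]) in pairs})
    return hits


# Constructed DeviceNetworkEvents-style rows (assumed field names), not real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "84.21.189.225", "RemotePort": 58268},
    {"DeviceName": "ws02", "RemoteIP": "84.21.189.225", "RemotePort": 443},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 58268},
]
```

Running `match_events(SAMPLE_EVENTS, REMCOS_IOCS)` returns the ws01 and ws02 rows; only ws01 carries `PortMatch: True`, which is the distinction the IP-only KQL above cannot make on its own.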
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job for System Monitoring
Description: A scheduled task runs a script that uses remcos.exe as part of a system monitoring tool (e.g., a custom script for log analysis).
Filter/Exclusion: Exclude processes where the full path contains C:\Program Files\MonitoringTool\ or where the parent process is schtasks.exe.
Scenario: Admin Task to Deploy Remcos for Remote Management
Description: An administrator uses remcos.exe as part of a remote management tool (e.g., a custom remote desktop solution) to manage endpoints.
Filter/Exclusion: Exclude processes where the command line includes --remote-manage or where the parent process is taskmgr.exe.
Scenario: Legitimate Use of Remcos in a Security Research Environment
Description: A security team uses remcos.exe in a sandboxed environment to analyze malware behavior.
Filter/Exclusion: Exclude processes running in a sandboxed environment (e.g., C:\Windows\System32\sandbox\ or processes with vmtoolsd.exe as parent).
Scenario: System Update or Patching Tool Using Remcos
Description: A third-party patching tool (e.g., Microsoft System Center Configuration Manager) uses remcos.exe for remote deployment.
Filter/Exclusion: Exclude processes where the command line includes --patch or where the parent process is msiexec.exe.
Scenario: Legitimate Use of Remcos in a DevOps Pipeline
Description: A CI/CD pipeline (e.g., Jenkins or GitLab) uses remcos.exe to execute scripts on remote servers.
Filter/Exclusion: Exclude processes where the command line includes --ci or where the parent process is `jenkins