The ThreatFox: Remcos IOCs rule detects potential adversary activity associated with the Remcos remote access trojan, which is commonly used for long-term persistence and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) campaigns that leverage Remcos for unauthorized access and lateral movement.
IOC Summary
Malware Family: Remcos
Total IOCs: 6
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 78[.]47[.]143[.]18:8053 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 5[.]101[.]81[.]81:6448 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 45[.]153[.]34[.]51:58001 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 193[.]169[.]194[.]19:8264 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 144[.]91[.]78[.]57:9008 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 138[.]9[.]237[.]106:8015 | botnet_cc | 2026-05-10 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
// IPs are the refanged values from the table above; this query matches on IP only,
// not on the ip:port pair, so review hits against the published port as well.
let malicious_ips = dynamic(["5.101.81.81", "78.47.143.18", "138.9.237.106", "45.153.34.51", "193.169.194.19", "144.91.78.57"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP list; RemotePort is projected so hits can be compared with the ip:port IOCs.
let malicious_ips = dynamic(["5.101.81.81", "78.47.143.18", "138.9.237.106", "45.153.34.51", "193.169.194.19", "144.91.78.57"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
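As an added example (not part of the ThreatFox page or its queries): a small Python script that refangs the ip:port rows from the table above, matches DeviceNetworkEvents-style records on the full ip:port pair while keeping IP-only hits as lower-confidence candidates, and emits the pairs as a KQL datatable for a port-aware version of the hunt. The IOC excerpt and the events are constructed samples; column names follow DeviceNetworkEvents.

```python
import ipaddress
import re

# Constructed excerpt of the defanged ThreatFox table above (three of the six rows)
IOC_TABLE = """
| ip:port | 78[.]47[.]143[.]18:8053 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 5[.]101[.]81[.]81:6448 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 138[.]9[.]237[.]106:8015 | botnet_cc | 2026-05-10 | 75% |
"""

ROW = re.compile(r"^\|\s*ip:port\s*\|\s*([^|]+?)\s*\|")

def parse_iocs(table):
    """Refang ip:port rows ('78[.]47...' -> '78.47...') into a set of (ip, port)."""
    iocs = set()
    for line in table.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ip, _, port = m.group(1).replace("[.]", ".").rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError if the refanged value is not an IP
        iocs.add((ip, int(port)))
    return iocs

def match_events(events, iocs):
    """Split events into exact ip:port hits and IP-only hits (shared host, other port)."""
    ips = {ip for ip, _ in iocs}
    exact, ip_only = [], []
    for ev in events:
        if (ev["RemoteIP"], ev["RemotePort"]) in iocs:
            exact.append(ev)
        elif ev["RemoteIP"] in ips:
            ip_only.append(ev)
    return exact, ip_only

def to_kql_datatable(iocs):
    """Render the pairs as a KQL datatable to join on RemoteIP and RemotePort."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(iocs))
    return "let remcos_c2 = datatable(RemoteIP:string, RemotePort:int)\n[\n" + rows + "\n];"

# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "78.47.143.18", "RemotePort": 8053, "InitiatingProcessFileName": "updater.exe"},
    {"DeviceName": "ws02", "RemoteIP": "78.47.143.18", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 8053, "InitiatingProcessFileName": "svchost.exe"},
]
```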
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches the Remcos IOC pattern due to similar file names or paths.
Filter/Exclusion: Exclude tasks with TaskName containing “SystemMaintenance” or “ScheduledTask” and verify the file path against known system directories like C:\Windows\Tasks\.
Scenario: Admin Tool for Remote Management
Description: An admin uses a remote management tool like PsExec or PSTools to execute commands on remote systems, which may trigger the Remcos IOC due to similar command-line arguments.
Filter/Exclusion: Exclude processes with ProcessName matching PsExec.exe or PSTools.exe and check for the presence of a valid admin account or domain context.
Scenario: Legitimate Software Deployment via SCCM
Description: A software deployment via Microsoft System Center Configuration Manager (SCCM) includes a package that matches the Remcos IOC due to shared file names or hashes.
Filter/Exclusion: Exclude processes with ProcessName containing “CCM” or “SCCM” and verify the file hash against the SCCM deployment database.
Scenario: Backup Job Using Veeam or Acronis
Description: A backup job using Veeam or Acronis may generate files or logs that resemble Remcos IOCs due to similar naming conventions or file types.
Filter/Exclusion: Exclude processes with ProcessName matching “Veeam” or “Acronis” and check the file extension or directory path for backup-related patterns.
Scenario: PowerShell Script for Log Collection
Description: A PowerShell script used for log collection or monitoring may trigger the Remcos IOC due to similar command structures or file paths.
Filter/Ex