The ThreatFox: Remcos IOCs rule detects potential remote access by a known RAT used for data exfiltration and command execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Remcos infections before significant data loss occurs.
IOC Summary
Malware Family: Remcos
Total IOCs: 12
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 85[.]17[.]244[.]120:2093 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 213[.]209[.]159[.]91:2602 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 85[.]17[.]192[.]128:2404 | botnet_cc | 2026-05-20 | 75% |
| domain | myrrupr.duckdns.org | botnet_cc | 2026-05-20 | 75% |
| ip:port | 194[.]116[.]236[.]96:1515 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 178[.]211[.]155[.]150:56950 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 178[.]211[.]155[.]150:51744 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 204[.]10[.]160[.]191:2404 | botnet_cc | 2026-05-20 | 75% |
| ip:port | 5[.]101[.]81[.]163:47524 | botnet_cc | 2026-05-19 | 75% |
| ip:port | 144[.]172[.]94[.]91:1122 | botnet_cc | 2026-05-19 | 75% |
| ip:port | 144[.]172[.]94[.]91:2255 | botnet_cc | 2026-05-19 | 75% |
| ip:port | 144[.]172[.]94[.]91:3333 | botnet_cc | 2026-05-19 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
// Note: matches on IP only; the ports listed in the IOC table are not checked
let malicious_ips = dynamic(["85.17.192.128", "5.101.81.163", "144.172.94.91", "213.209.159.91", "194.116.236.96", "204.10.160.191", "178.211.155.150", "85.17.244.120"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["85.17.192.128", "5.101.81.163", "144.172.94.91", "213.209.159.91", "194.116.236.96", "204.10.160.191", "178.211.155.150", "85.17.244.120"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["myrrupr.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
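The queries above were derived from the IOC table by hand, refanging the `[.]` notation and dropping the ports. The following is an added example, not part of the ThreatFox feed or the Sentinel rule, that does that step programmatically: it refangs the rows, keeps the ip-to-ports mapping that the IP-only queries discard (two of the hosts above are listed with several ports), validates each value, and emits a port-aware `DeviceNetworkEvents` hunt. The row list is a constructed copy of the table above; all function names are my own, and the parser assumes IPv4:port values.

```python
# Added example (not part of the ThreatFox page or the Sentinel rule): refang the
# defanged IOC rows above, keep the ip -> ports mapping that the IP-only queries
# drop, and emit a port-aware KQL hunt. Function and variable names are my own.
import ipaddress
import re
from collections import defaultdict

# Constructed copy of the IOC table rows above: (type, defanged value).
IOC_ROWS = [
    ("ip:port", "85[.]17[.]244[.]120:2093"),
    ("ip:port", "213[.]209[.]159[.]91:2602"),
    ("ip:port", "85[.]17[.]192[.]128:2404"),
    ("domain", "myrrupr.duckdns.org"),
    ("ip:port", "194[.]116[.]236[.]96:1515"),
    ("ip:port", "178[.]211[.]155[.]150:56950"),
    ("ip:port", "178[.]211[.]155[.]150:51744"),
    ("ip:port", "204[.]10[.]160[.]191:2404"),
    ("ip:port", "5[.]101[.]81[.]163:47524"),
    ("ip:port", "144[.]172[.]94[.]91:1122"),
    ("ip:port", "144[.]172[.]94[.]91:2255"),
    ("ip:port", "144[.]172[.]94[.]91:3333"),
]

# Common defanging forms: 85[.]17[.]244[.]120, example(.)org, hxxp://
DEFANG_DOT = re.compile(r"[\[\(\{]\.[\]\)\}]")
DEFANG_SCHEME = re.compile(r"^hxxp(s?)://", re.IGNORECASE)


def refang(value: str) -> str:
    """Turn a defanged indicator back into its real form."""
    value = DEFANG_DOT.sub(".", value.strip())
    return DEFANG_SCHEME.sub(r"http\1://", value)


def parse_iocs(rows):
    """Return ({ip: set(ports)}, {domain}); rejects anything that is not a valid IPv4:port."""
    ips = defaultdict(set)
    domains = set()
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)   # IPv4 only (assumption, see lead-in)
            ipaddress.IPv4Address(ip)         # raises ValueError on a malformed address
            port = int(port)
            if not 0 < port < 65536:
                raise ValueError(f"bad port in {raw!r}")
            ips[ip].add(port)
        elif ioc_type == "domain":
            domains.add(value.lower())
        else:
            raise ValueError(f"unsupported IOC type {ioc_type!r}")
    return dict(ips), domains


def kql_dynamic(values) -> str:
    """Render a KQL dynamic([...]) list of string literals, sorted for stable diffs."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


def build_network_hunt(ips) -> str:
    """DeviceNetworkEvents hunt that matches the exact ip:port pairs, not just the IP."""
    pairs = [f"{ip}:{port}" for ip, ports in ips.items() for port in ports]
    return "\n".join([
        "// Hunt in Defender for Endpoint network events, matching ip:port pairs",
        f"let malicious_endpoints = {kql_dynamic(pairs)};",
        "DeviceNetworkEvents",
        '| extend RemoteEndpoint = strcat(RemoteIP, ":", tostring(RemotePort))',
        "| where RemoteEndpoint in (malicious_endpoints)",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType",
        "| order by Timestamp desc",
    ])


if __name__ == "__main__":
    ips, domains = parse_iocs(IOC_ROWS)
    print(build_network_hunt(ips))
    print(f"let malicious_domains = {kql_dynamic(domains)};")
```

Matching on the ip:port pair is stricter than the IP-only queries above, so it produces fewer hits on shared hosting; run both and compare when triaging, since a C2 that rotates ports on the same address will only show up in the IP-only version.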
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe is configured to run a maintenance script that includes a command resembling Remcos IOCs (e.g., certutil.exe -urlcache -f http://internal-server/script.bat).
Filter/Exclusion: process.parent_process == "schtasks.exe" && process.command_line contains "maintenance"
Scenario: Software Update Deployment
Description: A patch management tool like Microsoft Endpoint Configuration Manager (MECM) or Chocolatey downloads a script from an internal repository that matches the IOC pattern due to a naming convention.
Filter/Exclusion: process.parent_process contains "choco.exe" || process.parent_process contains "ConfigMgr.exe"
Scenario: Admin PowerShell Script Execution
Description: A system administrator runs a PowerShell script using PowerShell ISE or PowerShell.exe that includes a command similar to Remcos IOCs (e.g., certutil.exe or curl.exe) for downloading a legitimate update.
Filter/Exclusion: process.parent_process == "powershell.exe" && process.user == "admin_user"
Scenario: Internal Repository Access
Description: A developer uses Git or curl.exe to pull code from an internal GitLab or GitHub Enterprise instance, and the command line includes a string that matches a Remcos IOC.
Filter/Exclusion: (process.command_line contains "git" || process.command_line contains "curl") && process.destination contains "internal-repo"
Scenario: Log Collection via PowerShell
Description: A log collection tool such as LogParser, or a PowerShell script, uses certutil.exe or curl.exe to retrieve logs from a central server, triggering the detection rule.
Filter/Exclusion:
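Exclusion filters like those above are easy to get subtly wrong: in every common filter language `&&` binds tighter than `||`, so an unparenthesised `A || B && C` suppresses everything matching `A` regardless of `C`. The following is an added example, not part of the page, that encodes the scenario filters as predicates and runs them over constructed process events to make that visible; the event fields and ids are my own invention, and the two `suspect_*` events reuse one of the C2 addresses from the IOC table above as their destination.

```python
# Added example (not from the page): encode the false-positive exclusions above
# as predicates and run them over constructed process events, to show how an
# unparenthesised "A || B && C" repository filter behaves versus the intended one.
# The event fields and ids are my own; the telemetry is made up.
from typing import Callable, Dict, List

Event = Dict[str, str]
Exclusion = Callable[[Event], bool]

# Constructed sample events: four benign ones matching the scenarios, and two
# that reach an address from the IOC table and must survive the exclusions.
EVENTS: List[Event] = [
    {"id": "maint", "parent_process": "schtasks.exe", "user": "SYSTEM",
     "command_line": r"cmd.exe /c C:\ops\maintenance.bat", "destination": "internal-server"},
    {"id": "patch", "parent_process": "choco.exe", "user": "svc_patch",
     "command_line": "choco.exe upgrade all", "destination": "internal-repo"},
    {"id": "admin", "parent_process": "powershell.exe", "user": "admin_user",
     "command_line": "certutil.exe -urlcache -f http://internal-server/update.cab",
     "destination": "internal-server"},
    {"id": "dev", "parent_process": "cmd.exe", "user": "dev1",
     "command_line": "git clone https://internal-repo/app.git", "destination": "internal-repo"},
    {"id": "suspect_curl", "parent_process": "explorer.exe", "user": "jdoe",
     "command_line": "curl.exe http://85.17.244.120:2093/", "destination": "85.17.244.120"},
    {"id": "suspect_git", "parent_process": "explorer.exe", "user": "jdoe",
     "command_line": "git clone http://85.17.244.120:2093/r.git", "destination": "85.17.244.120"},
]


# The scenario filters as the page states them: plain, case-sensitive substring matches.
def excl_maintenance(e: Event) -> bool:
    return e["parent_process"] == "schtasks.exe" and "maintenance" in e["command_line"]


def excl_patch_tool(e: Event) -> bool:
    return "choco.exe" in e["parent_process"] or "ConfigMgr.exe" in e["parent_process"]


def excl_admin_ps(e: Event) -> bool:
    return e["parent_process"] == "powershell.exe" and e["user"] == "admin_user"


def excl_repo_as_written(e: Event) -> bool:
    # Without parentheses, && binds tighter than ||: git  OR  (curl AND internal-repo).
    # Any command line containing "git" is suppressed, whatever its destination.
    return "git" in e["command_line"] or (
        "curl" in e["command_line"] and "internal-repo" in e["destination"])


def excl_repo_intended(e: Event) -> bool:
    # (git OR curl) AND internal-repo: the destination check applies to both tools.
    return ("git" in e["command_line"] or "curl" in e["command_line"]) \
        and "internal-repo" in e["destination"]


def surviving_alerts(events: List[Event], exclusions: List[Exclusion]) -> List[str]:
    """Ids of events that no exclusion suppresses, i.e. the ones that still alert."""
    return [e["id"] for e in events if not any(x(e) for x in exclusions)]


BASE: List[Exclusion] = [excl_maintenance, excl_patch_tool, excl_admin_ps]

if __name__ == "__main__":
    print("as written:", surviving_alerts(EVENTS, BASE + [excl_repo_as_written]))
    print("intended:  ", surviving_alerts(EVENTS, BASE + [excl_repo_intended]))
```

With the unparenthesised filter the `suspect_git` connection to a listed C2 address is silently suppressed; with the parenthesised form both suspect events still alert while the four benign scenarios are excluded. The same check is worth running against any tuning rule before it goes into production, and note that bare substring matches such as `contains "git"` also hit unrelated strings (the page's filters are reproduced as written here, not tightened).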