The ThreatFox: Remcos IOCs rule detects potential adversary activity associated with the Remcos remote access trojan, which is commonly used for long-term persistence and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) campaigns that leverage Remcos for unauthorized access and lateral movement.
IOC Summary
Malware Family: Remcos
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]111[.]232[.]239:29810 | botnet_cc | 2026-05-06 | 100% |
| ip:port | 5[.]101[.]86[.]41:2428 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 5[.]101[.]86[.]41:6448 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 5[.]101[.]86[.]104:1334 | botnet_cc | 2026-05-06 | 75% |
| ip:port | 103[.]82[.]193[.]51:443 | botnet_cc | 2026-05-06 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
// Note: the IOC table lists ip:port pairs, but this query matches on IP only;
// compare DestinationPort with the listed ports when triaging hits.
let malicious_ips = dynamic(["103.82.193.51", "5.101.86.104", "5.101.86.41", "172.111.232.239"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Run as a separate query from the one above: both declare malicious_ips.
let malicious_ips = dynamic(["103.82.193.51", "5.101.86.104", "5.101.86.41", "172.111.232.239"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
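As an added example (not part of the ThreatFox rule or its KQL), the script below refangs the defanged ip:port indicators from the table above and matches them, port included, against constructed CommonSecurityLog-style records. The KQL queries key on IP only; matching the port as well is the extra check that cuts noise when a listed address also carries unrelated traffic. The sample records and the `REMCOS_IOCS` list are constructed from the table; column names follow CommonSecurityLog.

```python
import re
from typing import Iterable

# Constructed from the IOC table above, kept in defanged form.
REMCOS_IOCS = [
    "172[.]111[.]232[.]239:29810",
    "5[.]101[.]86[.]41:2428",
    "5[.]101[.]86[.]41:6448",
    "5[.]101[.]86[.]104:1334",
    "103[.]82[.]193[.]51:443",
]
_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def refang(ioc: str) -> str:
    """Turn '5[.]101[.]86[.]41:2428' back into '5.101.86.41:2428'."""
    return ioc.replace("[.]", ".")


def parse_iocs(iocs: Iterable[str]) -> set[tuple[str, int]]:
    """Return the set of (ip, port) tuples; malformed entries are skipped."""
    out = set()
    for raw in iocs:
        m = _IP_PORT.match(refang(raw))
        if m:
            out.add((m.group(1), int(m.group(2))))
    return out


def match_events(events: Iterable[dict], iocs: set[tuple[str, int]]) -> list[dict]:
    """Flag events whose (DestinationIP, DestinationPort) is a listed C2 pair."""
    hits = []
    for ev in events:
        port = str(ev.get("DestinationPort", ""))
        if not port.isdigit():
            continue  # no usable port field on this record
        pair = (ev.get("DestinationIP"), int(port))
        if pair in iocs:
            hits.append({**ev, "ioc": f"{pair[0]}:{pair[1]}"})
    return hits


# Constructed sample records using CommonSecurityLog column names.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-06T10:01:00Z", "SourceIP": "10.0.0.12",
     "DestinationIP": "5.101.86.41", "DestinationPort": "2428"},
    {"TimeGenerated": "2026-05-06T10:02:00Z", "SourceIP": "10.0.0.12",
     "DestinationIP": "5.101.86.41", "DestinationPort": "80"},  # listed IP, unlisted port
    {"TimeGenerated": "2026-05-06T10:03:00Z", "SourceIP": "10.0.0.13",
     "DestinationIP": "103.82.193.51", "DestinationPort": "443"},
]
```

Running `match_events(SAMPLE_EVENTS, parse_iocs(REMCOS_IOCS))` flags the first and third records; the second is the listed IP on a port the table does not name, which the IP-only KQL would also have surfaced.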
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using Remcos for remote management
Description: A system administrator uses Remcos as part of a legitimate remote management tool to monitor and manage remote servers.
Filter/Exclusion: Exclude processes initiated by a known remote management tool (e.g., PsExec, TeamViewer, or LogMeIn) or filter by user account (e.g., admin, sysadmin).
Scenario: Security tool or SIEM agent using Remcos for data collection
Description: A security tool or SIEM agent (e.g., Splunk, ELK Stack, or Microsoft Sentinel) uses Remcos to collect system logs or metrics.
Filter/Exclusion: Exclude processes with parent process names associated with SIEM tools (e.g., splunkd, logstash, msesshost) or filter by process command line arguments containing known data collection keywords.
Scenario: System update or patching using Remcos
Description: A system update or patching process (e.g., Windows Update, WSUS, or Ansible) uses Remcos to execute scripts or install updates.
Filter/Exclusion: Exclude processes with command line arguments related to patching or updates (e.g., wuauclt, msiexec, ansible-playbook) or filter by parent process names like svchost or taskeng.
Scenario: Legitimate remote desktop or RDP session
Description: A user connects via Remote Desktop Protocol (RDP) and the session is managed using Remcos for remote access.
Filter/Exclusion: Exclude processes initiated by RDP services (e.g., mstsc, rdpclip, termsrv) or filter by user account associated with legitimate remote access (e.g., `rdp