Analytics Story: Remcos

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..

Why it matters

Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Add or Set Windows Defender Exclusion Disable or Modify Tools, Impair Defenses TTP
Detect Outlook exe writing a zip file Phishing, Spearphishing Attachment TTP
Disabling Remote User Account Control Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Jscript Execution Using Cscript App Command and Scripting Interpreter, JavaScript TTP
Loading Of Dynwrapx Module Process Injection, Dynamic-link Library Injection TTP
Malicious InProcServer32 Modification Regsvr32, Modify Registry TTP
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process Phishing, Spearphishing Attachment TTP
Office Product Spawning Windows Script Host Phishing, Spearphishing Attachment TTP
Possible Browser Pass View Parameter Credentials from Web Browsers, Credentials from Password Stores Hunting
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses TTP
Process Deleting Its Process File Path Indicator Removal TTP
Process Writing DynamicWrapperX Command and Scripting Interpreter, Component Object Model Hunting
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Regsvr32 Silent and Install Param Dll Loading System Binary Proxy Execution, Regsvr32 Anomaly
Regsvr32 with Known Silent Switch Cmdline System Binary Proxy Execution, Regsvr32 Anomaly
Remcos client registry install entry Modify Registry TTP
Remcos RAT File Creation in Remcos Folder Screen Capture TTP
Suspicious Image Creation In Appdata Folder Screen Capture TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter TTP
Suspicious Process Executed From Container File Malicious File, Masquerade File Type TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious WAV file in Appdata Folder Screen Capture TTP
System Info Gathering Using Dxdiag Application Gather Victim Host Information Hunting
Vbscript Execution Using Wscript App Visual Basic, Command and Scripting Interpreter TTP
Windows Defender Exclusion Registry Entry Disable or Modify Tools, Impair Defenses TTP
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Hunting
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment, Phishing Hunting
Winhlp32 Spawning a Process Process Injection TTP
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1