Analytics Story: Remcos

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..

Why it matters

Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Jscript Execution Using Cscript App JavaScript TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic TTP
Windows Office Product Spawned Uncommon Process Spearphishing Attachment TTP
Winhlp32 Spawning a Process Process Injection TTP
Remcos client registry install entry Modify Registry TTP
Loading Of Dynwrapx Module Dynamic-link Library Injection TTP
Remcos RAT File Creation in Remcos Folder Screen Capture TTP
System Info Gathering Using Dxdiag Application Gather Victim Host Information Hunting
Add or Set Windows Defender Exclusion Disable or Modify Tools TTP
Suspicious WAV file in Appdata Folder Screen Capture TTP
Powershell Windows Defender Exclusion Commands Disable or Modify Tools Anomaly
Windows ISO LNK File Creation Malicious Link, Spearphishing Attachment Hunting
Windows Process Execution in Temp Dir Match Legitimate Resource Name or Location, Create or Modify System Process Anomaly
Detect Outlook exe writing a zip file Spearphishing Attachment Anomaly
Scheduled Task Deleted Or Created via CMD Scheduled Task Anomaly
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Regsvr32 Silent and Install Param Dll Loading Regsvr32 Anomaly
Suspicious Image Creation In Appdata Folder Screen Capture TTP
Non Firefox Process Access Firefox Profile Dir Credentials from Web Browsers Anomaly
Suspicious Process Executed From Container File Masquerade File Type, Malicious File TTP
Process Writing DynamicWrapperX Command and Scripting Interpreter, Component Object Model Hunting
WinEvent Scheduled Task Created Within Public Path Scheduled Task TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
Wscript Or Cscript Suspicious Child Process Process Injection, Parent PID Spoofing, Create or Modify System Process Anomaly
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment Hunting
Process Deleting Its Process File Path Indicator Removal TTP
Possible Browser Pass View Parameter Credentials from Web Browsers Hunting
Regsvr32 with Known Silent Switch Cmdline Regsvr32 Anomaly
Vbscript Execution Using Wscript App Visual Basic TTP
Windows Office Product Loading VBE7 DLL Spearphishing Attachment Anomaly
Non Chrome Process Accessing Chrome Default Dir Credentials from Web Browsers Anomaly
Windows Suspicious Process File Path Match Legitimate Resource Name or Location, Create or Modify System Process TTP
Windows Defender Exclusion Registry Entry Disable or Modify Tools TTP
Executables Or Script Creation In Temp Path Masquerading Anomaly
Disabling Remote User Account Control Bypass User Account Control TTP
Malicious InProcServer32 Modification Modify Registry, Regsvr32 TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Windows Event Log Security 4663 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log TaskScheduler 201 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational

References


Source: GitHub | Version: 2