Analytics Story: Remcos

Updated Date: 2026-05-13 ID: 2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..

Why it matters

Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Executables Or Script Creation In Temp Path	Masquerading	Anomaly
Registry Keys Used For Persistence	Registry Run Keys / Startup Folder	TTP
System Info Gathering Using Dxdiag Application	Gather Victim Host Information	Hunting
Windows Office Product Spawned Uncommon Process	Spearphishing Attachment	TTP
Loading Of Dynwrapx Module	Dynamic-link Library Injection	TTP
Remcos RAT File Creation in Remcos Folder	Screen Capture	TTP
Process Writing DynamicWrapperX	Command and Scripting Interpreter, Component Object Model	Hunting
Detect Outlook exe writing a zip file	Spearphishing Attachment	Anomaly
Remcos client registry install entry	Modify Registry	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Disabling Remote User Account Control	Bypass User Account Control	TTP
Windows Suspicious Process File Path	Match Legitimate Resource Name or Location, Create or Modify System Process	TTP
Suspicious WAV file in Appdata Folder	Screen Capture	TTP
Powershell Windows Defender Exclusion Commands	Disable or Modify Tools	TTP
Windows Office Product Loading VBE7 DLL	Spearphishing Attachment	Anomaly
Malicious InProcServer32 Modification	Modify Registry, Regsvr32	TTP
Regsvr32 with Known Silent Switch Cmdline	Regsvr32	Anomaly
Add or Set Windows Defender Exclusion	Disable or Modify Tools	TTP
Wscript Or Cscript Suspicious Child Process	Process Injection, Parent PID Spoofing, Create or Modify System Process	Anomaly
Suspicious Process DNS Query Known Abuse Web Services	Visual Basic	TTP
Windows Defender Exclusion Registry Entry	Disable or Modify Tools	TTP
Process Deleting Its Process File Path	Indicator Removal	TTP
Suspicious Image Creation In Appdata Folder	Screen Capture	TTP
Winhlp32 Spawning a Process	Process Injection	TTP
Non Chrome Process Accessing Chrome Default Dir	Credentials from Web Browsers	Anomaly
Scheduled Task Deleted Or Created via CMD	Scheduled Task	Anomaly
Suspicious Process Executed From Container File	Masquerade File Type, Malicious File	TTP
Windows ISO LNK File Creation	Malicious Link, Spearphishing Attachment	Hunting
Regsvr32 Silent and Install Param Dll Loading	Regsvr32	Anomaly
Non Firefox Process Access Firefox Profile Dir	Credentials from Web Browsers	Anomaly
Windows Process Execution in Temp Dir	Match Legitimate Resource Name or Location, Create or Modify System Process	Anomaly
Windows Phishing Recent ISO Exec Registry	Spearphishing Attachment	Hunting
Possible Browser Pass View Parameter	Credentials from Web Browsers	Hunting
WinEvent Scheduled Task Created Within Public Path	Scheduled Task	TTP
WinEvent Windows Task Scheduler Event Action Started	Scheduled Task	Hunting
Jscript Execution Using Cscript App	JavaScript	TTP
Vbscript Execution Using Wscript App	Visual Basic	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Sysmon EventID 11	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 13	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Sysmon EventID 1	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
CrowdStrike ProcessRollup2	Other	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 7	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 12	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Powershell Script Block Logging 4104	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`
Sysmon EventID 22	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4663	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Windows Event Log Security 4698	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Windows Event Log TaskScheduler 200	Windows	`wineventlog`	`WinEventLog:Microsoft-Windows-TaskScheduler/Operational`
Windows Event Log TaskScheduler 201	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`

References

[https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns.](https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns.)
https://attack.mitre.org/software/S0332/
https://success.trendmicro.com/solution/1123281-remcos-malware-information

Source: GitHub | Version: 2