Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including file writes associated with its payload, screen capture, registry modification, UAC bypass, persistence and data collection.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-09-23
- Author: Teoderick Contreras, Splunk
- ID: 2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c
Narrative
Remcos (Remote Control and Surveillance), marketed as legitimate software for remotely managing Windows systems, is now widely used by threat actors in multiple malicious campaigns, both APT and commodity malware.
Detections
| Name | Technique | Type |
|---|---|---|
| Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | TTP |
| Detect Outlook exe writing a zip file | Phishing, Spearphishing Attachment | TTP |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Jscript Execution Using Cscript App | Command and Scripting Interpreter, JavaScript | TTP |
| Loading Of Dynwrapx Module | Process Injection, Dynamic-link Library Injection | TTP |
| Malicious InProcServer32 Modification | Regsvr32, Modify Registry | TTP |
| Non Chrome Process Accessing Chrome Default Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly |
| Office Document Executing Macro Code | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawn CMD Process | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning Windows Script Host | Phishing, Spearphishing Attachment | TTP |
| Possible Browser Pass View Parameter | Credentials from Web Browsers, Credentials from Password Stores | Hunting |
| Powershell Windows Defender Exclusion Commands | Disable or Modify Tools, Impair Defenses | TTP |
| Process Deleting Its Process File Path | Indicator Removal | TTP |
| Process Writing DynamicWrapperX | Command and Scripting Interpreter, Component Object Model | Hunting |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Regsvr32 Silent and Install Param Dll Loading | System Binary Proxy Execution, Regsvr32 | Anomaly |
| Regsvr32 with Known Silent Switch Cmdline | System Binary Proxy Execution, Regsvr32 | Anomaly |
| Remcos RAT File Creation in Remcos Folder | Screen Capture | TTP |
| Remcos client registry install entry | Modify Registry | TTP |
| Suspicious Image Creation In Appdata Folder | Screen Capture | TTP |
| Suspicious Process DNS Query Known Abuse Web Services | Visual Basic, Command and Scripting Interpreter | TTP |
| Suspicious Process Executed From Container File | Malicious File, Masquerade File Type | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Suspicious WAV file in Appdata Folder | Screen Capture | TTP |
| System Info Gathering Using Dxdiag Application | Gather Victim Host Information | Hunting |
| Vbscript Execution Using Wscript App | Visual Basic, Command and Scripting Interpreter | TTP |
| Windows Defender Exclusion Registry Entry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows ISO LNK File Creation | Spearphishing Attachment, Phishing, Malicious Link, User Execution | Hunting |
| Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment, Phishing | Hunting |
| Winhlp32 Spawning a Process | Process Injection | TTP |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | TTP |
Reference
- https://success.trendmicro.com/solution/1123281-remcos-malware-information
- https://attack.mitre.org/software/S0332/
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
- Version: 1