Analytics Story: Remcos

Date: 2021-09-23 ID: 2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..

Why it matters

Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Office Document Executing Macro Code	Spearphishing Attachment	TTP
Office Product Spawn CMD Process	Spearphishing Attachment	TTP
Office Product Spawning Windows Script Host	Spearphishing Attachment	TTP
Suspicious Process File Path	Create or Modify System Process	TTP
Add or Set Windows Defender Exclusion	Disable or Modify Tools	TTP
Detect Outlook exe writing a zip file	Spearphishing Attachment	TTP
Disabling Remote User Account Control	Bypass User Account Control	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Jscript Execution Using Cscript App	JavaScript	TTP
Loading Of Dynwrapx Module	Dynamic-link Library Injection	TTP
Malicious InProcServer32 Modification	Regsvr32, Modify Registry	TTP
Non Chrome Process Accessing Chrome Default Dir	Credentials from Web Browsers	Anomaly
Non Firefox Process Access Firefox Profile Dir	Credentials from Web Browsers	Anomaly
Possible Browser Pass View Parameter	Credentials from Web Browsers	Hunting
Powershell Windows Defender Exclusion Commands	Disable or Modify Tools	TTP
Process Deleting Its Process File Path	Indicator Removal	TTP
Process Writing DynamicWrapperX	Command and Scripting Interpreter, Component Object Model	Hunting
Registry Keys Used For Persistence	Registry Run Keys / Startup Folder	TTP
Regsvr32 Silent and Install Param Dll Loading	Regsvr32	Anomaly
Regsvr32 with Known Silent Switch Cmdline	Regsvr32	Anomaly
Remcos client registry install entry	Modify Registry	TTP
Remcos RAT File Creation in Remcos Folder	Screen Capture	TTP
Suspicious Image Creation In Appdata Folder	Screen Capture	TTP
Suspicious Process DNS Query Known Abuse Web Services	Visual Basic	TTP
Suspicious Process Executed From Container File	Malicious File, Masquerade File Type	TTP
Suspicious WAV file in Appdata Folder	Screen Capture	TTP
System Info Gathering Using Dxdiag Application	Gather Victim Host Information	Hunting
Vbscript Execution Using Wscript App	Visual Basic	TTP
Windows Defender Exclusion Registry Entry	Disable or Modify Tools	TTP
Windows ISO LNK File Creation	Malicious Link, Spearphishing Attachment	Hunting
Windows Office Product Loading VBE7 DLL	Spearphishing Attachment	Anomaly
Windows Office Product Spawned Uncommon Process	Spearphishing Attachment	TTP
Windows Phishing Recent ISO Exec Registry	Spearphishing Attachment	Hunting
Windows Process Execution in Temp Dir	Create or Modify System Process, Match Legitimate Name or Location	Anomaly
Windows Suspicious Process File Path	Create or Modify System Process, Match Legitimate Name or Location	TTP
Winhlp32 Spawning a Process	Process Injection	TTP
Wscript Or Cscript Suspicious Child Process	Process Injection, Parent PID Spoofing, Create or Modify System Process	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Powershell Script Block Logging 4104	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 11	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 12	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 13	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 22	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 7	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4663	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

https://success.trendmicro.com/solution/1123281-remcos-malware-information
https://attack.mitre.org/software/S0332/
[https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns.](https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns.)

Source: GitHub | Version: 1