forked from splunk/security_content
remcos.yml
name: Remcos
id: 2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c
version: 1
date: '2021-09-23'
author: Teoderick Contreras, Splunk
description: Leverage searches that allow you to detect and investigate unusual activities
  that might relate to the Remcos RAT trojan, including looking for file writes associated
  with its payload, screen capture, registry modification, UAC bypass, persistence and data collection.
narrative: Remcos, or Remote Control and Surveillance, marketed as legitimate software for
  remotely managing Windows systems, is now widely used by threat actors in multiple malicious campaigns, both APT and commodity malware.
references:
- https://success.trendmicro.com/solution/1123281-remcos-malware-information
- https://attack.mitre.org/software/S0332/
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns.
tags:
  analytic_story: Remcos
  category:
  - Malware
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection