Remcos

Detects the log.dat file written by Remcos and the registry entries it creates.

Sigma rule (View on GitHub)

title: Remcos
status: experimental
description: detect log.dat of remcos and registry entry
author: Joe Security
date: 2019-10-29
id: 200014
threatname: Remcos
behaviorgroup: 20
classification: 4
logsource:
    service: sysmon
    product: windows
detection:
    selection:
        EventID: 11
        TargetFilename:
            - '*\AppData\Roaming\remcos\logs*.dat*'
            - '*\ProgramData\remcos\logs.dat*'
    selection1:
        EventID: 13
        TargetObject:
            - '*\Software\Remcos*exepath*'
            - '*\Software\Rmc-*exepath*'
            - '*\microsoft\windows\currentversion\run*remcos*'
    condition: selection or selection1
level: critical
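To show what this rule actually matches, here is an added worked example (written for this page, not Joe Security's code and not a Sigma backend) that re-implements the rule's two selections in plain Python and runs them over constructed Sysmon-style events. The wildcard lists are copied from the rule above; Sigma string values are matched case-insensitively with `*` standing for any run of characters, and Sysmon Event ID 11 is FileCreate (`TargetFilename`) while Event ID 13 is a RegistryEvent value set (`TargetObject`). The sample events, the placeholder SID and the function names are assumptions made for the example.

```python
import re

# Wildcard lists copied from the Sigma rule above; the matching code and the
# sample events below are constructed for this example.
FILE_PATTERNS = [
    r'*\AppData\Roaming\remcos\logs*.dat*',
    r'*\ProgramData\remcos\logs.dat*',
]
REGISTRY_PATTERNS = [
    r'*\Software\Remcos*exepath*',
    r'*\Software\Rmc-*exepath*',
    r'*\microsoft\windows\currentversion\run*remcos*',
]


def sigma_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a plain Sigma string value into a compiled regex.

    Sigma string matching is case-insensitive; '*' matches any run of
    characters and '?' a single character.  Everything else, including the
    backslashes in Windows paths, is matched literally.  (Sigma only treats a
    backslash as an escape when it precedes a wildcard or another backslash,
    which this rule never does, so that case is deliberately not handled.)
    """
    parts = []
    for ch in pattern:
        if ch == '*':
            parts.append('.*')
        elif ch == '?':
            parts.append('.')
        else:
            parts.append(re.escape(ch))
    return re.compile('^' + ''.join(parts) + '$', re.IGNORECASE | re.DOTALL)


FILE_RES = [sigma_wildcard_to_regex(p) for p in FILE_PATTERNS]
REGISTRY_RES = [sigma_wildcard_to_regex(p) for p in REGISTRY_PATTERNS]


def fired_selections(event: dict) -> list:
    """Return the names of the rule's selections that this Sysmon event satisfies."""
    hits = []
    # selection: Sysmon EventID 11 (FileCreate) writing a remcos logs*.dat file
    if event.get('EventID') == 11 and any(
            r.match(event.get('TargetFilename', '')) for r in FILE_RES):
        hits.append('selection')
    # selection1: Sysmon EventID 13 (RegistryEvent, value set) on a Remcos / Rmc-
    # 'exepath' value or a Run-key persistence value containing 'remcos'
    if event.get('EventID') == 13 and any(
            r.match(event.get('TargetObject', '')) for r in REGISTRY_RES):
        hits.append('selection1')
    return hits


def rule_fires(event: dict) -> bool:
    """condition: selection or selection1"""
    return bool(fired_selections(event))


# Constructed Sysmon-style events (not real telemetry); the SID is a placeholder.
SAMPLE_EVENTS = [
    {'EventID': 11, 'TargetFilename': r'C:\Users\alice\AppData\Roaming\remcos\logs.dat'},
    {'EventID': 11, 'TargetFilename': r'C:\ProgramData\remcos\logs.dat'},
    {'EventID': 13, 'TargetObject': r'HKU\S-1-5-21-PLACEHOLDER-1001\Software\Remcos-ABC123\exepath'},
    {'EventID': 13, 'TargetObject': r'HKU\S-1-5-21-PLACEHOLDER-1001\Software\Rmc-XYZ789\exepath'},
    {'EventID': 13, 'TargetObject': r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos'},
    # Look-alikes that must not fire: a logs.dat in another directory, and the
    # right path but the wrong event type (EventID 1 is ProcessCreate)
    {'EventID': 11, 'TargetFilename': r'C:\Users\alice\AppData\Roaming\Mozilla\logs.dat'},
    {'EventID': 1, 'TargetFilename': r'C:\Users\alice\AppData\Roaming\remcos\logs.dat'},
]


def evaluate(events: list) -> list:
    """Run the rule over a list of events and return one bool per event."""
    return [rule_fires(e) for e in events]


if __name__ == '__main__':
    for e, fired in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        target = e.get('TargetFilename') or e.get('TargetObject')
        print(f'{fired!s:5} {fired_selections(e)!s:16} {target}')
```

The first five constructed events fire (two via `selection`, three via `selection1`) and the last two do not, which is the point of checking `EventID` before the path: a matching path on the wrong Sysmon event type is not a hit. In production you would not hand-translate the rule like this but feed it to a Sigma converter (sigma-cli / pySigma) for your SIEM; the value of re-implementing it is seeing exactly which wildcard and which event field each detection hinges on, so you can judge false-positive exposure (for example, the `Run*remcos*` pattern matches on the substring alone, regardless of which value under the Run key is set).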