Threat Hunt: Validating EDR Effectiveness Against Low Noise Remote Access Threats

1. Executive Summary

Endpoint Detection and Response (EDR) platforms have significantly raised the bar for attackers. Known malware, commodity tools, and noisy post exploitation activity are routinely detected and blocked. However, modern adversaries have adapted. This threat hunting engagement was designed to answer a critical leadership question:

“If our EDR is deployed correctly and nothing is alerting, are we actually safe?”

To validate this assumption, we conducted a hypothesis-driven threat hunt focused on identifying potential EDR blind spots: specifically, attacker behaviours that prioritise stealth, persistence, and long-term access over disruption.

Using Remcos style remote access tradecraft as a representative example, we evaluated whether low noise user space activity could persist in an EDR protected environment without triggering high confidence alerts.

The hunt demonstrated that while EDR platforms are highly effective at detecting known malicious tooling, human led threat hunting remains essential to validate assumptions, uncover weak signals, and build confidence in security posture.

2. Why This Hunt Matters

Recent threat intelligence from our trusted sources indicates an increased use of Remcos-style remote access trojans targeting financial sector organisations in Australia over the last 90 days. These campaigns favour low-noise, persistence-focused access rather than disruptive activity, making them well-suited to evade purely alert-driven defences.

For threats of this nature, most organisations rely heavily on reactive EDR alerts. This approach carries an implicit assumption:

“If no alert has fired, no threat is present”

This assumption does not consistently hold against modern remote access tooling. In reality:

  • Some attackers are patient, quiet, and intentional
  • Business-critical data can be accessed without service disruption or outages
  • Long-dwell compromises often surface only as contextual signals, not discrete alerts

Remcos was deliberately selected for this hunt because it represents a realistic, financially motivated threat currently observed in the Australian financial sector:

  • Frequently delivered via phishing and initial access brokers
  • Designed to blend into legitimate user activity
  • Capable of persistence, credential access, and remote command execution with minimal noise

Rather than hunting Remcos as a specific malware family, this engagement used Remcos as a proxy for a broader class of low-noise remote access threats.

3. Hunt Objective & Hypothesis

Objective

To validate whether a determined attacker using low noise remote access techniques could:

  • Execute from user writable locations
  • Maintain persistence
  • Communicate externally
  • Avoid triggering high severity EDR alerts

Hypothesis

If an attacker uses legitimate Windows binaries, minimal network traffic, and user space persistence mechanisms, their activity may not generate actionable EDR alerts and must be identified through proactive hunting.

This hypothesis was intentionally tool agnostic and focused on attacker behaviour, not malware signatures.

4. Threat Model: Remcos Style Tradecraft

Remcos is a well-known remote access tool frequently observed in espionage, credential theft, and long dwell access campaigns. While Remcos itself is widely detected, its tradecraft remains relevant.

The hunt focused on behaviors commonly associated with this class of threat:

  • Execution from user writable directories (AppData, Temp)
  • Abuse of legitimate Windows binaries (LOLBins)
  • DLL based or lightweight payload execution
  • Registry based persistence
  • Low volume outbound network communication

Note: The goal was not to detect Remcos specifically, but to identify Remcos like behaviors that could evade automated detection.

5. Data Sources and Visibility

This hunt leveraged native EDR telemetry, including:

  • Process creation and command line arguments
  • File creation and execution paths
  • Registry modification events
  • Parent child process relationships
  • Outbound network connections
  • Process lineage and execution timelines

All analysis was conducted using existing EDR visibility without deploying additional agents or tools.

6. Hunt Methodology

We followed a structured, repeatable approach:

  • Baseline expected behaviour for endpoints and users
  • Identify deviations aligned with low noise attacker tradecraft
  • Pivot through process lineage to validate intent
  • Correlate weak signals across execution, persistence, and network activity
  • Apply human context to distinguish malicious behaviour from legitimate administrative activity

This approach emphasises validation over alert chasing.

7. Hunt Area

Hunt#1: Execution of DLLs or binaries from user writable paths using Windows LOLBins.

This hunt focused on identifying abuse of trusted Windows utilities (LOLBins) to execute payloads from user-writable directories such as AppData and Temp. We built layered queries correlating parent, source, and target processes, command-line patterns, and execution paths to separate legitimate administrative activity from high-confidence malicious tradecraft designed to blend into normal system behaviour.

Hunt#2: Registry based persistence pointing to non-standard execution paths on Windows devices

This hunt aimed to detect persistence mechanisms where registry auto-start entries referenced executables outside standard system directories. We developed complex filters to normalise quoted paths and command-line arguments, exclude known-good system locations, and surface registry values that would cause Windows to automatically execute binaries from user-writable or uncommon locations at logon or startup.
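The two hunt areas above share one normalisation problem: pulling a case-folded, quote-aware target path out of a command line or registry value before deciding whether it lives in a user-writable location. The following Python is an added illustration written for this page, not the queries Orro ran: it implements that normalisation once and applies it to both Hunt #1 (LOLBin loading a payload from AppData/Temp) and Hunt #2 (auto-start value pointing outside system directories) over constructed sample telemetry. The LOLBin list, path markers and sample events are assumptions, not values from the engagement.

```python
import re
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}  # rundll32/regsvr32 from the page; mshta assumed
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\", "%appdata%", "%localappdata%", "%temp%")
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

def path_tokens(cmdline):
    """Quote-aware tokens that look like Windows paths, case-folded, ',EntryPoint' stripped."""
    out = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline):
        tok = (quoted or bare).split(",")[0].strip().lower()
        if re.match(r"^(?:[a-z]:\\|%[a-z]+%)", tok):
            out.append(tok)
    return out

def hunt1_lolbin_from_user_path(event):
    """Hunt #1: LOLBin whose command line references a payload in a user-writable path."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return False
    payloads = [p for p in path_tokens(event["command_line"]) if not p.endswith(image)]
    return any(marker in p for p in payloads for marker in USER_WRITABLE)

def hunt2_registry_persistence(event):
    """Hunt #2: auto-start registry value whose target is outside system directories."""
    if not any(k in event["key"].lower() for k in AUTOSTART_KEYS):
        return False
    paths = path_tokens(event["value_data"])
    return bool(paths) and not paths[0].startswith(SYSTEM_DIRS)

# Constructed sample telemetry (not from any real environment).
SAMPLE_PROCESS_EVENTS = [
    {"image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\Update\\core.dll,Start"},
    {"image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": 'regsvr32.exe /s "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.ocx"'},
]
SAMPLE_REGISTRY_EVENTS = [
    {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "Updater",
     "value_data": '"%APPDATA%\\Updater\\upd.exe" --silent'},
    {"key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "VendorAgent",
     "value_data": '"C:\\Program Files (x86)\\Vendor\\agent.exe" -tray'},
]
def run_hunts():
    h1 = [e["command_line"] for e in SAMPLE_PROCESS_EVENTS if hunt1_lolbin_from_user_path(e)]
    h2 = [e["name"] for e in SAMPLE_REGISTRY_EVENTS if hunt2_registry_persistence(e)]
    return h1, h2
```

Each hit is a lead for analyst validation, not a verdict: the shell32.dll and vendor-agent samples are dropped precisely because a system-path target is the benign case the filters are meant to exclude.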

8. What We Observed

While no confirmed active Remcos infection was identified during this hunt, the engagement produced clear, evidence-based outcomes directly tied to Remcos-style tradecraft. These outcomes validate defensive posture against a realistic and relevant threat model, rather than relying on assumptions.

8.1 No Evidence of Active Remcos Execution

The hunt found no evidence of active Remcos execution, including:

  • No DLL-based RAT execution from user-writable directories (e.g., AppData, Temp)
  • No sustained remote access processes consistent with Remcos behavior
  • No registry-based persistence pointing to suspected RAT payloads

Outcome
The threat hunt provides high confidence that the environment is not currently compromised by this class of low-noise RAT, reducing the risk of silent credential theft or long-term unauthorised access.

8.2 Validation of EDR Effectiveness Against Known Remcos Tradecraft

The hunt validated that existing EDR controls are effective at detecting and containing known Remcos techniques, including:

  • Execution via common LOLBins (e.g., rundll32, regsvr32)
  • User-space payload execution patterns historically associated with Remcos

No missed high-confidence detections or suppressed alerts related to this tradecraft were identified.

Outcome
Confirms that current EDR configuration and policies are appropriately tuned to handle known RAT-based threats without requiring immediate changes.

8.3 Identification of Remcos-Relevant Weak Signals

The hunt surfaced low-signal activity patterns that did not represent confirmed compromise but are relevant to Remcos-style attacks, including:

  • Legitimate use of rundll32 and PowerShell in user context
  • Rare execution patterns from user-writable locations

While benign in this case, these patterns mirror early-stage Remcos activity and would warrant rapid validation if observed in combination.

Outcome
Improves detection readiness by clearly defining what “early warning signs” would look like before a RAT establishes persistence.

8.4 Validation of Exposure Points Commonly Abused by Remcos

The hunt confirmed the presence of legitimate administrative and operational behaviors that could be abused by Remcos operators if initial access were achieved, such as:

  • Allowed execution from user-writable directories
  • Legitimate persistence mechanisms available to standard users

These behaviours are not misconfigurations but represent inherent exposure points.

Outcome
Enables informed, risk-based decisions on whether to harden controls further or formally accept residual risk.

8.5 Improved Confidence in Detecting Long-Dwell RAT Activity

By specifically testing for Remcos-style long-dwell behavior, the organisation now has:

  • A clearer understanding of what sustained RAT presence would look like in telemetry
  • Validated escalation criteria for suspicious but low-noise activity
  • Improved analyst confidence in distinguishing benign anomalies from stealthy access

Outcome
Reduces uncertainty during future investigations and shortens time-to-certainty if similar activity is observed.

9. Key Insight for Leadership

The absence of Remcos is a verified outcome, not an assumption.

This hunt demonstrated that Remcos-style remote access activity would likely surface through a combination of weak signals before becoming an incident. By validating this proactively, the organisation reduced the risk of silent compromise and strengthened confidence in its defensive posture.

It also shortens time-to-certainty during real incidents and improves executive confidence in security response capabilities. Finally, this hunt provided assurance that critical defensive assumptions were tested and validated before an attacker could

10. Defensive Recommendations

Based on the outcomes of this Remcos focused blind spot validation hunt, the following recommendations are directly grounded in observed telemetry and validated exposure points, rather than generic best practices.

10.1 Strengthen Monitoring of User Space Execution Paths

The hunt confirmed that user writable directories (e.g., AppData, Temp) remain viable execution locations that could be abused by Remcos style RATs.

Recommended Action:

  • Increase monitoring and alerting fidelity for execution originating from user space paths
  • Prioritise correlation when such execution is combined with LOLBins (e.g., rundll32, regsvr32)

Risk Reduced:
Early identification of RAT staging activity before persistence is established.

10.2 Formalise Escalation Criteria for Low Signal RAT Indicators

Several Remcos relevant behaviours were observed that were benign in isolation but meaningful in combination.

Recommended Action:

  • Define explicit escalation criteria for clustered weak signals (e.g., user space execution + registry modification + outbound connection)
  • Ensure analysts are empowered to escalate contextual suspicion, not just alerts

Risk Reduced:
Reduces dwell time for stealthy remote access tooling that avoids single event detection.
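The escalation criterion above (user space execution + registry modification + outbound connection) is easy to state and easy to get wrong in practice, because each signal on its own is routine. The Python below is an added example, not Orro's tooling, showing one way to operationalise it: group weak signals per host and escalate only when two or more distinct signal classes land inside a sliding time window. The signal names, the 30-minute window and the sample events are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The three weak-signal classes named on the page. One alone is routine noise;
# two or more distinct classes on the same host inside the window warrant escalation.
WEAK_SIGNALS = {"user_space_exec", "registry_autostart_mod", "outbound_conn"}

def escalation_candidates(signals, window_minutes=30, min_distinct=2):
    """Return {host: sorted signal classes} for hosts where at least `min_distinct`
    different weak-signal classes occur within any `window_minutes` sliding window."""
    by_host = defaultdict(list)
    for s in signals:
        if s["signal"] in WEAK_SIGNALS:
            by_host[s["host"]].append((datetime.fromisoformat(s["ts"]), s["signal"]))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for host, events in by_host.items():
        events.sort()  # chronological, so each start point only looks forward
        for i, (t0, _) in enumerate(events):
            kinds = {kind for t, kind in events[i:] if t - t0 <= window}
            if len(kinds) >= min_distinct:
                hits[host] = sorted(kinds)
                break
    return hits

# Constructed sample signals (assumed hostnames and times, not real telemetry).
SAMPLE_SIGNALS = [
    {"host": "WS-0142", "ts": "2025-01-10T09:02:00", "signal": "user_space_exec"},
    {"host": "WS-0142", "ts": "2025-01-10T09:05:30", "signal": "registry_autostart_mod"},
    {"host": "WS-0142", "ts": "2025-01-10T09:11:00", "signal": "outbound_conn"},
    {"host": "WS-0207", "ts": "2025-01-10T08:00:00", "signal": "user_space_exec"},  # isolated
    {"host": "WS-0207", "ts": "2025-01-10T13:45:00", "signal": "outbound_conn"},    # hours later
    {"host": "WS-0301", "ts": "2025-01-10T10:00:00", "signal": "user_space_exec"},
    {"host": "WS-0301", "ts": "2025-01-10T10:01:00", "signal": "user_space_exec"},  # same class twice
]
```

Only WS-0142 clusters all three classes within the window; WS-0207's signals are hours apart and WS-0301 repeats a single class, so neither is escalated.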

10.3 Validate Persistence Controls Against Legitimate Abuse Paths

The hunt confirmed that standard user level persistence mechanisms remain available and could be leveraged by Remcos operators post compromise.

Recommended Action:

  • Periodically review registry based and startup persistence telemetry
  • Apply stricter scrutiny to persistence pointing to non-standard locations

Risk Reduced:
Limits the ability of RATs to maintain long term access without detection.

10.4 Institutionalise Periodic Blindspot Validation Hunts

This engagement demonstrated that assurance comes from testing assumptions, not relying on tool coverage claims.

Recommended Action:

  • Conduct periodic hypothesis driven hunts focused on long dwell, low noise threats
  • Rotate threat models (RATs, credential access, insider abuse) rather than repeating IOC based hunts

Risk Reduced:
Prevents security posture drift and ensures controls remain effective as attacker tradecraft evolves.

11. Compliance Contribution

From a governance and risk perspective, this hunt supports controls in multiple regulations and compliance frameworks, such as A.5.24, A.5.25 and A.5.26 in ISO 27001, paragraphs 30(c) and 32 of APRA CPS 234, the incident response controls in the Essential Eight, and CC7.4 and CC7.5 in SOC 2.


Orro Group delivers proactive threat hunting, incident response, 24×7 security monitoring and security assurance services focused on real-world attacker behaviour. Ready to test your assumptions? Speak with Orro’s threat hunting team to schedule a blind-spot validation engagement.
