
Summary
This detection rule identifies the presence and execution of the REMCOS Remote Access Trojan (RAT) on Windows endpoints. REMCOS is a malicious remote access tool that attackers use to control infected systems, giving them unauthorized access and the ability to carry out further harmful activity. The rule relies on specific indicators of compromise (IOCs): file deletion patterns in the Temp folder, log files that REMCOS writes into user directories, and anomalous registry entries that indicate the persistence mechanisms the malware uses. When enabled, it matches these patterns in real time and alerts security operations to potential REMCOS activity.

Additional context and investigation guidance accompany the rule, recommending isolation of affected systems, termination of suspicious processes, and enhanced logging for similar tools to prevent future infections. This proactive monitoring strategy reflects the high severity of the detected threat and its risk implications; the rule is assigned a risk score of 73. Detection draws on data from multiple log sources, including Elastic Endgame, Microsoft Defender, and Sysmon, for reliable and comprehensive coverage.
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- File
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1219
Created: 2025-08-20