Analytics Story: AgentTesla

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware, including .chm application child processes, FTP/SMTP connections, persistence mechanisms and many more. AgentTesla is an advanced remote access trojan (RAT) capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, screenshots and VPN credentials. AgentTesla has been active since 2014 and is often delivered as a malicious attachment in phishing emails. It was also the top malware in 2021 according to the CISA report.

Why it matters

Adversaries or threat actors may use this malware to maximize the impact of an infection on the target organization in operations where network-wide availability interruption is the goal.

Detections

| Name | Technique | Type |
|---|---|---|
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP |
| Excessive Usage Of Taskkill | Disable or Modify Tools | Anomaly |
| PowerShell - Connect To Internet With Hidden Window | PowerShell | Hunting |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Disabling Remote User Account Control | Bypass User Account Control | TTP |
| Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP |
| Powershell Windows Defender Exclusion Commands | Disable or Modify Tools | TTP |
| Windows File Transfer Protocol In Non-Common Process Path | Mail Protocols | Anomaly |
| Windows Office Product Loading VBE7 DLL | Spearphishing Attachment | Anomaly |
| PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools | TTP |
| Windows Drivers Loaded by Signature | Rootkit, Exploitation for Privilege Escalation | Hunting |
| Detect HTML Help Spawn Child Process | Compiled HTML File | TTP |
| Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task | Anomaly |
| Windows Multi hop Proxy TOR Website Query | Mail Protocols | Anomaly |
| Windows Suspicious Driver Loaded Path | Windows Service | TTP |
| Windows Mail Protocol In Non-Common Process Path | Mail Protocols | Anomaly |
| Windows Office Product Dropped Uncommon File | Spearphishing Attachment | Anomaly |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly |
| Windows Process Execution in Temp Dir | Match Legitimate Resource Name or Location, Create or Modify System Process | Anomaly |
| Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment | Hunting |
| Windows ISO LNK File Creation | Malicious Link, Spearphishing Attachment | Hunting |
| Windows Driver Load Non-Standard Path | Rootkit, Exploitation for Privilege Escalation | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 6 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System |

Source: GitHub | Version: 2