Analytics Story: AsyncRAT

Date: 2023-01-24 ID: d7053072-7dd2-4874-8314-bfcbc99978a4 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.

Why it matters

although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Execution of File with Multiple Extensions Masquerading, Rename System Utilities TTP
Loading Of Dynwrapx Module Process Injection, Dynamic-link Library Injection TTP
Malicious PowerShell Process - Execution Policy Bypass Command and Scripting Interpreter, PowerShell TTP
Powershell Fileless Script Contains Base64 Encoded Content Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell TTP
PowerShell Loading DotNET into Memory via Reflection Command and Scripting Interpreter, PowerShell TTP
Powershell Processing Stream Of Data Command and Scripting Interpreter, PowerShell TTP
Recon Using WMI Class Gather Victim Host Information, PowerShell Anomaly
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Regsvr32 Silent and Install Param Dll Loading System Binary Proxy Execution, Regsvr32 Anomaly
Regsvr32 with Known Silent Switch Cmdline System Binary Proxy Execution, Regsvr32 Anomaly
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Suspicious Copy on System32 Rename System Utilities, Masquerading TTP
Suspicious Process File Path Create or Modify System Process TTP
Vbscript Execution Using Wscript App Visual Basic, Command and Scripting Interpreter TTP
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation Anomaly
Windows Powershell Cryptography Namespace PowerShell, Command and Scripting Interpreter Anomaly
Windows Scheduled Task with Highest Privileges Scheduled Task/Job, Scheduled Task TTP
Windows Spearphishing Attachment Connect To None MS Office Domain Spearphishing Attachment, Phishing Hunting
Windows Spearphishing Attachment Onenote Spawn Mshta Spearphishing Attachment, Phishing TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4703 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational

References

Source: GitHub | Version: 1