Analytics Story: AsyncRAT

Description

Leverage searches that detect and investigate unusual activity that might relate to the AsyncRAT malware, including child processes spawned by mshta.exe, batch loader execution, persistence and more. AsyncRAT is an open source remote administration tool released in 2019. It is designed to remotely control computers over an encrypted connection and offers screen viewing, keylogging, chat, persistence, defense evasion (for example, tampering with Windows Defender), DoS attacks and more.

Why it matters

Although the project ships with a legal disclaimer, AsyncRAT is widely used by adversaries and threat actors in real attacks. This story was built around a fully undetected (FUD) batch-script loader that downloads and loads AsyncRAT from its C2 server. The batch script is obfuscated and launches a PowerShell loader that Base64-decodes and AES-256-decrypts the actual AsyncRAT payload before running it. The detections below cover the stages of that chain: PowerShell script block logging exposes the decode, decrypt and reflective-load steps, while Sysmon and Security events expose the process spawns, scheduled tasks and registry run keys used for execution and persistence.
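The decode, decrypt and reflective-load stages of the loader chain described above all land in PowerShell script block logging (Event ID 4104). The following is an added example, not Splunk's own detection logic or anything from the AsyncRAT project: it parses constructed XmlWinEventLog 4104 records, reassembles script blocks that Windows split across several events (ordered by MessageNumber, grouped by ScriptBlockId), and flags a block as a loader only when all three stages appear together. Host names, ScriptBlockIds and the script text are hypothetical; the payload blob is filler bytes, not a real sample.

```python
"""Triage PowerShell script-block logs (Event ID 4104) for the AsyncRAT loader
chain: Base64-decode a blob, AES-decrypt it with .NET System.Security.Cryptography,
and load the result with [Reflection.Assembly]::Load.  Added example, not Splunk's
own detection logic; every event below is constructed, not captured from a host."""
import base64
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# One regex per loader stage. "blob" catches the embedded payload itself.
STAGES = {
    "decode":  re.compile(r"FromBase64String\s*\(", re.I),
    "decrypt": re.compile(r"System\.Security\.Cryptography\.(?:Aes|Rijndael)\w*", re.I),
    "load":    re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\w*\s*\(", re.I),
    "blob":    re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def classify(script):
    """Return (verdict, [stages hit]) for one reassembled script block."""
    hits = [name for name, rx in STAGES.items() if rx.search(script)]
    if {"decode", "decrypt", "load"} <= set(hits):
        return "loader", hits          # full decode -> decrypt -> reflective-load chain
    if "load" in hits or ("decode" in hits and "blob" in hits):
        return "suspicious", hits      # partial chain: worth an analyst's look
    return "benign", hits


def parse_4104(xml_text):
    """Pull the fields we need from one XmlWinEventLog record; None if it is not 4104."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "id": data.get("ScriptBlockId", ""),
        "num": int(data.get("MessageNumber", "1")),
        "text": data.get("ScriptBlockText", ""),
        "computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }


def triage(events):
    """Reassemble fragments by ScriptBlockId (Windows splits long blocks across
    several 4104 events, ordered by MessageNumber), then classify each block."""
    fragments, computer = defaultdict(list), {}
    for xml_text in events:
        ev = parse_4104(xml_text)
        if ev is None:
            continue
        fragments[ev["id"]].append((ev["num"], ev["text"]))
        computer[ev["id"]] = ev["computer"]
    results = {}
    for sbid, parts in fragments.items():
        script = "".join(text for _, text in sorted(parts))
        verdict, stages = classify(script)
        results[sbid] = {"computer": computer[sbid], "verdict": verdict, "stages": stages}
    return results


# ---- constructed sample events (hypothetical hosts and script-block IDs) ----
def _event(computer, sbid, num, total, text, event_id=4104):
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}</Data>'
            f'<Data Name="ScriptBlockText">{text}</Data>'
            f'<Data Name="ScriptBlockId">{sbid}</Data></EventData></Event>')

BLOB = base64.b64encode(bytes(range(256)) * 2).decode()   # filler standing in for the encrypted payload
KEY, IV = base64.b64encode(b"\x00" * 32).decode(), base64.b64encode(b"\x00" * 16).decode()
# The loader pattern from the paragraph above, split over two 4104 fragments.
LOADER_PART1 = (f"$k=[Convert]::FromBase64String('{KEY}');$iv=[Convert]::FromBase64String('{IV}');"
                f"$d=[Convert]::FromBase64String('{BLOB}');")
LOADER_PART2 = ("$a=New-Object System.Security.Cryptography.AesManaged;$a.Key=$k;$a.IV=$iv;"
                "$p=$a.CreateDecryptor().TransformFinalBlock($d,0,$d.Length);"
                "[Reflection.Assembly]::Load($p).EntryPoint.Invoke($null,$null)")

SAMPLE_EVENTS = [
    _event("ws01.corp.example", "sb-loader", 1, 2, LOADER_PART1),
    _event("ws01.corp.example", "sb-loader", 2, 2, LOADER_PART2),
    # Benign: short Base64 config string and a service query.
    _event("ws02.corp.example", "sb-admin", 1, 1,
           "$cfg=[Convert]::FromBase64String('c2VydmVyPWxvZ3MuY29ycC5leGFtcGxl');"
           "[Text.Encoding]::UTF8.GetString($cfg);Get-Service | Where-Object {$_.Status -eq 'Running'}"),
    # Benign: uses the Cryptography namespace, but only for hashing.
    _event("ws02.corp.example", "sb-hash", 1, 1,
           "$h=[System.Security.Cryptography.SHA256]::Create();"
           "$h.ComputeHash([IO.File]::ReadAllBytes('C:/tools/agent.exe'))"),
    # Reflective load of a large blob with no AES stage: partial chain.
    _event("ws03.corp.example", "sb-reflect", 1, 1,
           f"[Reflection.Assembly]::Load([Convert]::FromBase64String('{BLOB}'))"),
    # Not a script-block event at all (4103 module logging): ignored.
    _event("ws03.corp.example", "sb-other", 1, 1, "Get-Process", event_id=4103),
]

if __name__ == "__main__":
    for sbid, r in triage(SAMPLE_EVENTS).items():
        print(f"{r['computer']:20} {sbid:12} {r['verdict']:10} {','.join(r['stages'])}")
```

Reassembly is the part that matters in practice: each fragment of the loader on its own only reaches "suspicious" (the first holds the decode and the blob, the second the AES decrypt and the reflective load), so a rule that scores single 4104 events would never see the full chain. Script block logging has to be enabled on the endpoints for any of this to exist in the first place.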

Detections

Name | Technique | Type
Suspicious Process File Path | Create or Modify System Process | TTP
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Execution of File with Multiple Extensions | Rename System Utilities | TTP
Loading Of Dynwrapx Module | Dynamic-link Library Injection | TTP
Malicious PowerShell Process - Execution Policy Bypass | PowerShell | Anomaly
Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP
PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly
Powershell Processing Stream Of Data | PowerShell | TTP
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Regsvr32 Silent and Install Param Dll Loading | Regsvr32 | Anomaly
Regsvr32 with Known Silent Switch Cmdline | Regsvr32 | Anomaly
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Suspicious Copy on System32 | Rename System Utilities | TTP
Vbscript Execution Using Wscript App | Visual Basic | TTP
Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly
Windows Powershell Cryptography Namespace | PowerShell | Anomaly
Windows Scheduled Task with Highest Privileges | Scheduled Task | TTP
Windows Spearphishing Attachment Connect To None MS Office Domain | Spearphishing Attachment | Hunting
Windows Spearphishing Attachment Onenote Spawn Mshta | Spearphishing Attachment | TTP
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4703 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Windows Event Log TaskScheduler 201 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational

Source: GitHub | Version: 1