Analytics Story: PlugX

Date: 2023-10-12 ID: a2c94c99-b93b-4bc7-a749-e2198743d0d6 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

PlugX, also referred to as "PlugX RAT" or "Kaba," is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.

Why it matters

PlugX, known as the "silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind, espionage. PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Allow Inbound Traffic By Firewall Rule Registry	Remote Desktop Protocol, Remote Services	TTP
CMD Carry Out String Command Parameter	Windows Command Shell, Command and Scripting Interpreter	Hunting
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Firewall Allowed Program Enable	Disable or Modify System Firewall, Impair Defenses	Anomaly
Network Connection Discovery With Netstat	System Network Connections Discovery	Hunting
Office Application Drop Executable	Phishing, Spearphishing Attachment	TTP
Office Document Executing Macro Code	Phishing, Spearphishing Attachment	TTP
Office Document Spawned Child Process To Download	Phishing, Spearphishing Attachment	TTP
Office Product Spawn CMD Process	Phishing, Spearphishing Attachment	TTP
Suspicious Process File Path	Create or Modify System Process	TTP
Suspicious writes to windows Recycle Bin	Masquerading	TTP
Windows Access Token Manipulation SeDebugPrivilege	Create Process with Token, Access Token Manipulation	Anomaly
Windows Debugger Tool Execution	Masquerading	Hunting
Windows Masquerading Msdtc Process	Masquerading	TTP
Windows Replication Through Removable Media	Replication Through Removable Media	TTP
Windows Service Created with Suspicious Service Path	System Services, Service Execution	TTP
Windows Service Creation Using Registry Entry	Services Registry Permissions Weakness	TTP
Windows Service Deletion In Registry	Service Stop	Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path	DLL Side-Loading, Hijack Execution Flow	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 11	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 12	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 13	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 7	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`
Windows Event Log Security 4703	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`
Windows Event Log System 7045	Windows	`xmlwineventlog`	`XmlWinEventLog:System`

References

Source: GitHub | Version: 2