Analytics Story: Quasar RAT

Description

Leverage searches that help you detect and investigate unusual activities potentially associated with Quasar RAT. These include processes accessing FileZilla XML configuration files (which may store FTP credentials for exfiltration), loading Mozilla NSS and Mozglue libraries (often targeted for DLL side-loading attacks to evade detection), stealing credentials via browsers, and accessing IntelliForms Storage registry keys used by Internet Explorer (which can contain saved credentials and autocomplete data valuable for credential theft).
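
The three host-artifact indicators named above, expressed as detection logic over constructed Sysmon (EventID 7, 12/13) and Security 4663 records. This is an added example, not one of the story's searches; the field names, the expected-owner process lists and the sample events are assumptions for illustration.

```python
import re

# Expected owners of each artifact. The allowlists are assumptions for this
# example; tune them to the software actually deployed in your environment.
FILEZILLA_CONFIG = re.compile(r"\\FileZilla\\(sitemanager|recentservers|filezilla)\.xml$", re.I)
FILEZILLA_PROCS = {"filezilla.exe", "fzsftp.exe"}
MOZILLA_MODULES = re.compile(r"\\(nss3|mozglue)\.dll$", re.I)
MOZILLA_PROCS = {"firefox.exe", "thunderbird.exe"}
INTELLIFORMS_KEY = re.compile(r"\\Internet Explorer\\IntelliForms\\Storage2", re.I)
IE_PROCS = {"iexplore.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path ('C:\\x\\y.exe' -> 'y.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule, process, target) for each event that matches one of the rules."""
    findings = []
    for ev in events:
        proc = _basename(ev.get("Image", ""))
        # Each record carries exactly one target field depending on its type.
        target = ev.get("TargetObject") or ev.get("ImageLoaded") or ev.get("ObjectName") or ""
        eid = ev.get("EventID")
        if eid == 4663 and FILEZILLA_CONFIG.search(target) and proc not in FILEZILLA_PROCS:
            findings.append(("unusual_filezilla_xml_config_access", proc, target))
        elif eid == 7 and MOZILLA_MODULES.search(target) and proc not in MOZILLA_PROCS:
            findings.append(("unusual_process_load_nss_mozglue", proc, target))
        elif eid in (12, 13) and INTELLIFORMS_KEY.search(target) and proc not in IE_PROCS:
            findings.append(("unusual_intelliforms_storage_access", proc, target))
    return findings


# Constructed sample events (not real telemetry): two benign, three suspicious.
SAMPLE_EVENTS = [
    {"EventID": 4663, "Image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"EventID": 4663, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml"},
    {"EventID": 7, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
    {"EventID": 7, "Image": r"C:\Users\Public\Client.exe",
     "ImageLoaded": r"C:\Users\Public\mozglue.dll"},
    {"EventID": 13, "Image": r"C:\Users\Public\Client.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\entry"},
]

if __name__ == "__main__":
    for rule, proc, target in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {proc} -> {target}")
```

The benign FileZilla and Firefox records produce no finding; the three remaining records each trip exactly one rule.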

Why it matters

Quasar RAT is an open-source remote access Trojan (RAT) written in .NET, widely used by both cybercriminals and advanced threat actors for espionage, credential theft, and lateral movement. First appearing around 2014, Quasar offers a rich feature set including remote desktop control, file management, keylogging, and password dumping. Its open-source nature makes it easy for attackers to customize and rebrand, complicating attribution efforts. Quasar is often delivered through phishing emails, malicious attachments, or cracked software, establishing persistence via registry keys or scheduled tasks. Once installed, it communicates with command-and-control servers over configurable ports, often using encrypted channels to evade network detection.

Detections

Name | Technique | Type
CHCP Command Execution | Command and Scripting Interpreter | Anomaly
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly
Ping Sleep Batch Command | Time Based Evasion | Anomaly
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Runas Execution in CommandLine | Token Impersonation/Theft | Hunting
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Schtasks scheduling job on remote system | Scheduled Task | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder | Anomaly
Windows Credential Access From Browser Password Store | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows Mark Of The Web Bypass | Mark-of-the-Web Bypass | TTP
Windows Scheduled Task with Highest Privileges | Scheduled Task | TTP
Windows Scheduled Task with Suspicious Command | Scheduled Task | TTP
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP
Windows System Reboot CommandLine | System Shutdown/Reboot | Anomaly
Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly
Windows Unusual FileZilla XML Config Access | Credentials In Files | Anomaly
Windows Unusual Intelliform Storage Registry Access | Credentials In Files | Anomaly
Windows Unusual Process Load Mozilla NSS-Mozglue Module | CMSTP | Anomaly
Windows User Execution Malicious URL Shortcut File | Malicious File | Anomaly
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4700 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4702 | Windows | XmlWinEventLog | XmlWinEventLog:Security

Source: GitHub | Version: 1