Analytics Story: ValleyRAT

Date: 2024-09-11 ID: e9703322-5462-4c4a-a427-b9895c1472de Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might be related to ValleyRAT malware. ValleyRAT is a remote access trojan (RAT) known for targeting specific organizations and individuals to gain unauthorized access to systems. It enables attackers to execute commands, steal sensitive data, and manipulate files. This malware often uses phishing emails or malicious attachments to infect systems. Detecting ValleyRAT early is crucial to preventing data breaches and further exploitation. Analysts can use behavioral analysis and signature-based detection to mitigate its impact.

Why it matters

ValleyRAT is a stealthy remote access trojan (RAT) used by cybercriminals to gain unauthorized control over compromised systems. It often infiltrates targets through phishing emails or malicious attachments, allowing attackers to execute commands, steal sensitive information, manipulate files, and monitor user activities remotely. Once inside, ValleyRAT can evade detection by blending in with legitimate processes, making it challenging to identify.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Add or Set Windows Defender Exclusion Disable or Modify Tools, Impair Defenses TTP
CMLUA Or CMSTPLUA UAC Bypass System Binary Proxy Execution, CMSTP TTP
Eventvwr UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
FodHelper UAC Bypass Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Suspicious Process File Path Create or Modify System Process TTP
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation Anomaly
Windows Defender Exclusion Registry Entry Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defenses Disable AV AutoStart via Registry Modify Registry TTP
Windows Modify Registry Utilize ProgIDs Modify Registry Anomaly
Windows Modify Registry ValleyRAT C2 Config Modify Registry TTP
Windows Modify Registry ValleyRat PWN Reg Entry Modify Registry TTP
Windows Scheduled Task DLL Module Loaded Scheduled Task/Job TTP
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr Scheduled Task/Job TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4703 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational

References

Source: GitHub | Version: 1