Analytics Story: AgentTesla

Date: 2022-04-12 ID: 9bb6077a-843e-418b-b134-c57ef997103c Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.

Why it matters

Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Add or Set Windows Defender Exclusion Disable or Modify Tools, Impair Defenses TTP
Detect HTML Help Spawn Child Process System Binary Proxy Execution, Compiled HTML File TTP
Disabling Remote User Account Control Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Excessive Usage Of Taskkill Disable or Modify Tools, Impair Defenses Anomaly
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Office Application Drop Executable Phishing, Spearphishing Attachment TTP
Office Application Spawn rundll32 process Phishing, Spearphishing Attachment TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process Phishing, Spearphishing Attachment TTP
Office Product Spawning CertUtil Phishing, Spearphishing Attachment TTP
PowerShell - Connect To Internet With Hidden Window PowerShell, Command and Scripting Interpreter Hunting
PowerShell Loading DotNET into Memory via Reflection Command and Scripting Interpreter, PowerShell TTP
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Suspicious Driver Loaded Path Windows Service, Create or Modify System Process TTP
Suspicious Process File Path Create or Modify System Process TTP
Windows Driver Load Non-Standard Path Rootkit, Exploitation for Privilege Escalation TTP
Windows Drivers Loaded by Signature Rootkit, Exploitation for Privilege Escalation Hunting
Windows File Transfer Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol Anomaly
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Hunting
Windows Mail Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol Anomaly
Windows Multi hop Proxy TOR Website Query Mail Protocols, Application Layer Protocol Anomaly
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment, Phishing Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log System 7045 Windows icon Windows xmlwineventlog XmlWinEventLog:System

References

Source: GitHub | Version: 1