Analytics Story: AgentTesla
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware including .chm application child process, ftp/smtp connection, persistence and many more. AgentTesla is one of the advanced remote access trojans (RAT) that are capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, capture screenshots and vpn credentials. AgentTesla has been active malware since 2014 and often delivered as a malicious attachment in phishing emails.It is also the top malware in 2021 based on the CISA report.
Why it matters
Adversaries or threat actor may use this malware to maximize the impact of infection on the target organization in operations where network wide availability interruption is the goal.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
Powershell Script Block Logging 4104 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
Sysmon EventID 1 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 11 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 12 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 13 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 22 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 3 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 6 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 7 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 4663 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 4688 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log System 7045 | Windows | xmlwineventlog |
XmlWinEventLog:System |
References
- https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
- https://cert.gov.ua/article/861292
- https://www.cisa.gov/uscert/ncas/alerts/aa22-216a
- https://www.joesandbox.com/analysis/702680/0/html
Source: GitHub | Version: 1