Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware, including a .chm application spawning a child process, FTP/SMTP connections, persistence mechanisms and many more. AgentTesla is one of the advanced remote access trojans (RATs) capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information and keystrokes, capture screenshots, and harvest VPN credentials. AgentTesla has been active since 2014 and is often delivered as a malicious attachment in phishing emails. It was also the top malware in 2021 based on the CISA report.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-04-12
- Author: Teoderick Contreras, Splunk
- ID: 9bb6077a-843e-418b-b134-c57ef997103c
Narrative
Adversaries or threat actors may use this malware to maximize the impact of an infection on the target organization in operations where network-wide availability interruption is the goal.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | TTP |
| Detect HTML Help Spawn Child Process | System Binary Proxy Execution, Compiled HTML File | TTP |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Non Chrome Process Accessing Chrome Default Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly |
| Office Application Drop Executable | Phishing, Spearphishing Attachment | TTP |
| Office Application Spawn rundll32 process | Phishing, Spearphishing Attachment | TTP |
| Office Document Executing Macro Code | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawn CMD Process | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning CertUtil | Phishing, Spearphishing Attachment | TTP |
| PowerShell - Connect To Internet With Hidden Window | PowerShell, Command and Scripting Interpreter | Hunting |
| PowerShell Loading DotNET into Memory via Reflection | Command and Scripting Interpreter, PowerShell | TTP |
| Powershell Windows Defender Exclusion Commands | Disable or Modify Tools, Impair Defenses | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Suspicious Driver Loaded Path | Windows Service, Create or Modify System Process | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Windows Driver Load Non-Standard Path | Rootkit, Exploitation for Privilege Escalation | TTP |
| Windows Drivers Loaded by Signature | Rootkit, Exploitation for Privilege Escalation | Hunting |
| Windows File Transfer Protocol In Non-Common Process Path | Mail Protocols, Application Layer Protocol | Anomaly |
| Windows ISO LNK File Creation | Spearphishing Attachment, Phishing, Malicious Link, User Execution | Hunting |
| Windows Mail Protocol In Non-Common Process Path | Mail Protocols, Application Layer Protocol | Anomaly |
| Windows Multi hop Proxy TOR Website Query | Mail Protocols, Application Layer Protocol | Anomaly |
| Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment, Phishing | Hunting |
Reference
source | version: 1