Analytics Story: AsyncRAT

Updated Date: 2026-05-13 ID: d7053072-7dd2-4874-8314-bfcbc99978a4 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It's designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.

Why it matters

although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Powershell Processing Stream Of Data	PowerShell	TTP
Malicious PowerShell Process - Execution Policy Bypass	PowerShell	Anomaly
Loading Of Dynwrapx Module	Dynamic-link Library Injection	TTP
WinEvent Scheduled Task Created Within Public Path	Scheduled Task	TTP
Executables Or Script Creation In Temp Path	Masquerading	Anomaly
WinEvent Windows Task Scheduler Event Action Started	Scheduled Task	Hunting
Registry Keys Used For Persistence	Registry Run Keys / Startup Folder	TTP
Windows Spearphishing Attachment Onenote Spawn Mshta	Spearphishing Attachment	TTP
Windows Suspicious Process File Path	Match Legitimate Resource Name or Location, Create or Modify System Process	TTP
Windows Scheduled Task with Highest Privileges	Scheduled Task	TTP
CMD Carry Out String Command Parameter	Windows Command Shell	Hunting
Powershell Fileless Script Contains Base64 Encoded Content	Obfuscated Files or Information, PowerShell	TTP
Vbscript Execution Using Wscript App	Visual Basic	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Execution of File with Multiple Extensions	Rename Legitimate Utilities	TTP
Windows Access Token Manipulation SeDebugPrivilege	Create Process with Token	Anomaly
Regsvr32 Silent and Install Param Dll Loading	Regsvr32	Anomaly
Windows Powershell Cryptography Namespace	PowerShell	Anomaly
PowerShell Loading DotNET into Memory via Reflection	PowerShell	Anomaly
Suspicious Copy on System32	Rename Legitimate Utilities	Anomaly
Windows Spearphishing Attachment Connect To None MS Office Domain	Spearphishing Attachment	Hunting
Regsvr32 with Known Silent Switch Cmdline	Regsvr32	Anomaly
Scheduled Task Deleted Or Created via CMD	Scheduled Task	Anomaly
Recon Using WMI Class	PowerShell, Gather Victim Host Information	Anomaly

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Powershell Script Block Logging 4104	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`
CrowdStrike ProcessRollup2	Other	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Sysmon EventID 7	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4698	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Sysmon EventID 11	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log TaskScheduler 201	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Windows Event Log TaskScheduler 200	Windows	`wineventlog`	`WinEventLog:Microsoft-Windows-TaskScheduler/Operational`
Sysmon EventID 13	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4703	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Sysmon EventID 22	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`

References

Source: GitHub | Version: 2