Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-07-26
  • Author: Teoderick Contreras, Splunk
  • ID: 639e6006-0885-4847-9394-ddc2902629bf

Narrative

Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.

Detections

Name Technique Type
Any Powershell DownloadFile Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Executables Or Script Creation In Suspicious Path Masquerading TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Malicious PowerShell Process - Execution Policy Bypass Command and Scripting Interpreter, PowerShell TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process System Binary Proxy Execution, Mshta TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
Windows Command Shell DCRat ForkBomb Payload Windows Command Shell, Command and Scripting Interpreter TTP
Windows Gather Victim Host Information Camera Hardware, Gather Victim Host Information Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services IP Addresses, Gather Victim Network Information Hunting
Windows High File Deletion Frequency Data Destruction Anomaly
Windows Ingress Tool Transfer Using Explorer Ingress Tool Transfer Anomaly
Windows System LogOff Commandline System Shutdown/Reboot Anomaly
Windows System Reboot CommandLine System Shutdown/Reboot Anomaly
Windows System Shutdown CommandLine System Shutdown/Reboot Anomaly
Windows System Time Discovery W32tm Delay System Time Discovery Anomaly
Winword Spawning Cmd Phishing, Spearphishing Attachment TTP
Winword Spawning PowerShell Phishing, Spearphishing Attachment TTP

Reference

source | version: 1