Try in Splunk Security Cloud


PlugX, also referred to as “PlugX RAT” or “Kaba,” is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2023-10-12
  • Author: Teoderick Contreras, Splunk
  • ID: a2c94c99-b93b-4bc7-a749-e2198743d0d6


PlugX, known as the “silent infiltrator of the digital realm, is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It’s the go-to tool for sophisticated hackers with one goal in mind, espionage. PlugX’s repertoire of capabilities reads like a spy thriller. It doesn’t just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it’s a versatile instrument for cyber espionage. This malware thrives on persistence. It’s not a one-time hit; it’s in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn’t waver.


Name Technique Type
Allow Inbound Traffic By Firewall Rule Registry Remote Desktop Protocol, Remote Services TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Firewall Allowed Program Enable Disable or Modify System Firewall, Impair Defenses Anomaly
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Office Application Drop Executable Phishing, Spearphishing Attachment TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Document Spawned Child Process To Download Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process Phishing, Spearphishing Attachment TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious writes to windows Recycle Bin Masquerading TTP
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation Anomaly
Windows Masquerading Msdtc Process Masquerading TTP
Windows Replication Through Removable Media Replication Through Removable Media TTP
Windows Service Created with Suspicious Service Path System Services, Service Execution TTP
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness TTP
Windows Service Deletion In Registry Service Stop Anomaly


source | version: 2