Analytics Story: PlugX

Description

PlugX, also referred to as "PlugX RAT" or "Kaba," is a highly sophisticated remote access Trojan (RAT) discovered in 2012. This malware is notorious for its involvement in targeted cyberattacks, primarily driven by cyber espionage objectives. PlugX provides attackers with comprehensive remote control capabilities over compromised systems, granting them the ability to execute commands, collect sensitive data, and manipulate the infected host.

Why it matters

PlugX, known as the "silent infiltrator of the digital realm," is a shadowy figure in the world of cyber threats. This remote access Trojan (RAT), first unveiled in 2012, is not your run-of-the-mill malware. It's the go-to tool for sophisticated hackers with one goal in mind: espionage. PlugX's repertoire of capabilities reads like a spy thriller. It doesn't just breach your defenses; it goes a step further, slipping quietly into your systems, much like a ghost. Once inside, it opens the door to a world of possibilities for cybercriminals. With a few keystrokes, they can access your data, capture your screen, and silently watch your every move. In the hands of skilled hackers, it's a versatile instrument for cyber espionage. This malware thrives on persistence. It's not a one-time hit; it's in it for the long haul. Even if you reboot your system, PlugX remains, ensuring that its grip on your infrastructure doesn't waver.

Detections

Name | Technique | Type
Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
Windows Office Product Dropped Uncommon File | Spearphishing Attachment | Anomaly
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting
Suspicious writes to windows Recycle Bin | Masquerading | TTP
Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP
Windows Debugger Tool Execution | Masquerading | Hunting
Windows Masquerading Msdtc Process | Masquerading | TTP
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Firewall Allowed Program Enable | Disable or Modify System Firewall | Anomaly
Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly
Windows Office Product Spawned Child Process For Download | Spearphishing Attachment | TTP
Windows Service Created with Suspicious Service Path | Service Execution | TTP
Windows Service Created with Suspicious Service Name | Service Execution | Anomaly
Windows Service Deletion In Registry | Service Stop | Anomaly
Windows Replication Through Removable Media | Replication Through Removable Media | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
Windows Office Product Loading VBE7 DLL | Spearphishing Attachment | Anomaly
Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task | Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path | DLL | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log TaskScheduler 201 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System
Windows Event Log Security 4703 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Source: GitHub | Version: 3