Analytics Story: AgentTesla

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the AgentTesla malware, including .chm application child processes, FTP/SMTP connections, persistence, and many more. AgentTesla is an advanced remote access trojan (RAT) capable of stealing sensitive information from the infected or targeted host machine. It can collect various types of data, including browser profile information, keystrokes, screenshots, and VPN credentials. AgentTesla has been an active malware family since 2014 and is often delivered as a malicious attachment in phishing emails. It was also the top malware of 2021 according to the CISA report.

Why it matters

Adversaries or threat actors may use this malware to maximize the impact of an infection on the target organization in operations where network-wide availability interruption is the goal.

Detections

| Name | Technique | Type |
|---|---|---|
| Office Application Drop Executable | Spearphishing Attachment | TTP |
| Office Application Spawn rundll32 process | Spearphishing Attachment | TTP |
| Office Document Executing Macro Code | Spearphishing Attachment | TTP |
| Office Product Spawn CMD Process | Spearphishing Attachment | TTP |
| Office Product Spawning CertUtil | Spearphishing Attachment | TTP |
| Suspicious Driver Loaded Path | Windows Service | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools | TTP |
| Detect HTML Help Spawn Child Process | Compiled HTML File | TTP |
| Disabling Remote User Account Control | Bypass User Account Control | TTP |
| Excessive Usage Of Taskkill | Disable or Modify Tools | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly |
| PowerShell - Connect To Internet With Hidden Window | PowerShell | Hunting |
| PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly |
| Powershell Windows Defender Exclusion Commands | Disable or Modify Tools | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP |
| Windows Driver Load Non-Standard Path | Rootkit, Exploitation for Privilege Escalation | TTP |
| Windows Drivers Loaded by Signature | Rootkit, Exploitation for Privilege Escalation | Hunting |
| Windows File Transfer Protocol In Non-Common Process Path | Mail Protocols | Anomaly |
| Windows ISO LNK File Creation | Malicious Link, Spearphishing Attachment | Hunting |
| Windows Mail Protocol In Non-Common Process Path | Mail Protocols | Anomaly |
| Windows Multi hop Proxy TOR Website Query | Mail Protocols | Anomaly |
| Windows Office Product Dropped Uncommon File | Spearphishing Attachment | Anomaly |
| Windows Office Product Loading VBE7 DLL | Spearphishing Attachment | Anomaly |
| Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP |
| Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment | Hunting |
| Windows Process Execution in Temp Dir | Create or Modify System Process, Match Legitimate Name or Location | Anomaly |
| Windows Suspicious Driver Loaded Path | Windows Service | TTP |
| Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 6 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System |

Source: GitHub | Version: 1