Try in Splunk Security Cloud
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the AsyncRAT malware including mshta application child process, bat loader execution, persistence and many more. AsyncRAT is an open source remote administration tool released last 2019. It’s designed to remotely control computers via an encrypted connection, with view screen, keylogger, chat communication, persistence, defense evasion (e.g. Windows defender), DOS attack and many more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2023-01-24
- Author: Teoderick Contreras, Splunk
- ID: d7053072-7dd2-4874-8314-bfcbc99978a4
Narrative
although this project contains legal disclaimer, Adversaries or threat actors are popularly used in some attacks. This malware recently came across a Fully undetected batch script loader that downloads and loads the AsyncRAT from its C2 server. The batch script is obfuscated and will load a powershell loader that will decode and decrypt (AES256) the actual AsyncRAT malware.
Detections
| Name |
Technique |
Type |
| CMD Carry Out String Command Parameter |
Windows Command Shell, Command and Scripting Interpreter |
Hunting |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| Execution of File with Multiple Extensions |
Masquerading, Rename System Utilities |
TTP |
| Loading Of Dynwrapx Module |
Process Injection, Dynamic-link Library Injection |
TTP |
| Malicious PowerShell Process - Execution Policy Bypass |
Command and Scripting Interpreter, PowerShell |
TTP |
| PowerShell Loading DotNET into Memory via Reflection |
Command and Scripting Interpreter, PowerShell |
TTP |
| Powershell Fileless Script Contains Base64 Encoded Content |
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell |
TTP |
| Powershell Processing Stream Of Data |
Command and Scripting Interpreter, PowerShell |
TTP |
| Recon Using WMI Class |
Gather Victim Host Information, PowerShell |
Anomaly |
| Registry Keys Used For Persistence |
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution |
TTP |
| Regsvr32 Silent and Install Param Dll Loading |
System Binary Proxy Execution, Regsvr32 |
Anomaly |
| Regsvr32 with Known Silent Switch Cmdline |
System Binary Proxy Execution, Regsvr32 |
Anomaly |
| Scheduled Task Deleted Or Created via CMD |
Scheduled Task, Scheduled Task/Job |
TTP |
| Suspicious Copy on System32 |
Rename System Utilities, Masquerading |
TTP |
| Suspicious Process File Path |
Create or Modify System Process |
Anomaly |
| Vbscript Execution Using Wscript App |
Visual Basic, Command and Scripting Interpreter |
TTP |
| WinEvent Scheduled Task Created Within Public Path |
Scheduled Task, Scheduled Task/Job |
TTP |
| WinEvent Windows Task Scheduler Event Action Started |
Scheduled Task |
Hunting |
| Windows Access Token Manipulation SeDebugPrivilege |
Create Process with Token, Access Token Manipulation |
Anomaly |
| Windows Powershell Cryptography Namespace |
PowerShell, Command and Scripting Interpreter |
Anomaly |
| Windows Scheduled Task with Highest Privileges |
Scheduled Task/Job, Scheduled Task |
TTP |
| Windows Spearphishing Attachment Connect To None MS Office Domain |
Spearphishing Attachment, Phishing |
Hunting |
| Windows Spearphishing Attachment Onenote Spawn Mshta |
Spearphishing Attachment, Phishing |
TTP |
Reference
source | version: 1