Try in Splunk Security Cloud
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the DcRat malware including ddos, spawning more process, botnet c2 communication, defense evasion and etc. The DcRat malware is known commercial backdoor that was first released in 2018. This tool was sold in underground forum and known to be one of the cheapest commercial RATs. DcRat is modular and bespoke plugin framework make it a very flexible option, helpful for a range of nefearious uses.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Risk
- Last Updated: 2022-07-26
- Author: Teoderick Contreras, Splunk
- ID: 639e6006-0885-4847-9394-ddc2902629bf
Narrative
Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.
Detections
| Name |
Technique |
Type |
| Any Powershell DownloadFile |
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer |
TTP |
| CMD Carry Out String Command Parameter |
Windows Command Shell, Command and Scripting Interpreter |
Hunting |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| Malicious PowerShell Process - Encoded Command |
Obfuscated Files or Information |
Hunting |
| Malicious PowerShell Process - Execution Policy Bypass |
Command and Scripting Interpreter, PowerShell |
TTP |
| Office Document Executing Macro Code |
Phishing, Spearphishing Attachment |
TTP |
| Office Product Spawn CMD Process |
Phishing, Spearphishing Attachment |
TTP |
| Scheduled Task Deleted Or Created via CMD |
Scheduled Task, Scheduled Task/Job |
TTP |
| Suspicious Process File Path |
Create or Modify System Process |
TTP |
| Suspicious Scheduled Task from Public Directory |
Scheduled Task, Scheduled Task/Job |
Anomaly |
| WinEvent Windows Task Scheduler Event Action Started |
Scheduled Task |
Hunting |
| Windows Command Shell DCRat ForkBomb Payload |
Windows Command Shell, Command and Scripting Interpreter |
TTP |
| Windows Common Abused Cmd Shell Risk Behavior |
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter |
Correlation |
| Windows Gather Victim Host Information Camera |
Hardware, Gather Victim Host Information |
Anomaly |
| Windows Gather Victim Network Info Through Ip Check Web Services |
IP Addresses, Gather Victim Network Information |
Hunting |
| Windows High File Deletion Frequency |
Data Destruction |
Anomaly |
| Windows Ingress Tool Transfer Using Explorer |
Ingress Tool Transfer |
Anomaly |
| Windows Ingress Tool Transfer Using Explorer |
Ingress Tool Transfer |
TTP |
| Windows System LogOff Commandline |
System Shutdown/Reboot |
Anomaly |
| Windows System Reboot CommandLine |
System Shutdown/Reboot |
Anomaly |
| Windows System Shutdown CommandLine |
System Shutdown/Reboot |
Anomaly |
| Windows System Time Discovery W32tm Delay |
System Time Discovery |
Anomaly |
| Winword Spawning Cmd |
Phishing, Spearphishing Attachment |
TTP |
| Winword Spawning PowerShell |
Phishing, Spearphishing Attachment |
TTP |
Reference
source | version: 1