08-14-2020 11:09 AM - edited 02-11-2021 06:42 AM
What's worse than a RAT? Multiple!
RATs, or Remote Access Trojans, let an attacker plant a backdoor on an infected system. That backdoor is a foothold into your environment from which the attacker can monitor keystrokes, capture webcam video, and upload and execute follow-on malware.
Now suppose you suspect there is a RAT somewhere in your network but are not sure where, or you simply want to keep an eye on things, and you have hundreds of endpoints to check. Where do you start? Using Talos and Cisco Orbital, we can narrow down the list of queries to run first when hunting RATs.
So, before we start running Orbital queries or poring through the hundreds of available ones, we should first build a baseline of what we should be running and which of those queries are actually helpful. Let's build a profile of what we are hunting. To get us moving, we are going to look at the behavior of a few different RATs:
In this particular situation we are going to model our criteria around these three. Hopping over to Talos, we can get more information on each RAT, including file hashes, coverage, IOCs, registry keys and so on. Beyond indicators, we also need to know how to hunt for it and where to look. Talos lists the MITRE ATT&CK techniques for each sample; the ones highlighted in blue are the ones we will look at. There are of course more techniques to consider than just these. Take them as a starting point and overlay other techniques to build a "profile" of what to look for later on.
MITRE ATT&CK techniques of each RAT:
Gh0stRAT:
EXECUTION - command-line interface, service execution
PERSISTENCE - registry run keys / startup folder, service registry permissions weakness
PRIVILEGE ESCALATION - extra window memory injection, process injection, service registry permissions weakness
DEFENSE EVASION - extra window memory injection, file deletion, indirect command execution, modify registry, obfuscated files or information, process injection, web service
COMMAND AND CONTROL - web service
Remcos:
EXECUTION - command-line interface, scripting
PERSISTENCE - hooking, registry run keys / startup folder
PRIVILEGE ESCALATION - extra window memory injection, hooking, process injection
DEFENSE EVASION - extra window memory injection, file deletion, indirect command execution, obfuscated files or information, process injection, scripting
CREDENTIAL ACCESS - hooking, input capture
DISCOVERY - process discovery
LATERAL MOVEMENT - remote file copy
COLLECTION - audio capture, input capture, screen capture, video capture
COMMAND AND CONTROL - fallback channels, remote file copy
NetWire:
PERSISTENCE - registry run keys / startup folder
PRIVILEGE ESCALATION - extra window memory injection, process injection
DEFENSE EVASION - extra window memory injection, indirect command execution, obfuscated files or information, process injection
Looking at all three profiles side by side, there is a lot of overlap in their MITRE ATT&CK techniques. Between just these three, the following tactics and techniques are worth hunting for first:
PERSISTENCE - registry run keys / startup folder
PRIVILEGE ESCALATION - extra window memory injection, process injection
DEFENSE EVASION - extra window memory injection, indirect command execution, obfuscated files or information, process injection, file deletion
Great! Now we have three different areas of the framework to start with. Using the MITRE ATT&CK Software pages we can look up each RAT and gather more information on how its behavior falls into these techniques. I've included links below to both the software pages and the easier-to-read Navigator. I recommend you check out both and use MITRE's sources to further your research.
PERSISTENCE:
All three RATs use this tactic by modifying the registry run keys or the startup folder to maintain persistence on the system. Looking at the techniques documented for each RAT, they all install a new value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. [3][5][4] Keep in mind that the same technique also covers the HKLM Run and RunOnce keys and the per-user and all-users Startup folders, so a hunt query should not stop at HKCU.
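Orbital runs osquery, so the hunt queries are plain osquery SQL. The queries below are added here as an illustration and are not the queries from the original post or from Cisco; they use only the standard osquery `registry`, `file`, `hash` and `processes` tables. The Run-key path and the Startup folder paths are the standard Windows locations; the `AppData` and `Temp` path filters in the third query are an assumed triage heuristic, not an indicator from Talos or MITRE.

```sql
-- 1) Run keys for every loaded user hive (HKCU maps to HKEY_USERS\<SID>)
--    plus the machine-wide Run and RunOnce keys.
--    osquery requires a key constraint; '%' is accepted as a wildcard.
SELECT
  r.key,
  r.name,
  r.data,                                   -- command line the key launches
  datetime(r.mtime, 'unixepoch') AS key_modified
FROM registry AS r
WHERE r.key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
   OR r.key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\RunOnce'
   OR r.key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
   OR r.key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
ORDER BY key_modified DESC;

-- 2) Per-user and all-users Startup folders, with a SHA256 of each file
--    so the hash can be checked against the Talos IOCs.
SELECT
  f.path,
  f.size,
  datetime(f.mtime, 'unixepoch') AS file_modified,
  h.sha256
FROM file AS f
LEFT JOIN hash AS h ON h.path = f.path
WHERE f.path LIKE 'C:\Users\%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%'
   OR f.path LIKE 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\%'
ORDER BY file_modified DESC;

-- 3) Running processes whose image lives in a user-writable location.
--    Assumed triage heuristic: RAT droppers often stage in AppData or Temp;
--    compare the hashes here with what query 1 and 2 point at.
SELECT
  p.pid,
  p.parent,
  p.name,
  p.path,
  p.cmdline,
  h.sha256
FROM processes AS p
LEFT JOIN hash AS h ON h.path = p.path
WHERE p.path LIKE 'C:\Users\%\AppData\%'
   OR p.path LIKE '%\Temp\%'
ORDER BY p.pid;
```

Run the three queries as one Orbital job against the endpoint group you are worried about and pivot on any Run value or Startup file whose hash is not on your allow list; the `data` column of query 1 is the command line to look for in query 3.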
Using just these two queries we have already sped up our investigation and identified a suspicious process and file to look into. Pulling that file and submitting it to Threat Grid may yield useful information. Searching for the file name in SecureX may paint a bigger picture of what is going on. Using the NGFW or ESA logs we can see how the malware got in. By the same method, we can use MITRE ATT&CK to isolate what we are looking for and use public threat intelligence to create queries for the remaining tactics and techniques.
In conclusion, we have seen how individual RATs behave. While they can differ a great deal in their objectives, if we step back and look at how a RAT works and how we categorize its behaviors and tactics, we can build a profile. From that profile we can create a default set of queries that can be run to quickly get an understanding of what is running on your endpoints. Having these profiles will save your SOC time, increase efficacy, and reduce the complexity of threat hunting.
If it looks like a duck, quacks like a duck it’s probably obfuscated.
Sources:
[1] https://blog.talosintelligence.com/2020/07/threat-roundup-0724-0731.html (Win.Dropper.Gh0stRAT-9111297-0)
[2] https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html (Win.Trojan.Remcos-8699084-0 and Win.Packed.NetWire-8705629-0)
[3] https://attack.mitre.org/software/S0332/ (Remcos)
[4] https://attack.mitre.org/software/S0032/ (gh0st RAT)
[5] https://attack.mitre.org/software/S0198/ (NETWIRE)