Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1999
Views
5
Helpful
0
Comments

Orbital Query Corner - Hunting RATs

dkrull
Cisco Employee
Cisco Employee

‎08-14-2020 11:09 AM - edited ‎02-11-2021 06:42 AM

04040402 transition to cloud collage 1.png


What's worse than a RAT? Multiple!

What is a RAT?

RATs are also known as Remote Access Trojans. They allow attackers to place backdoors on infected system. This gives them a foothold into your environment to further their attack to monitor keystrokes, collect video footage from webcams and upload/execute follow-on malware.

 

Now you suspect that there may be RAT in your network but are unsure of where or you want to keep an eye on things, but you have hundreds of Endpoints to check to make sure they are not infected. Where do you start? Using TALOS and Cisco Orbital, we can narrow down the list of commands you want to first run when hunting RATS.

Create A Profile:

So, before we start running Orbital commands or pour through the hundreds of available queries we should first create a baseline of what commands we should be running and what of those is actual helpful?  Let’s build a profile for what we are hunting and to get us moving, we are going to look at the behavior of a few different RATS:

 

  • Gh0stRAT [Win.Dropper.Gh0stRAT-9111297-0] is a fairly well-known RAT that has been out for quite some time. [1]
  • Remcos [Win.Trojan.Remcos-8699084-0]  is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [2][3]
  • NetWire [Win.Packed.NetWire-8705629-0] is an open-source tool that normally uses a “sales” themed dropper. [2][3]

 

In this particular situation we are going to model our criteria around these. Hopping on over to TALOS, we can get a bit more information on these RATs including file Hashes, Coverage, IOCs, Registry Keys and so forth. In addition to these, we also need to know how to hunt for it and where to look. TALOS lists out the categories of MITRE ATT&CK TECHNIQUEs highlighted in Blue that we will look at. There are of course more than just these to consider. You can take these as a starting point and overlay other attack techniques to make a "profile" of what to look for later on.

 

MITRE ATT&CK TECHNIQUES of each RAT:

 

Gh0stRAT:

EXECUTION - command-line interface, services execution,

PERSISTENCE - Registry run keys / startup folder, service registry permissions weakness

PRIVILEGE ESCALTION - extra window memory injection , process injection, service registry permissions weakness

DEFENSE EVASION - extra window memory injection, file deletion, indirect command execution, modify registry, obfuscated files or information, Process injection, web service

COMMAND AND CONTROL - web service

 

Remcos:

EXECUTION - command-line interface, scripting

PERSISTENCE - hooking, registry run keys / startup folder

PRIVILEGE ESCALTION - extra window memory injection, hooking, process injection

DEFENSE EVASION - extra window memory injection, file deletion, indirect command execution, obfuscated files or information, Process injection, scripting

CREDENTIAL ACCESS - hooking, input capture

DISCOVERY - process discovery

LATERAL MOVEMENT - remote file copy

COLLECTION - audio capture, input capture, screen capture, video capture

COMMAND AND CONTROL - failback channels, remote file copy

 

NetWire:

PERSISTENCE - Registry run keys / startup folder,

PRIVILEGE ESCALTION - extra window memory injection , process injection

DEFENSE EVASION - extra window memory injection, indirect command execution, obfuscated files or information, Process injection,

 

Taking a look at all threes profile we can see we have quite a bit of overlap in their MITRE ATT&CK techniques. Between just these three it would be worth looking at the following categories:

 

PERSISTENCE - registry run keys / start up folder

PRIVILEGE ESCALTION - extra window memory injection , process injection

DEFENSE EVASION - extra window memory injection, indirect command execution, obfuscated files or information, Process injection, file deletion.

 

Great! Now we have three different areas to start within the framework. Using the MITRE ATT&CK Software page we can look up these RATs and gather a more information on how each one behavior falls into these techniques.  I've included links below to both the software and easy to read Navigator. I recommend you check out both and use MITRE's sources to further your research.

 

Gh0st | ATT&CK Navigator

Remocs | ATT&CK Navigator

NetWire | ATT&CK Navigator

 

PERSISTENCE:
All three utilize  this tactic by modifying the registry run keys or start up folder in order to maintain persistence on the system. Taking a look at the techniques used by each of these RATs we can see that they all install some new key and value into HKCU\Software\Microsoft\Windows\CurrentVersion\Run. [3][5][4]

 

startup_items

  • This will return items that are set to boot at startup. What we really want to see here is the source which shows us the auto-run registry key value. Click on the hyperlink to learn more about startup_items in Orbital.
RAT 1.png

 

registry_parameterized_search

  • If we wanted to be more specific we can also run a free form search here. This time we will just need to know the specific registry location or if we want to pull a full list and parse this information to a database and pull any anomalies out. But of course, easier said than done. Click on the hyperlink to learn more about registry_parameterized_search in Orbital.
RAT2.png

 

Using just these two commands we already have sped up or investigation and have identified a specious process and file that we should take a look into. Maybe pulling this file can putting through ThreatGrid can yield useful information. Maybe we can take this file name a put it into SecureX to see if we can paint a bigger picture of what's going on. Using NGFW or ESAs we can see how this malware got in. Using this same method, we can use MITRE ATTACK to isolate what we are looking for and using public threat intelligence we can create filters for the remaining tactics and techniques.

 

Wrap Up

In conclusion, we have seen how individual RATS behave and while they can be extremely different in their objectives if we pull back and take a look into how a RAT works, how we categorize its behaviors and tactics we can build a profile. Within that profile we can create a default set of quires that can be ran to quickly get an understanding of what's running on your endpoints.  Having these profiles will help save your SOC time, increase efficacy, and reduce the complexity of threat hunting. 

 

If it looks like a duck, quacks like a duck it’s probably obfuscated.

 

Sources:

[1] https://blog.talosintelligence.com/2020/07/threat-roundup-0724-0731.html 'Win.Dropper.Gh0stRAT-9111297-0'

[2] https://blog.talosintelligence.com/2020/07/threat-roundup-0710-0717.html 'Win.Trojan.Remcos-8699084-0 and Win.Packed.NetWire-8705629-0'

[3] https://attack.mitre.org/software/S0332/ 'Remcos'

[4] https://attack.mitre.org/software/S0032/ 'gh0st RAT'

[5] https://attack.mitre.org/software/S0198/ 'NETWIRE'

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents