File Creation Related To RAT Clients

Detects the creation of a .conf file in a path associated with VenomRAT, AsyncRAT and Lummac samples observed in the wild.

Sigma rule

```yaml
title: File Creation Related To RAT Clients
id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d
status: experimental
description: |
        File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
references:
    - https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
    - https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-12-19
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    # VT Query: behaviour_files:"\\AppData\\Roaming\\DataLogs\\DataLogs.conf"
    # VT Query: behaviour_files:"DataLogs.conf" or behaviour_files:"hvnc.conf" or behaviour_files:"dcrat.conf"
    selection_required:
        TargetFilename|contains: '\AppData\Roaming\'
    selection_variants:
        TargetFilename|contains:
            - '\mydata\'
            - '\datalogs\'
            - '\hvnc\'
            - '\dcrat\'
        TargetFilename|endswith:
            - '\datalogs.conf'
            - '\hvnc.conf'
            - '\dcrat.conf'
    condition: all of selection_*
falsepositives:
    - Legitimate software creating a file with the same name
level: high
```
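To make the matching semantics of the rule concrete, the following is an added example, not part of the SigmaHQ rule or of this page: a small Python evaluator of the rule's `detection` logic run over constructed Sysmon Event ID 11 style file-creation records. It follows the Sigma semantics that `contains` and `endswith` are case-insensitive, that a list of values under one field is OR-ed, that different field/modifier entries inside one selection are AND-ed, and that `all of selection_*` AND-s the two selections. The event dictionaries and the `matches_rat_conf_rule` / `find_matches` function names are assumptions made for the example.

```python
"""Evaluator for the 'File Creation Related To RAT Clients' Sigma rule.

Added example, not the SigmaHQ rule's own code. The selection values are
copied from the rule; the events below are constructed for illustration.
"""
from __future__ import annotations

# selection_required: TargetFilename|contains
REQUIRED_CONTAINS = ["\\AppData\\Roaming\\"]
# selection_variants: TargetFilename|contains (values OR-ed)
VARIANT_CONTAINS = ["\\mydata\\", "\\datalogs\\", "\\hvnc\\", "\\dcrat\\"]
# selection_variants: TargetFilename|endswith (values OR-ed)
VARIANT_ENDSWITH = ["\\datalogs.conf", "\\hvnc.conf", "\\dcrat.conf"]


def _contains_any(value: str, needles: list[str]) -> bool:
    """Sigma 'contains' with a value list: case-insensitive, OR-ed."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value: str, needles: list[str]) -> bool:
    """Sigma 'endswith' with a value list: case-insensitive, OR-ed."""
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


def matches_rat_conf_rule(event: dict) -> bool:
    """Return True when a file_event record satisfies 'all of selection_*'.

    A record without TargetFilename cannot match (Sigma treats a missing
    field as a non-match).
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    selection_required = _contains_any(target, REQUIRED_CONTAINS)
    # Two entries in one selection map: both must hold (AND).
    selection_variants = _contains_any(target, VARIANT_CONTAINS) and _endswith_any(
        target, VARIANT_ENDSWITH
    )
    return selection_required and selection_variants


def find_matches(events: list[dict]) -> list[str]:
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches_rat_conf_rule(e)]


# Constructed sample records in the shape of Sysmon Event ID 11 (FileCreate).
CONSTRUCTED_EVENTS = [
    {   # directory and filename both listed in the rule -> match
        "EventID": 11,
        "Image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\DataLogs\\DataLogs.conf",
    },
    {   # filename matches, but no '\hvnc\' directory component -> no match
        "EventID": 11,
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\hvnc.conf",
    },
    {   # not under \AppData\Roaming\ -> selection_required fails
        "EventID": 11,
        "Image": "C:\\Program Files\\App\\app.exe",
        "TargetFilename": "C:\\ProgramData\\DataLogs\\datalogs.conf",
    },
    {   # upper-case filename still matches: Sigma modifiers are case-insensitive
        "EventID": 11,
        "Image": "C:\\Users\\bob\\x.exe",
        "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\dcrat\\DCRAT.CONF",
    },
]

if __name__ == "__main__":
    for path in find_matches(CONSTRUCTED_EVENTS):
        print("ALERT:", path)
```

The second sample record is the caveat worth knowing when tuning this rule: because `selection_variants` carries both a `contains` entry and an `endswith` entry, a `.conf` file dropped directly into `AppData\Roaming` without one of the listed subdirectories does not fire the rule. Whether that is acceptable depends on how closely the observed samples follow the layout in the VirusTotal references; widening the rule would trade coverage for more of the false positives the rule already lists.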
