MICROSOFT SENTINEL | MALWARE

Malware Family KQL Queries — Week of 2023-07-17

Oh, RATs!

Aaron Hoffmann
ReversingLabs Integrations


Welcome to another week of our series of KQL queries and indicators for malware families! Last week we ran a LinkedIn poll to gauge which types of malware threat intel teams are most interested in.

And the winner is…RATs! 🐀

njRAT

We decided to pick njRAT as the trojan of choice. njRAT, also known as Bladabindi, is a .NET RAT (Remote Access Trojan) that allows attackers to take control of an infected machine. njRAT can log keystrokes, access the victim’s camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim’s desktop, and perform process, file, and registry manipulations; it also lets the attacker update, uninstall, restart, close, or disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker can create and configure the malware to spread through USB drives.

To help demonstrate the queries we’ve generated this week, I set up a throwaway VM and deployed njRAT. I also ensured the proper logging policies were enabled, and installed Sysmon and Microsoft Defender for Endpoint (turning off most protections and excluding the malware samples).

njRAT and other infostealers change rapidly. Keep up the pace by checking out the ReversingLabs content pack for Microsoft Sentinel and TitaniumCloud Enrichment APIs to give your analysts the fastest context surrounding file hash indicators:

Techniques

Due to the nature of njRAT and how info stealer malware generally works, typical indicators of compromise such as IP addresses and domain names are limited. Instead, check out the following MITRE ATT&CK techniques used by njRAT:

T1056: Input Capture

njRAT will act as a keylogger and capture keystrokes. Monitoring for this activity is limited without tools that hook into the Windows API. Luckily this can be accomplished with Microsoft Defender for Endpoint (Note that this will automatically be flagged as a Low severity alert by MDE). Querying the DeviceEvents table allows us to look for “GetAsyncKeyStateApiCall”:

DeviceEvents
| where ActionType == "GetAsyncKeyStateApiCall"

T1562: Impair Defenses

To help facilitate C2 functionality, njRAT will modify the Windows Firewall to permit all traffic from the malware file. Look for changes made with netsh and for allowed programs in unusual locations, such as %APPDATA% or a user’s Downloads folder:

// description: njRAT process execution indicators for 20230717
// Windows Security Event ID 4688 (process creation)
SecurityEvent
| where EventID == 4688
| where NewProcessName contains "netsh.exe"
| where CommandLine contains "netsh firewall add allowedprogram"
    and (CommandLine contains "\\AppData\\Local"
        or CommandLine contains "\\AppData\\Roaming"
        or CommandLine matches regex @'.*C:\\Users\\.*\\Downloads\\.*')
| union (
    // Microsoft Defender for Endpoint process creation
    DeviceProcessEvents
    | where FileName contains "netsh.exe"
    | where ProcessCommandLine contains "netsh firewall add allowedprogram"
        and (ProcessCommandLine contains "\\AppData\\Local"
            or ProcessCommandLine contains "\\AppData\\Roaming"
            or ProcessCommandLine matches regex @'.*C:\\Users\\.*\\Downloads\\.*')
    ),
    (
    // Sysmon Event ID 1 (process creation)
    SysmonParser
    | where EventID == 1
    | where OriginalFileName == "netsh.exe"
    | where CommandLine contains "netsh firewall add allowedprogram"
        and (CommandLine contains "\\AppData\\Local"
            or CommandLine contains "\\AppData\\Roaming"
            or CommandLine matches regex @'.*C:\\Users\\.*\\Downloads\\.*')
    ),
    (
    // Keystroke capture API call from the T1056 section, unioned in so one rule covers both behaviours
    DeviceEvents
    | where ActionType == "GetAsyncKeyStateApiCall"
    )

[Screenshot: Windows Firewall showing the rule created by njRAT malware]
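The netsh check above re-implemented in Python so the matching logic can be exercised offline against a handful of process-creation events. This is an added example, not code from the post or from the ReversingLabs repo; it generalises the post's check to both the legacy `netsh firewall add allowedprogram` form and the `netsh advfirewall firewall add rule ... program=` form, and extracts the registered program path instead of substring-matching the whole command line. All sample command lines, paths and user names are constructed for the demo.

```python
"""Flag netsh firewall allow-rules that register a program under a user-writable path.
Added example (not from the original post); sample events below are constructed."""
import re
from typing import List, Optional

# User-writable locations a dropped payload usually lives in and a legitimate
# firewall exception rarely points at (mirrors the predicates in the KQL).
SUSPICIOUS_PATH = re.compile(
    r'\\AppData\\(?:Local|Roaming)\\'            # ...\AppData\Local\ or ...\AppData\Roaming\
    r'|^[A-Za-z]:\\Users\\[^\\]+\\Downloads\\',  # <drive>:\Users\<user>\Downloads\
    re.IGNORECASE,
)

# Legacy syntax: netsh firewall add allowedprogram [program=]<path> [name=]<name> [mode=]ENABLE
LEGACY_RULE = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:program=)?("[^"]+"|\S+)',
    re.IGNORECASE,
)
# Current syntax: netsh advfirewall firewall add rule name=... program=<path> ...
ADVFIREWALL_RULE = re.compile(
    r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=("[^"]+"|\S+)',
    re.IGNORECASE,
)


def allowed_program(command_line: str) -> Optional[str]:
    """Return the program path a netsh allow-rule command registers,
    or None when the command line is not a netsh allow-rule at all."""
    for pattern in (LEGACY_RULE, ADVFIREWALL_RULE):
        match = pattern.search(command_line)
        if match:
            return match.group(1).strip('"')
    return None


def is_suspicious_firewall_rule(command_line: str) -> bool:
    """True when the command adds an allow-rule for a program under
    %LOCALAPPDATA%, %APPDATA% or a user's Downloads folder."""
    path = allowed_program(command_line)
    return path is not None and SUSPICIOUS_PATH.search(path) is not None


def hunt(events: List[dict]) -> List[str]:
    """Apply the check to 4688-style process-creation events and return the
    offending command lines (the rows the Sentinel rule would alert on)."""
    return [
        ev["CommandLine"]
        for ev in events
        if ev["NewProcessName"].lower().endswith("netsh.exe")
        and is_suspicious_firewall_rule(ev["CommandLine"])
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\bob\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"NewProcessName": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\bob\Downloads\updater.exe" enable=yes'},
    {"NewProcessName": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Program Files\Vendor\agent.exe" "Vendor Agent" ENABLE'},
    {"NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c dir %APPDATA%'},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Pulling the path out of the command first means a path that merely mentions "AppData" in an unrelated argument (the rule name, say) does not fire, while a rule pointing at Downloads via the newer advfirewall syntax does.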

T1568: Dynamic Resolution

One of the interesting aspects of njRAT is the reliance on public dynamic DNS services for command and control functions. Unless your organization uses these services, it’s worth setting up an analytics rule looking for outbound traffic to these services with some of the common port numbers found in the malware configuration:

// description: njRAT network indicators for 20230717
// Firewall/proxy logs (CEF): outbound to a dynamic-DNS host on a known njRAT port
CommonSecurityLog
| where DestinationHostName has_any ('.duckdns.org', '.ngrok.io', '.ddns.net', '.ply.gg', '.linkpc.net')
    and DestinationPort in (1515, 5552, 6666, 16261, 16694, 25565, 54892)
| union (
    // Sysmon Event ID 3 (network connection) to a public IP on a known njRAT port ...
    SysmonParser
    | where EventID == 3
    | where ipv4_is_private(DestinationIp) == false
    | where DestinationPort in (1515, 5552, 6666, 16261, 16694, 25565, 54892)
    // ... joined to the Sysmon Event ID 22 (DNS query) that resolved a dynamic-DNS name to that IP
    | join (
        SysmonParser
        | where EventID == 22
        | where QueryName has_any ('.duckdns.org', '.ngrok.io', '.ddns.net', '.ply.gg', '.linkpc.net')
        // QueryResults is free text such as "type: 5 name;::ffff:1.2.3.4;", so pull out the first IPv4
        | extend IpResult = extract(@'([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})', 1, QueryResults)
    ) on $left.DestinationIp == $right.IpResult
)

Conclusion

njRAT is one of the most accessible RATs in use by threat actors. For all of the queries demonstrated in this post, check out our GitHub repo here:


Aaron Hoffmann
ReversingLabs Integrations

Information security professional specialized in developing content for SIEM/SOAR platforms. SOAR Architect @ ReversingLabs