Hunting Malware
RATs
Used to gain remote access to a machine
Typically bundle AV and detection evasion techniques that set them apart from other payloads
Typically use a client-server model and ship with an interface for easy administration of infected hosts
Examples:
Xeexe
Quasar
Hunting RATs and C2 Servers
Sysmon NetworkConnect (Event ID 3) rule that logs outbound connections to common RAT back-connect ports while excluding a known noisy process (this RuleGroup goes inside the EventFiltering element of the Sysmon config):
<RuleGroup name="" groupRelation="or">
  <!-- Log any network connection to these destination ports -->
  <NetworkConnect onmatch="include">
    <DestinationPort condition="is">1034</DestinationPort>
    <DestinationPort condition="is">1604</DestinationPort>
  </NetworkConnect>
  <!-- condition="image" matches the executable file name regardless of its path -->
  <NetworkConnect onmatch="exclude">
    <Image condition="image">OneDrive.exe</Image>
  </NetworkConnect>
</RuleGroup>
Hunting for Common Back Connect Ports with PowerShell
# Sysmon Event ID 3 records whose DestinationPort field equals the port of interest (the comparison must be applied to the named Data element, not to any Data element)
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"]=<Port>'
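As an added example that is not part of the original notes, the include/exclude logic of the Sysmon rule above and the port filter of the Get-WinEvent query, applied in Python to exported Event ID 3 records for offline triage. The event bodies, paths and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders, not real telemetry.

```python
import xml.etree.ElementTree as ET
# Constructed Sysmon Event ID 3 (NetworkConnect) records in the XML shape Get-WinEvent's .ToXml() returns.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(image, dest_ip, dest_port):
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="DestinationIp">{dest_ip}</Data>
    <Data Name="DestinationPort">{dest_port}</Data>
  </EventData>
</Event>"""

SAMPLE_EVENTS = [
    _event(r"C:\Users\bob\AppData\Local\Temp\svc.exe", "203.0.113.10", 1604),
    _event(r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "203.0.113.20", 1604),
    _event(r"C:\Program Files\Mozilla Firefox\firefox.exe", "203.0.113.30", 443),
    _event(r"C:\Windows\System32\svchost.exe", "198.51.100.5", 1034),
]

# Mirrors the RuleGroup above: include connections to the listed ports, then drop
# any whose image file name (path-insensitive, like Sysmon's "image" condition) is excluded.
INCLUDE_PORTS = {1034, 1604}
EXCLUDE_IMAGES = {"onedrive.exe"}

def parse_event(xml_text):
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def image_name(path):
    # Sysmon's condition="image" compares only the final path component.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return (image, dest_ip, port) for events that survive include/exclude."""
    hits = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id != 3:
            continue
        port = int(data["DestinationPort"])
        if port not in INCLUDE_PORTS or image_name(data["Image"]) in EXCLUDE_IMAGES:
            continue
        hits.append((data["Image"], data["DestinationIp"], port))
    return hits
```

Running hunt(SAMPLE_EVENTS) keeps the Temp\svc.exe and svchost.exe connections and drops the OneDrive.exe and port 443 ones.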