Hunting Malware

RATs

Used to gain remote access to a machine
Typically come with other AV and detection evasion techniques that make them different than other payloads
Typically uses a client-server model and comes with an interface for easy administration
Examples:
- Xeexe
- Quasar

Hunting Rats and C2 Servers

<RuleGroup name="" groupRelation="or">  
	<NetworkConnect onmatch="include">  
		<DestinationPort condition="is">1034</DestinationPort>  
		<DestinationPort condition="is">1604</DestinationPort>  
	</NetworkConnect>  
	<NetworkConnect onmatch="exclude">  
		<Image condition="image">OneDrive.exe</Image>  
		</NetworkConnect>  
</RuleGroup>

Hunting for Common Back Connect Ports with PowerShell

Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'

Hunting Malware

RATs

Used to gain remote access to a machine
Typically come with other AV and detection evasion techniques that make them different than other payloads
Typically uses a client-server model and comes with an interface for easy administration
Examples:
- Xeexe
- Quasar

Hunting Rats and C2 Servers

<RuleGroup name="" groupRelation="or">  
	<NetworkConnect onmatch="include">  
		<DestinationPort condition="is">1034</DestinationPort>  
		<DestinationPort condition="is">1604</DestinationPort>  
	</NetworkConnect>  
	<NetworkConnect onmatch="exclude">  
		<Image condition="image">OneDrive.exe</Image>  
		</NetworkConnect>  
</RuleGroup>

Hunting for Common Back Connect Ports with PowerShell

Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'

Hunting Malware

RATs

Hunting Rats and C2 Servers

Hunting for Common Back Connect Ports with PowerShell

Further Reading

Hunting Malware

RATs

Hunting Rats and C2 Servers

Hunting for Common Back Connect Ports with PowerShell

Further Reading