
Scenario

In this training scenario, we will execute a RAT on the victim machine, and use it to enumerate the data on disk, with the goal of exfiltrating files.

While this is not a ransomware attack, the behaviors used by the RAT fall under the umbrella of the data extortion behaviors that Cyber Crucible detects. The response to the incident, and the related data, look very similar to the response to a ransomware payload, because to Cyber Crucible it’s all the same!

Identifying it

This executable looks a bit odd, but it’s in system32 and triggering repeated responses. Some more investigation is required to figure out what happened here. We can start by looking for child paths related to the response path.

Here we get more evidence for the story. A user ran client-build.exe from the desktop, which is the RAT dropper. Then it appears to escalate privileges via an svchost process. There are still some missing pieces to the puzzle, though. How do we know this is a RAT and not just something interacting with svchost?

This opens up a whole lot more visibility! Not only do we know for sure that some suspicious activity is going on, and which paths are related, but we know there’s persistence being created as well. And we even see that we’re dealing with Quasar, a well-known RAT.

Quasar is a sophisticated RAT, and does most of its behavior from within its own executable, choosing to bring its own statically compiled libraries rather than using Windows' default utilities for many things. But even Quasar gets caught using things like schtasks.
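As an added example (not from the page and not Cyber Crucible's code), the Python below reconstructs the process chain described above from constructed endpoint telemetry and flags persistence created through schtasks by an executable launched from a user's Desktop. The event records, the user name, the paths and the task name are all constructed sample values.

```python
# Added example: rebuild a parent/child process chain from constructed telemetry
# and flag the pattern described above (Desktop-launched exe -> svchost -> schtasks).
from collections import defaultdict

# Constructed sample events: (pid, ppid, image path, command line). Not real telemetry.
EVENTS = [
    (1200, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    (1300, 1200, r"C:\Users\alice\Desktop\client-build.exe", "client-build.exe"),
    (1400, 1300, r"C:\Windows\System32\svchost.exe", "svchost.exe"),
    (1500, 1400, r"C:\Windows\System32\schtasks.exe",
     'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\alice\\AppData\\Roaming\\client.exe" /sc onlogon'),
    (1600, 1200, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

def build_tree(events):
    """Index events by pid and build a parent -> children map."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return by_pid, children

def ancestry(pid, by_pid):
    """Return the chain of image paths from the oldest known ancestor down to pid."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid][2])
        pid = by_pid[pid][1]
    return list(reversed(chain))

def find_persistence_chains(events):
    """Flag each 'schtasks.exe /create' whose ancestry includes a Desktop-launched exe."""
    by_pid, _ = build_tree(events)
    findings = []
    for pid, _, image, cmdline in events:
        if image.lower().endswith(r"\schtasks.exe") and "/create" in cmdline.lower():
            chain = ancestry(pid, by_pid)
            dropper = next((p for p in chain if "\\desktop\\" in p.lower()), None)
            if dropper:
                findings.append({"dropper": dropper, "chain": chain, "task_cmd": cmdline})
    return findings

if __name__ == "__main__":
    for f in find_persistence_chains(EVENTS):
        print(" -> ".join(f["chain"]))
        print("persistence created by:", f["task_cmd"])
```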

Relevant documentation
