Training Scenario - Data Enumeration

Owned by Kyle Nehman
Last updated: Oct 19, 2022
3 min read

Group Name

Training Data - RAT Exfil (Quasar)

Scenario

In this training scenario, we will execute a RAT on the victim machine, and use it to enumerate the data on disk, with the goal of exfiltrating files.

While this is not a ransomware attack, the behaviors used by the RAT fall under the umbrella of the data extortion behaviors that Cyber Crucible detects. The response to the incident, and related data, look very similiar to that of the response to a ransomware payload, because to Cyber Crucible it’s all the same!

Identifying it

 

This executable looks a bit odd, but it’s in system32 and triggering repeated responses. Some more investigation is required to figure out what happened here. We can start by looking for child paths related to the response path.

 

Here we get some more evidence to the story. A user ran the client-build.exe from the desktop, which is the RAT dropper. Then it looks like it privilege escalates via an svchost. There are still some missing pieces to the puzzle, though. How do we know this is a RAT and not just something interacting with svchost?

 

This opens up a whole lot more visibility! Not only do we know for sure that some suspicious activity is going on, and what paths are related, but we know there’s persistence being created as well. And we even see that we’re dealing with Quasar, a well known RAT.

Quasar is a sophisticated RAT, and does most of its behavior from within its own executable, choosing to bring its own statically compiled libraries rather than using Windows' default utilities for many things. But even Quasar gets caught using things like schtasks.

Relevant documentation

  • Mitre T1566 - Phishing may be used to trick a user into performing an action they would not have done otherwise such as running a script or sharing a password.

  • Mitre T1091 - Malware may replicate itself onto removable media so that the next machine to connect it may execute via autorun or driver vulnerabilities.

  • Mitre T1204 - User execution, often gained via phishing, is the simplest way malware to begin execution.

  • Mitre T1547 - Malware may instruct Windows to execute malicious programs on boot or when a user logs in.

  • Mitre T1037 - Malware may instruct Windows to execute malicious scripts on boot or when a user logs in.

  • Mitre T1543 - Creating or modifying a system process can disguise malicious code as a normal, trusted system process from malware detection.