CrowdStrike and Windows Defender hunting for the NonEuclid RAT

The NonEuclid Remote Access Trojan (RAT) is a sophisticated malware developed in C# that offers unauthorized remote access to compromised Windows systems. It employs advanced evasion techniques, including antivirus bypass, privilege escalation, anti-detection mechanisms, and ransomware encryption targeting critical files.

Source: The Hacker News

To detect and hunt for NonEuclid RAT using CrowdStrike Falcon and Microsoft Defender for Endpoint, consider the following strategies:

1. Understanding NonEuclid RAT Behavior:

NonEuclid RAT exhibits specific behaviors that can be monitored:

  • Antivirus Exclusions: It configures Microsoft Defender Antivirus exclusions to prevent detection.
  • Process Monitoring: The RAT monitors processes like taskmgr.exe, processhacker.exe, and procexp.exe to detect analysis tools.
  • Persistence Mechanisms: It achieves persistence through scheduled tasks and Windows Registry modifications.
  • Privilege Escalation: Employs User Account Control (UAC) bypass techniques for privilege escalation.
  • Ransomware Capabilities: Encrypts files with specific extensions (e.g., .csv, .txt, .php) and appends the .NonEuclid extension.

2. Hunting with CrowdStrike Falcon:

CrowdStrike Falcon Event Search provides a powerful query language for threat hunting. To surface the behaviors associated with NonEuclid RAT, you can craft queries such as the ones below; before running them, confirm the event and field names against the Events Data Dictionary in your own Falcon tenant, since the available event names depend on the sensor version and platform.

Detecting Antivirus Exclusions:

event_simpleName=RegistryModificationEvent RegistryKeyName="*\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\*" | table Timestamp, ComputerName, UserName, RegistryKeyName, RegistryValueName, RegistryValueData

This query identifies modifications to Windows Defender exclusion settings.

Monitoring Process Activity:

event_simpleName=ProcessRollup2 (FileName="taskmgr.exe" OR FileName="processhacker.exe" OR FileName="procexp.exe") | table Timestamp, ComputerName, UserName, FileName, CommandLine

This query surfaces executions of the analysis tools the RAT watches for. Most hits will be legitimate administrator activity, so use it to add context to hosts flagged by the other queries rather than as a stand-alone alert.

Identifying Persistence via Scheduled Tasks:

event_simpleName=ScheduledTaskCreated | table Timestamp, ComputerName, UserName, TaskName, TaskContent

This query lists newly created scheduled tasks, which may indicate persistence mechanisms.

Detecting Registry Persistence:

event_simpleName=RegistryModificationEvent RegistryKeyName="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*" | table Timestamp, ComputerName, UserName, RegistryKeyName, RegistryValueName, RegistryValueData

This query detects modifications to the Run keys in the registry, commonly used for persistence.

Monitoring UAC Bypass Attempts:

event_simpleName=ProcessRollup2 (CommandLine="*eventvwr.msc*" OR CommandLine="*fodhelper.exe*") | table Timestamp, ComputerName, UserName, FileName, CommandLine

This query identifies executions of binaries commonly abused in UAC bypass techniques. Both also run legitimately, so review the parent process and anything the flagged process spawned before treating a hit as malicious.

3. Hunting with Microsoft Defender for Endpoint:

In Microsoft Defender for Endpoint, you can use Advanced Hunting queries to detect similar behaviors:

Detecting Antivirus Exclusions:

DeviceRegistryEvents | where ActionType in ("RegistryValueSet", "RegistryKeyCreated") and RegistryKey contains @"SOFTWARE\Microsoft\Windows Defender\Exclusions" | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData

This query identifies Defender exclusions being added or changed (registry reads and deletions do not match) and shows which process made the change.

Monitoring Process Activity:

DeviceProcessEvents | where FileName in~ ("taskmgr.exe", "processhacker.exe", "procexp.exe") | project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine

This query monitors execution of the analysis tools the RAT watches for. As with the Falcon version, most hits will be legitimate administrator use, so treat it as context for hosts that also match the other queries.

Identifying Persistence via Scheduled Tasks:

DeviceProcessEvents | where FileName =~ "schtasks.exe" and ProcessCommandLine contains "/create" | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FileName, ProcessCommandLine

This query detects scheduled task creation through schtasks.exe /create; task queries and deletions are left out. Tasks registered through the Task Scheduler API (for example PowerShell's Register-ScheduledTask) never pass through schtasks.exe, so also check the DeviceEvents table, where task registration is recorded with ActionType ScheduledTaskCreated.

Detecting Registry Persistence:

DeviceRegistryEvents | where ActionType == "RegistryValueSet" and RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\Run" | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RegistryKey, RegistryValueName, RegistryValueData

This query identifies values written to the Run key (both the HKLM and HKCU variants match) together with the process that wrote them.

Monitoring UAC Bypass Attempts:

DeviceProcessEvents | where ProcessCommandLine contains "eventvwr.msc" or ProcessCommandLine contains "fodhelper.exe" | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FileName, ProcessCommandLine

This query detects potential UAC bypass attempts involving the named executables; as with the Falcon query, check the initiating process and any child processes before escalating.
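The five hunts in sections 2 and 3, plus the .NonEuclid extension from section 1, expressed as offline detection rules and run over constructed sample events. This is an added example and not code from the original page, CrowdStrike or Microsoft; the events are plain dicts shaped like Defender Advanced Hunting rows (the table names DeviceRegistryEvents, DeviceProcessEvents and DeviceFileEvents and the ActionType values are Defender schema names), while the host name, account, paths and task name in the sample rows are invented.

```python
"""Offline detection rules for the NonEuclid RAT behaviours hunted above.

Added example, not code from the original page, CrowdStrike or Microsoft.
Each event is a dict shaped like a Defender Advanced Hunting row, with a
"table" key naming the source table. SAMPLE_EVENTS below are constructed.
"""
import re

# Indicators taken from the hunting queries and behaviour list on the page.
DEFENDER_EXCLUSION_KEY = r"software\microsoft\windows defender\exclusions"
RUN_KEY_PATTERN = re.compile(r"\\currentversion\\run$")
ANALYSIS_TOOLS = {"taskmgr.exe", "processhacker.exe", "procexp.exe"}
UAC_BYPASS_MARKERS = ("eventvwr.msc", "fodhelper.exe")
RANSOM_EXTENSION = ".noneuclid"

def _lower(value):
    return (value or "").lower()

def rule_defender_exclusion(ev):
    # Exclusion written under the Defender Exclusions key; deletions ignored.
    return (ev.get("table") == "DeviceRegistryEvents"
            and ev.get("ActionType") in ("RegistryValueSet", "RegistryKeyCreated")
            and DEFENDER_EXCLUSION_KEY in _lower(ev.get("RegistryKey")))

def rule_run_key_persistence(ev):
    # Value set directly on a ...\CurrentVersion\Run key (HKLM or HKCU).
    return (ev.get("table") == "DeviceRegistryEvents"
            and ev.get("ActionType") == "RegistryValueSet"
            and RUN_KEY_PATTERN.search(_lower(ev.get("RegistryKey"))) is not None)

def rule_scheduled_task_created(ev):
    # schtasks.exe with /create, so task queries and deletions do not fire.
    return (ev.get("table") == "DeviceProcessEvents"
            and _lower(ev.get("FileName")) == "schtasks.exe"
            and "/create" in _lower(ev.get("ProcessCommandLine")))

def rule_uac_bypass_binary(ev):
    # Command line referencing the auto-elevating binaries named on the page.
    cmd = _lower(ev.get("ProcessCommandLine"))
    return ev.get("table") == "DeviceProcessEvents" and any(m in cmd for m in UAC_BYPASS_MARKERS)

def rule_analysis_tool_launched(ev):
    # Context only: these tools are mostly started by legitimate administrators.
    return ev.get("table") == "DeviceProcessEvents" and _lower(ev.get("FileName")) in ANALYSIS_TOOLS

def rule_ransom_extension_written(ev):
    # File created or renamed with the .NonEuclid extension from section 1.
    return ev.get("table") == "DeviceFileEvents" and _lower(ev.get("FileName")).endswith(RANSOM_EXTENSION)

RULES = {
    "defender_exclusion_modified": rule_defender_exclusion,
    "run_key_persistence": rule_run_key_persistence,
    "scheduled_task_created": rule_scheduled_task_created,
    "uac_bypass_binary": rule_uac_bypass_binary,
    "analysis_tool_launched": rule_analysis_tool_launched,
    "ransom_extension_written": rule_ransom_extension_written,
}

def evaluate(events):
    """Return (rule_name, event) pairs for every rule each event matches."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]

def summarize(events):
    """Hit count per rule name; a quick per-host triage view."""
    counts = {}
    for name, _ in evaluate(events):
        counts[name] = counts.get(name, 0) + 1
    return counts

def _row(table, ts, **fields):
    # Builds a constructed sample row; host ws-01, the account and paths are invented.
    return {"table": table, "Timestamp": ts, "DeviceName": "ws-01", **fields}

APP = r"C:\Users\alice\AppData\Roaming\example\client.exe"  # constructed path
SAMPLE_EVENTS = [
    _row("DeviceRegistryEvents", "2025-01-10T09:00:01Z", ActionType="RegistryValueSet",
         RegistryKey=r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
         RegistryValueName=r"C:\Users\alice\AppData\Roaming\example", RegistryValueData="0"),
    _row("DeviceRegistryEvents", "2025-01-10T09:00:02Z", ActionType="RegistryValueSet",
         RegistryKey=r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
         RegistryValueName="Updater", RegistryValueData=APP),
    _row("DeviceProcessEvents", "2025-01-10T09:00:03Z", FileName="schtasks.exe",
         ProcessCommandLine=f'schtasks.exe /create /tn Updater /sc onlogon /tr "{APP}"'),
    _row("DeviceProcessEvents", "2025-01-10T09:00:04Z", FileName="fodhelper.exe",
         ProcessCommandLine=r"C:\Windows\System32\fodhelper.exe"),
    _row("DeviceProcessEvents", "2025-01-10T09:05:00Z", FileName="Taskmgr.exe",
         ProcessCommandLine=r"C:\Windows\System32\Taskmgr.exe"),
    _row("DeviceFileEvents", "2025-01-10T09:06:00Z", ActionType="FileRenamed",
         FileName="report.csv.NonEuclid"),
    # Benign rows that must not fire: a task query and a Run key deletion.
    _row("DeviceProcessEvents", "2025-01-10T09:07:00Z", FileName="schtasks.exe",
         ProcessCommandLine="schtasks.exe /query /fo LIST"),
    _row("DeviceRegistryEvents", "2025-01-10T09:08:00Z", ActionType="RegistryKeyDeleted",
         RegistryKey=r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"),
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"{ev['Timestamp']} {ev['DeviceName']} {name}")
```

Running the file prints one line per hit; on the sample rows each of the six rules fires exactly once and the two benign rows stay silent. The narrowing choices (Run key rule ignores deletions, the schtasks rule requires /create, the exclusion rule only matches writes) are the same ones that keep the Advanced Hunting queries from drowning in routine registry reads and task queries, and the analysis-tool rule is kept as context rather than an alert on its own.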

Additional Resources:

For more detailed information on NonEuclid RAT and its behaviors, refer to the following resources:

  • CYFIRMA Research on NonEuclid RAT: provides an in-depth analysis of the RAT's capabilities and indicators of compromise.
  • The Hacker News article: offers insights into the RAT's evasion techniques and distribution methods.

By utilizing these queries and resources, you can enhance your threat-hunting efforts to detect and mitigate