diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index 049ae23f0e..036a01fc20 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml @@ -45,6 +45,7 @@ tags: - Living Off The Land - Azorult - Data Destruction + - Warzone RAT asset_type: Endpoint automated_detection_testing: passed confidence: 50 diff --git a/detections/endpoint/create_remote_thread_in_shell_application.yml b/detections/endpoint/create_remote_thread_in_shell_application.yml index f01508ffd4..ee0424a20e 100644 --- a/detections/endpoint/create_remote_thread_in_shell_application.yml +++ b/detections/endpoint/create_remote_thread_in_shell_application.yml @@ -26,6 +26,7 @@ tags: analytic_story: - IcedID - Qakbot + - Warzone RAT asset_type: Endpoint confidence: 100 impact: 70 diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 59ed5543bc..cf58957157 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -61,6 +61,7 @@ tags: - Trickbot - Amadey - BlackByte Ransomware + - Warzone RAT asset_type: Endpoint confidence: 50 impact: 40 diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml index 20019c2fcd..5df47acda1 100644 --- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml +++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml @@ -30,6 +30,7 @@ tags: - XMRig - Windows Registry Abuse - Azorult + - Warzone RAT asset_type: Endpoint confidence: 80 impact: 90 
diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index 28ff767a07..0823d14c8f 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml @@ -33,6 +33,7 @@ tags: - AgentTesla - RedLine Stealer - FIN7 + - Warzone RAT asset_type: Endpoint confidence: 70 impact: 50 diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/endpoint/office_application_drop_executable.yml index 6db52a07dc..25a7435abd 100644 --- a/detections/endpoint/office_application_drop_executable.yml +++ b/detections/endpoint/office_application_drop_executable.yml @@ -39,6 +39,7 @@ tags: - FIN7 - AgentTesla - CVE-2023-21716 Word RTF Heap Corruption + - Warzone RAT asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml index 9e4f45b0fa..d9aaaf0f52 100644 --- a/detections/endpoint/office_product_spawn_cmd_process.yml +++ b/detections/endpoint/office_product_spawn_cmd_process.yml @@ -44,6 +44,7 @@ tags: - AgentTesla - CVE-2023-21716 Word RTF Heap Corruption - CVE-2023-36884 Office and Windows HTML RCE Vulnerability + - Warzone RAT asset_type: Endpoint confidence: 80 impact: 70 diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml index cc54072880..4c2dcda256 100644 --- a/detections/endpoint/ping_sleep_batch_command.yml +++ b/detections/endpoint/ping_sleep_batch_command.yml @@ -34,6 +34,7 @@ tags: - Data Destruction - WhisperGate - BlackByte Ransomware + - Warzone RAT asset_type: Endpoint confidence: 60 impact: 60 
diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml index a58d983c17..92dfcaf521 100644 --- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml +++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml @@ -34,6 +34,7 @@ tags: - Windows Defense Evasion Tactics - Data Destruction - WhisperGate + - Warzone RAT asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 39d59f14ac..8e119c4e3c 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -68,6 +68,7 @@ tags: - Amadey - Sneaky Active Directory Persistence Tricks - BlackByte Ransomware + - Warzone RAT asset_type: Endpoint confidence: 95 impact: 80 diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index fa4177a4db..93419d33fe 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml @@ -62,6 +62,7 @@ tags: - Trickbot - Amadey - BlackByte Ransomware + - Warzone RAT asset_type: Endpoint confidence: 50 impact: 70 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 1934c691fc..42d159f29f 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml @@ -29,6 +29,7 @@ tags: analytic_story: - RedLine Stealer - Amadey + - Warzone RAT asset_type: Endpoint confidence: 50 impact: 50 
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 1e40b0019c..df3f1faa77 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -29,6 +29,7 @@ tags: analytic_story: - RedLine Stealer - Amadey + - Warzone RAT asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index e32b32de0d..f002641c85 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml @@ -33,6 +33,7 @@ tags: - Windows Defense Evasion Tactics - Azorult - Qakbot + - Warzone RAT asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/windows_iso_lnk_file_creation.yml b/detections/endpoint/windows_iso_lnk_file_creation.yml index 49fe7b666d..ca1ced3fe6 100644 --- a/detections/endpoint/windows_iso_lnk_file_creation.yml +++ b/detections/endpoint/windows_iso_lnk_file_creation.yml @@ -40,6 +40,7 @@ tags: - IcedID - Azorult - Remcos + - Warzone RAT asset_type: Endpoint confidence: 50 impact: 80 diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml index 288d10dfa6..af80492f8f 100644 --- a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml +++ b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml @@ -40,6 +40,7 @@ tags: - IcedID - Azorult - Remcos + - Warzone RAT asset_type: Endpoint confidence: 80 impact: 50 
diff --git a/detections/endpoint/windows_process_injection_remote_thread.yml b/detections/endpoint/windows_process_injection_remote_thread.yml index f5eb4114dc..efa9733bc9 100644 --- a/detections/endpoint/windows_process_injection_remote_thread.yml +++ b/detections/endpoint/windows_process_injection_remote_thread.yml @@ -32,6 +32,7 @@ tags: analytic_story: - Qakbot - Graceful Wipe Out Attack + - Warzone RAT asset_type: 80 confidence: 80 impact: 80 diff --git a/stories/warzone_rat.yml b/stories/warzone_rat.yml new file mode 100644 index 0000000000..f7e8d26400 --- /dev/null +++ b/stories/warzone_rat.yml 
@@ -0,0 +1,28 @@ +name: Warzone RAT +id: 8dc84752-f4da-4285-931c-bddd5c4d440b +version: 1 +date: '2023-07-26' +author: Teoderick Contreras, Splunk +description: This analytic story contains detections that allow security analysts to detect and investigate unusual activities + that might related to warzone (ve maria) RAT. This analytic story looks for suspicious process execution, command-line activity, downloads, persistence, defense evasion and more. +narrative: Warzone RAT, also known as Ave Maria, is a sophisticated remote access trojan (RAT) that surfaced in January 2019. + Originally offered as malware-as-a-service (MaaS), it rapidly gained notoriety and became one of the most prominent malware strains by 2020. + Its exceptional capabilities in stealth and anti-analysis techniques make it a formidable threat in various campaigns, including those targeting sensitive geopolitical entities. + The malware's impact is particularly concerning as it has been associated with attacks aimed at compromising government employees and military personnel, + notably within India's National Informatics Centre (NIC). Its deployment by several advanced persistent threat (APT) groups further underlines its potency and adaptability in the hands of skilled threat actors. + Warzone RAT's capabilities enable attackers to gain unauthorized access to targeted systems, facilitating data theft, surveillance, + and the potential to wreak havoc on critical infrastructures. As the threat landscape continues to evolve, vigilance and robust cybersecurity measures are crucial in defending against such malicious tools." + This version provides more context and elaborates on the malware's capabilities and potential impact. Additionally, it emphasizes the importance of cybersecurity measures to combat such threats effectively. 
+references: +- https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone#:~:text=Warzone%20RAT%20(AKA%20Ave%20Maria)%20is%20a%20remote%20access%20trojan,is%20as%20an%20information%20stealer. +- https://tccontre.blogspot.com/2020/02/2-birds-in-one-stone-ave-maria-wshrat.html +tags: + analytic_story: Warzone RAT + category: + - Malware + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection
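Review bot: the `windows_process_injection_remote_thread.yml` hunk exposes a pre-existing field error in its context lines that should be fixed while this file is being touched: directly under the added `- Warzone RAT` entry the context reads `asset_type: 80`, whereas every other detection in this patch carries `asset_type: Endpoint`. The `80` looks like a copy of the adjacent `confidence: 80` / `impact: 80` values; please change it to `asset_type: Endpoint` so the detection passes schema validation alongside the others.

Review bot: the new `stories/warzone_rat.yml` hunk ships leaked editorial text in the `narrative` field and needs a cleanup before merge. The narrative ends with a stray closing double-quote after `malicious tools."` and is followed by the sentence `This version provides more context and elaborates on the malware's capabilities and potential impact. Additionally, it emphasizes ...`, which describes the paragraph rather than the malware and should be deleted along with the stray quote. In the same hunk, the `description` reads `might related to warzone (ve maria) RAT`; suggest `might be related to Warzone (Ave Maria) RAT` so the alias matches the one given in the narrative. Finally, the BlackBerry reference URL carries a `#:~:text=...` text-fragment anchor that is browser-specific and will break link checking; trim it to `https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/warzone`.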