The StrRAT-Malware-Persistence rule detects the persistence mechanism used by StrRAT, a Java-based remote access tool: cmd.exe launched from java.exe or javaw.exe to register a scheduled task named Skype. SOC teams should proactively hunt for this behaviour in Azure Sentinel (now Microsoft Sentinel) to identify and remediate StrRAT infections before they lead to credential theft, data exfiltration or lateral movement.
KQL Query
DeviceProcessEvents
| where InitiatingProcessFileName in~("java.exe","javaw.exe")
| where FileName == 'cmd.exe' and ProcessCommandLine has_all("schtasks /create", "tn Skype")
Note the mixed case handling: in~ matches the parent image name case-insensitively and has_all matches its terms case-insensitively, but == on FileName is case-sensitive, so a child process logged as CMD.EXE would be missed; =~ is the case-insensitive equivalent if that is a concern in your telemetry.
id: fa9ef60d-4025-490b-94bd-5bff2aa3b4a7
name: StrRAT-Malware-Persistence
description: |
  StrRAT is a Java-based remote access tool that steals browser credentials, logs keystrokes and takes remote control of infected systems. It also has a module that downloads additional payloads onto the infected machine on command from its C2 server. Additionally, it carries a ransomware encryption/decryption module that appends the .crimson extension to encrypted files.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Persistence
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName in~("java.exe","javaw.exe")
  | where FileName == 'cmd.exe' and ProcessCommandLine has_all("schtasks /create", "tn Skype")
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) data connector; ensure it is enabled and that endpoints are onboarded to Defender for Endpoint |
False Positives
The query fires only when all three conditions hold: the parent process is java.exe or javaw.exe, the child process is cmd.exe, and the child's command line contains both schtasks /create and the task name Skype. Assess candidate exclusions against those conditions before adding them; most of the scenarios below cannot match the query as written.
Scenario: Scheduled system maintenance task using schtasks.exe
Filter/Exclusion: Check for CommandLine containing schtasks.exe /create /tn "MaintenanceTask" /tr "C:\Windows\System32\svchost.exe" /sc daily
Rationale: Legitimate scheduled tasks use the same schtasks /create syntax, but this one is not launched from java.exe or javaw.exe and its task name is MaintenanceTask rather than Skype, so the query does not match it. No exclusion is needed; only a task named Skype created by cmd.exe under a Java parent fires the rule.
Scenario: Java-based application deployment using java -jar
Filter/Exclusion: Check for CommandLine containing java -jar "C:\Program Files\MyApp\app.jar"
Rationale: Enterprise Java applications satisfy the parent-process condition, since they run under java.exe or javaw.exe, and some spawn cmd.exe to register scheduled tasks. The java -jar launch itself does not match, and a task with any name other than Skype does not match either. If a known application in a known install path does register a task named Skype, exclude it by its InitiatingProcessFolderPath rather than by loosening the task-name condition, which is the rule's main discriminator.
Scenario: Admin task to configure Windows services using sc.exe
Filter/Exclusion: Check for CommandLine containing sc.exe create "MyService" binPath= "C:\Windows\System32\svchost.exe"
Rationale: Service creation with sc.exe is a neighbouring persistence technique, but it does not match this query: the child process must be cmd.exe and its command line must contain schtasks /create. No exclusion is needed.
Scenario: Log file rotation using logrotate on Linux
Filter/Exclusion: Check for CommandLine containing /usr/sbin/logrotate /etc/logrotate.conf
Rationale: DeviceProcessEvents also carries telemetry from Linux devices onboarded to Defender for Endpoint, but the query's conditions (a Java parent launching cmd.exe with schtasks /create) only occur on Windows, so logrotate cannot match. No exclusion is needed.
Scenario: Antivirus or endpoint protection tool updating its database
Filter/Exclusion: Check for CommandLine containing C:\Program Files\Bitdefender\BitdefenderApplication.exe --update
Rationale: Security-tool updates are neither launched from java.exe or javaw.exe nor executed through cmd.exe with schtasks /create, so they do not match the query. No exclusion is needed; if an update component does register a scheduled task, the task name is what matters, and only a task named Skype fires the rule.
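To check how the query above behaves against the false-positive scenarios, and to see the effect of == versus =~ on FileName and of a folder-path exclusion, here is an added Python emulation of the rule over a handful of constructed DeviceProcessEvents rows. This is example code written for this page, not Microsoft's rule or anything that talks to Sentinel; the events, device names and the "ContosoDeploy" Java application are fabricated, and KQL's term-based has_all is approximated with a whole-term matcher rather than substring search.

```python
"""Emulate the StrRAT-Malware-Persistence KQL query over constructed
DeviceProcessEvents rows (added example; not Microsoft's rule code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence

_TERM = re.compile(r"\w+")  # approximation of KQL term boundaries


@dataclass
class DeviceProcessEvent:
    """Subset of the DeviceProcessEvents columns the query touches."""
    DeviceName: str
    InitiatingProcessFileName: str
    InitiatingProcessFolderPath: str
    FileName: str
    ProcessCommandLine: str


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS: List[DeviceProcessEvent] = [
    # StrRAT-style persistence: javaw.exe spawns cmd.exe to register a task named Skype.
    DeviceProcessEvent("ws01", "javaw.exe", r"C:\Program Files\Java\jre1.8.0_291\bin", "cmd.exe",
        r'cmd.exe /c schtasks /create /tn Skype /tr "C:\Users\alice\AppData\Roaming\invoice.jar" /sc minute'),
    # Same behaviour, but the image names were logged in upper case.
    DeviceProcessEvent("ws02", "JAVAW.EXE", r"C:\Program Files\Java\jre1.8.0_291\bin", "CMD.EXE",
        r'CMD.EXE /c schtasks /create /tn Skype /tr "C:\Users\bob\AppData\Roaming\scan.jar" /sc minute'),
    # Java parent, but a maintenance task with a different name (scenario 1 above).
    DeviceProcessEvent("srv01", "java.exe", r"C:\Program Files\Java\jre1.8.0_291\bin", "cmd.exe",
        r'cmd.exe /c schtasks.exe /create /tn "MaintenanceTask" /tr "C:\Windows\System32\svchost.exe" /sc daily'),
    # Task named Skype, but the parent is PowerShell, not Java.
    DeviceProcessEvent("ws03", "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0", "cmd.exe",
        r'cmd.exe /c schtasks /create /tn Skype /tr "C:\Tools\agent.exe" /sc hourly'),
    # Plain java -jar deployment (scenario 2 above): no cmd.exe child at all.
    DeviceProcessEvent("srv02", "explorer.exe", r"C:\Windows", "java.exe",
        r'java -jar "C:\Program Files\MyApp\app.jar"'),
    # Hypothetical internal Java tool in a known path that legitimately registers a task named Skype.
    DeviceProcessEvent("srv03", "javaw.exe", r"C:\Program Files\ContosoDeploy\jre\bin", "cmd.exe",
        r'cmd.exe /c schtasks /create /tn Skype /tr "C:\Program Files\ContosoDeploy\sync.cmd" /sc daily'),
    # Task name merely starts with Skype: not a whole term, so has_all does not match it.
    DeviceProcessEvent("ws04", "javaw.exe", r"C:\Program Files\Java\jre1.8.0_291\bin", "cmd.exe",
        r'cmd.exe /c schtasks /create /tn SkypeRoomSync /tr "C:\Tools\rooms.cmd" /sc daily'),
]


def terms(text: str) -> List[str]:
    """Split text into lower-cased terms the way KQL's term index roughly does."""
    return [t.lower() for t in _TERM.findall(text)]


def has(text: str, phrase: str) -> bool:
    """Approximate KQL `has`: the phrase's terms must occur as a run of whole
    terms in text, case-insensitively; a partial term such as SkypeRoomSync
    does not satisfy a search for Skype."""
    needle, hay = terms(phrase), terms(text)
    n = len(needle)
    return n > 0 and any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


def has_all(text: str, phrases: Sequence[str]) -> bool:
    return all(has(text, p) for p in phrases)


def matches_rule(ev: DeviceProcessEvent, case_insensitive_filename: bool = False) -> bool:
    """The two `where` clauses of the published query."""
    # in~ : case-insensitive membership test on the parent image name.
    parent_is_java = ev.InitiatingProcessFileName.lower() in ("java.exe", "javaw.exe")
    # == is case-sensitive in KQL; =~ is the case-insensitive form.
    if case_insensitive_filename:
        child_is_cmd = ev.FileName.lower() == "cmd.exe"
    else:
        child_is_cmd = ev.FileName == "cmd.exe"
    return parent_is_java and child_is_cmd and has_all(
        ev.ProcessCommandLine, ("schtasks /create", "tn Skype"))


def run_query(events: Iterable[DeviceProcessEvent],
              case_insensitive_filename: bool = False,
              excluded_parent_folders: Sequence[str] = ()) -> List[DeviceProcessEvent]:
    """Return matching rows. excluded_parent_folders emulates a tuning clause such as
    `| where InitiatingProcessFolderPath !in~ (...)` for a known Java application."""
    excluded = {p.lower().rstrip("\\") for p in excluded_parent_folders}
    return [ev for ev in events
            if matches_rule(ev, case_insensitive_filename)
            and ev.InitiatingProcessFolderPath.lower().rstrip("\\") not in excluded]


if __name__ == "__main__":
    contoso = [r"C:\Program Files\ContosoDeploy\jre\bin"]  # hypothetical allow-listed path
    for label, hits in (
        ("as published        ", run_query(SAMPLE_EVENTS)),
        ("with =~ on FileName ", run_query(SAMPLE_EVENTS, case_insensitive_filename=True)),
        ("tuned (=~ + exclude)", run_query(SAMPLE_EVENTS, True, contoso)),
    ):
        print(label, [e.DeviceName for e in hits])
```

Running it shows that the published query returns only ws01 and srv03, the =~ variant adds the upper-cased ws02, and the folder-path exclusion removes srv03 without touching the task-name condition, which is what keeps ws03, ws04, srv01 and srv02 out in every variant.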