ValleyRAT Exploiting BYOVD
Valley RAT Detection
Query
//Valley RAT Detection (https://hexastrike.com/resources/blog/threat-intelligence/valleyrat-exploiting-byovd-to-kill-endpoint-security/)
// thx Maurice Fielenbach Blog Post which served as inspiration for this detection
DeviceRegistryEvents
| where ActionType == "RegistryValueSet" and RegistryValueName == "ImagePath"
//| where
| where RegistryKey matches regex @"HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet.*|CurrentControlSet)\\Services\\"
| where RegistryValueData has_any ("%TEMP%", @"%LOCALAPPDATA%\Temp", @"C:\Windows\Temp", @"\AppData\Local\Temp", @"C:\ProgramData")
| where not(RegistryValueData
has_any (@"C:\ProgramData\Microsoft\Windows Defender\Platform\",
@"\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\"))About this query
Explanation
This KQL query is designed to detect a specific attack technique used in the Valley RAT campaign, which involves exploiting a "Bring Your Own Vulnerable Driver" (BYOVD) method. Here's a simplified summary of what the query does:
-
Purpose: The query aims to identify suspicious modifications to Windows services that could indicate an attacker is trying to gain persistence and high-level privileges on a system.
-
Detection Focus:
- Service Path Manipulation: It looks for changes to the
ImagePathregistry value, which specifies the file to execute when a service starts. - Suspicious Locations: The query flags services whose
ImagePathpoints to unusual directories, such as temporary folders or theC:\ProgramDatadirectory, instead of the typicalC:\Windows\System32\driversfolder where legitimate drivers are usually located.
- Service Path Manipulation: It looks for changes to the
-
Exclusions: To avoid false positives, the query excludes known legitimate processes, such as those related to Microsoft Defender, which might also write to these directories.
-
Risk: The query helps identify potential persistence and privilege escalation attempts by detecting untrusted or custom executables being used inappropriately.
-
Author and References: The query was authored by Benjamin Zulliger, and it references a blog post from HexaStrike that details the Valley RAT campaign.
Overall, this query is a security measure to detect and prevent attackers from using vulnerable drivers to bypass security controls and maintain unauthorized access to a system.
