Query Details

ValleyRAT Exploiting BYOVD

Valley RAT Detection

Query

//Valley RAT Detection (https://hexastrike.com/resources/blog/threat-intelligence/valleyrat-exploiting-byovd-to-kill-endpoint-security/)
// thx Maurice Fielenbach Blog Post which served as inspiration for this detection
DeviceRegistryEvents
| where ActionType == "RegistryValueSet" and RegistryValueName == "ImagePath"
//| where 
| where RegistryKey matches regex @"HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet.*|CurrentControlSet)\\Services\\"
| where RegistryValueData has_any ("%TEMP%", @"%LOCALAPPDATA%\Temp", @"C:\Windows\Temp", @"\AppData\Local\Temp", @"C:\ProgramData")
| where not(RegistryValueData 
            has_any (@"C:\ProgramData\Microsoft\Windows Defender\Platform\",
                     @"\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\"))

About this query

Explanation

This KQL query is designed to detect a specific attack technique used in the Valley RAT campaign, which involves exploiting a "Bring Your Own Vulnerable Driver" (BYOVD) method. Here's a simplified summary of what the query does:

  1. Purpose: The query aims to identify suspicious modifications to Windows services that could indicate an attacker is trying to gain persistence and high-level privileges on a system.

  2. Detection Focus:

    • Service Path Manipulation: It looks for changes to the ImagePath registry value, which specifies the file to execute when a service starts.
    • Suspicious Locations: The query flags services whose ImagePath points to unusual directories, such as temporary folders or the C:\ProgramData directory, instead of the typical C:\Windows\System32\drivers folder where legitimate drivers are usually located.
  3. Exclusions: To avoid false positives, the query excludes known legitimate processes, such as those related to Microsoft Defender, which might also write to these directories.

  4. Risk: The query helps identify potential persistence and privilege escalation attempts by detecting untrusted or custom executables being used inappropriately.

  5. Author and References: The query was authored by Benjamin Zulliger, and it references a blog post from HexaStrike that details the Valley RAT campaign.

Overall, this query is a security measure to detect and prevent attackers from using vulnerable drivers to bypass security controls and maintain unauthorized access to a system.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: October 9, 2025

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEventsWindowsServicesImagePathKeyValueData

Operators

DeviceRegistryEvents|where==andmatches regexhas_anynot

Actions

GitHub