Follow 
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
CrySome RAT is a .NET remote access trojan that enables full remote control, credential theft, and layered persistence. It includes an AVKiller component designed to disable security tooling and uses recovery-partition abuse plus offline registry edits to survive resets and rebuild access. To maintain long-term footholds, the malware leverages hidden virtual desktops, watchdog processes, scheduled tasks, and Windows services, creating redundant execution paths that complicate cleanup.
Investigation
The report combines static decompilation of the C# client with dynamic behavior analysis. Investigators mapped modular components—such as SelfProtect, AVKiller, Survival, and command handlers—to distinct capabilities and control flows. Persistence was traced across scheduled tasks, RunOnce registry entries, service installation, and recovery-partition deployment used to re-seed artifacts after system recovery actions. Network behavior was identified as plain TCP command-and-control using a custom packet format.
Mitigation
Monitor for scheduled tasks named CrySomeLoader and services named WindowsHealthMonitor. Regularly audit RunOnce and other autorun registry locations for unknown or newly added entries. Block crysome.net and any associated IP infrastructure at DNS/proxy layers. Enforce tamper-protected security configurations to prevent AVKiller-style defense disablement and alert on attempts to change Defender or endpoint protection settings.
Response
Isolate hosts exhibiting CrySome indicators and collect volatile evidence before remediation. Perform forensic review of recovery partitions and offline registry hives to identify hidden persistence. Remove redundant binaries, delete the malicious scheduled tasks, services, and registry entries, and restore Microsoft Defender settings to a known-good baseline. Deploy EDR detections covering the specific process names and command-line patterns associated with CrySome execution.
Attack Flow
We are still updating this part. Sign up to get notified
Notify MeDetections
Windows Defender Preferences Suspicious Changes (via powershell)
View
Possible Accessibility Features via Registry Abuse (via cmdline)
View
Possible Manual Service or Driver Install for Persistence (via cmdline)
View
Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via cmdline)
View
Possible Silent Process Exit Mechanism Utilisation (via registry_event)
View
Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
View
Possible Schtasks or AT Usage for Persistence (via cmdline)
View
Disabling Windows Defender Protections (via registry_event)
View
Suspicious Ransomware Interfering Service Stoppage (via cmdline)
View
IOCs (HashSha256) to detect: CrySome RAT : An Advanced Persistent .NET Remote Access Trojan
View
Disable Microsoft Defender via PowerShell and Registry [Windows Powershell]
View
CrySome RAT Process Self-Protection Detection [Windows Sysmon]
View
CrySome RAT Persistence and Defense Evasion [Windows Registry Event]
View
Detection of CrySome RAT Defense Evasion Techniques [Windows Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands:
The CrySome RAT operator first gains a foothold on the victim machine. To hide the malicious payload, the RAT spawns
conhost.exeas a child of its own process, leveraging the native console host to mask its command line. Next, it launchesRuntimeBroker.exeto blend in with legitimate Windows background tasks, achieving masquerading. Finally, the attacker runs a PowerShell one‑liner that disables Microsoft Defender real‑time protection, using theSet-MpPreferencecmdlet. Each step generates a distinct 4688 event that matches the detection rule.1. RAT process (e.g., CrySome.exe) → Start-Process -FilePath "C:WindowsSystem32conhost.exe" -ArgumentList "/c ..." 2. RAT process → Start-Process -FilePath "C:WindowsSystem32RuntimeBroker.exe" -ArgumentList "/TaskHost ..." 3. RAT process → powershell.exe -NoProfile -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true" -
Regression Test Script:
# ------------------------------------------------------------------------- # CrySome RAT technique simulation – intended to trigger the Sigma rule # ------------------------------------------------------------------------- # 1. Spawn conhost.exe (acts as a stealth console host) Start-Process -FilePath "$env:SystemRootSystem32conhost.exe" -ArgumentList "/c ping -n 5 127.0.0.1" -WindowStyle Hidden # 2. Spawn RuntimeBroker.exe (masquerading as a trusted Windows component) Start-Process -FilePath "$env:SystemRootSystem32RuntimeBroker.exe" -ArgumentList "/TaskHost" -WindowStyle Hidden # 3. Disable Defender using PowerShell (defense evasion) $psCmd = 'Set-MpPreference -DisableRealtimeMonitoring $true' Start-Process -FilePath "$env:SystemRootSystem32WindowsPowerShellv1.0powershell.exe" ` -ArgumentList "-NoProfile -WindowStyle Hidden -Command `$psCmd" ` -WindowStyle Hidden Write-Host "Simulation complete – check your SIEM for alerts." -
Cleanup Commands:
# Terminate any lingering test processes (run as Administrator) Get-Process -Name conhost, RuntimeBroker, powershell | Stop-Process -Force # Re‑enable Defender (restore normal defensive posture) Set-MpPreference -DisableRealtimeMonitoring $false Write-Host "Cleanup finished."