WindowsAudit Backdoor: Inside a .NET RAT That Hides in Discord
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Profero IRT identified a .NET 8 backdoor named WindowsAudit.exe that relies on Discord as its main command-and-control channel, while also supporting MQTT and Telegram as fallback communication paths. The malware operates as a Windows service, creates a backup copy of itself, establishes multiple persistence mechanisms, and carries out credential theft, Active Directory abuse, and defense-evasion activity. It also sets up WireGuard tunnels to support covert lateral movement within the environment. The overall tradecraft suggests the attackers may be preparing affected networks for a later ransomware stage.
Investigation
Investigators obtained the WindowsAudit binary, confirmed it was a modular C# remote access trojan, and reverse engineered its embedded DLL component. Their analysis detailed the malware’s persistence techniques, communication architecture, credential-dumping capabilities, and evasion methods, including AMSI and ETW patching. The team also examined a related dropper called WinSATSvc, which appeared designed to restore the malware if removed. From this work, researchers extracted a set of indicators of compromise to support hunting and detection.
Mitigation
Recommended detections include monitoring for creation of the WindowsAudit service, the associated Run key entries, the Global\WindowsAuditSingleInstance mutex, and suspicious Add-MpPreference executions. Defenders should also block or alert on TLS traffic to Discord and HiveMQ infrastructure, while watching for bcdedit safe-boot changes and suspicious scheduled task creation. Any WireGuard tunnel configuration tied to the malware should be removed, and all persistence mechanisms established by the backdoor should be disabled.
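To show how the indicators above translate into host-side detection logic, here is an added Python example (not Profero's rules or code) that classifies constructed sample events. The service name, mutex and C2 hostnames come from the report; the flat event-record shape and the command-line patterns are assumptions.

```python
import re

# Indicators from the report: service name, mutex and C2 hostnames. The event
# records below are constructed sample telemetry, not real logs from the incident.
SERVICE = "windowsaudit"
MUTEX = r"global\windowsauditsingleinstance"
C2_HOSTS = re.compile(r"(^|\.)(discord\.gg|hivemq\.cloud)$")

PROCESS_RULES = [  # (detection name, pattern applied to the lower-cased command line)
    ("WindowsAudit service creation", re.compile(r"\bsc(\.exe)?\b.*\bcreate\b.*\b" + SERVICE)),
    ("Defender exclusion added", re.compile(r"add-mppreference.*-exclusion(path|process|extension)")),
    ("Safe-boot change via bcdedit", re.compile(r"\bbcdedit\b.*\bsafeboot\b")),
    ("Run-key persistence", re.compile(r"\breg(\.exe)?\b.*\badd\b.*\\currentversion\\run\b.*" + SERVICE)),
    ("Scheduled task creation", re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*" + SERVICE)),
]

def classify(event):
    """Return the list of detection names an event matches (empty list = no hit)."""
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "").lower()
        return [name for name, rx in PROCESS_RULES if rx.search(cmd)]
    if kind == "mutex":
        return ["WindowsAudit single-instance mutex"] if event.get("name", "").lower() == MUTEX else []
    if kind == "dns":
        return ["C2 DNS query (Discord/HiveMQ)"] if C2_HOSTS.search(event.get("query", "").lower()) else []
    return []

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"type": "process", "cmdline": r'sc.exe create WindowsAudit binPath= "C:\ProgramData\WindowsAudit\WindowsAudit.exe" start= auto'},
    {"type": "process", "cmdline": r'powershell -c "Add-MpPreference -ExclusionPath C:\ProgramData\WindowsAudit"'},
    {"type": "process", "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"type": "process", "cmdline": r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsAudit /d C:\ProgramData\WindowsAudit\WindowsAudit.exe"},
    {"type": "process", "cmdline": r"notepad.exe C:\Users\user\notes.txt"},
    {"type": "mutex", "name": r"Global\WindowsAuditSingleInstance"},
    {"type": "dns", "query": "gateway.discord.gg"},
    {"type": "dns", "query": "broker-example.hivemq.cloud"},
    {"type": "dns", "query": "www.microsoft.com"},
]

def scan(events):
    """Map the index of every matching event to the detections it triggered."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i], "->", hits)
```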
Response
Organizations should immediately hunt for the published indicators of compromise, isolate affected systems, and stop the WindowsAudit service. Memory and disk images should be collected for forensic review, malicious binaries should be removed, and any compromised credentials should be reset. Security teams should also verify that unauthorized EDR exclusions have been removed, confirm that Safe Mode configuration changes have been reversed, and continue monitoring for reinstallation or recreation of the malware components.
Attack Flow
graph TB
  %% Class definitions
  classDef technique fill:#ffcc99
  classDef tool fill:#cccccc
  classDef malware fill:#ff9999
  classDef process fill:#99ff99
  classDef operator fill:#ff9900

  %% Nodes – Techniques and Tools
  exploit_remote_services["<b>Technique</b> – <b>T1210 Exploitation of Remote Services</b><br/>Copy malicious binary to remote hosts via SMB and start it with sc.exe"]
  class exploit_remote_services technique
  lateral_smb["<b>Technique</b> – <b>T1080 Lateral Movement via Shared Content</b><br/>Spread using SMB shares and execute remote commands"]
  class lateral_smb technique
  wmi_event_sub["<b>Technique</b> – <b>T1546.003 Windows Management Instrumentation Event Subscription</b><br/>Register WMI event that triggers payload for persistence"]
  class wmi_event_sub technique
  scheduled_task["<b>Technique</b> – <b>T1053 Scheduled Task/Job</b><br/>Create task that runs in Safe Mode to remove EDR and re-arm malware after reboot"]
  class scheduled_task technique
  defender_exclusion["<b>Technique</b> – <b>T1564.012 Hide Artifacts: File Path Exclusions</b><br/>Add Windows Defender exclusion for install path and executable"]
  class defender_exclusion technique
  safe_mode_boot["<b>Technique</b> – <b>T1562.009 Safe Mode Boot</b><br/>Boot into Safe Mode to reinstall components"]
  class safe_mode_boot technique
  vpn_proxy["<b>Technique</b> – <b>T1090 Proxy</b> and <b>T1572 Protocol Tunneling</b><br/>Deploy WireGuard VPN and SOCKS5 proxy to tunnel traffic"]
  class vpn_proxy technique
  c2_discord["<b>Technique</b> – <b>T1102.002 Web Service: Discord</b><br/>Use Discord as primary command and control channel"]
  class c2_discord technique
  c2_mqtt["<b>Technique</b> – <b>T1102 Web Service (MQTT)</b><br/>Secondary C2 via MQTT broker"]
  class c2_mqtt technique
  c2_fallback["<b>Technique</b> – <b>T1008 Fallback Channels</b><br/>Switch to MQTT or Telegram when Discord unavailable"]
  class c2_fallback technique
  rat["<b>Malware</b> – Remote Access Tool (RAT)"]
  class rat malware
  os_cred_dump["<b>Technique</b> – <b>T1003 OS Credential Dumping</b><br/>Dump LSASS memory with MiniDumpWriteDump"]
  class os_cred_dump technique
  shadow_copy["<b>Technique</b> – <b>T1003.007 Volume Shadow Copy</b><br/>Extract SAM and SYSTEM hives via shadow copies"]
  class shadow_copy technique
  browser_passwords["<b>Technique</b> – <b>T1555.003 Credentials from Web Browsers</b><br/>Decrypt saved passwords using DPAPI"]
  class browser_passwords technique
  cred_manager["<b>Technique</b> – <b>T1555.004 Credentials from Windows Credential Manager</b><br/>Extract stored credentials"]
  class cred_manager technique
  golden_ticket["<b>Technique</b> – <b>T1558.001 Golden Ticket</b><br/>Create forged Kerberos TGT for domain admin"]
  class golden_ticket technique
  silver_ticket["<b>Technique</b> – <b>T1558.002 Silver Ticket</b><br/>Forge service tickets for targeted services"]
  class silver_ticket technique
  pass_hash["<b>Technique</b> – <b>T1550.002 Pass the Hash</b><br/>Reuse NTLM hash to authenticate"]
  class pass_hash technique
  pass_ticket["<b>Technique</b> – <b>T1550.003 Pass the Ticket</b><br/>Reuse Kerberos ticket for lateral movement"]
  class pass_ticket technique
  dc_sync["<b>Technique</b> – <b>T1003.006 DCSync</b><br/>Force domain controller to replicate password data"]
  class dc_sync technique
  dc_auth["<b>Technique</b> – <b>T1556.001 Domain Controller Authentication</b><br/>Modify authentication process on DC"]
  class dc_auth technique
  process_hollowing["<b>Technique</b> – <b>T1055.012 Process Hollowing</b><br/>Inject code into elevated process"]
  class process_hollowing technique
  apc_injection["<b>Technique</b> – <b>T1055.004 Asynchronous Procedure Call</b><br/>Inject code via APC"]
  class apc_injection technique
  clear_event_logs["<b>Technique</b> – <b>T1070.001 Clear Windows Event Logs</b><br/>Remove evidence of activity"]
  class clear_event_logs technique
  screen_capture["<b>Technique</b> – <b>T1113 Screen Capture</b><br/>Capture screenshots"]
  class screen_capture technique
  video_capture["<b>Technique</b> – <b>T1125 Video Capture</b><br/>Record video of desktop"]
  class video_capture technique
  audio_capture["<b>Technique</b> – <b>T1123 Audio Capture</b><br/>Record microphone audio"]
  class audio_capture technique
  keylogging["<b>Technique</b> – <b>T1056.001 Keylogging</b><br/>Capture keystrokes"]
  class keylogging technique
  exfil_discord["<b>Technique</b> – <b>T1041 Exfiltration Over Command and Control Channel</b><br/>Upload data as Discord attachments"]
  class exfil_discord technique
  exfil_mqtt["<b>Technique</b> – <b>T1041 Exfiltration Over Command and Control Channel</b><br/>Send data via MQTT messages"]
  class exfil_mqtt technique

  %% Logical operators (optional)
  op_and1(("AND"))
  class op_and1 operator

  %% Connections – Attack Flow
  exploit_remote_services -->|copies binary via SMB| lateral_smb
  lateral_smb -->|executes remote command with sc.exe| wmi_event_sub
  wmi_event_sub -->|provides persistence| scheduled_task
  scheduled_task -->|runs in safe mode| safe_mode_boot
  safe_mode_boot -->|re-arms malware| vpn_proxy
  vpn_proxy -->|tunnels traffic| c2_discord
  c2_discord -->|primary C2 channel| rat
  rat -->|collects credentials| os_cred_dump
  os_cred_dump -->|gets LSASS dump| shadow_copy
  os_cred_dump -->|feeds| browser_passwords
  os_cred_dump -->|feeds| cred_manager
  os_cred_dump -->|enables| golden_ticket
  os_cred_dump -->|enables| silver_ticket
  golden_ticket -->|provides domain admin access| pass_hash
  silver_ticket -->|provides service access| pass_ticket
  rat -->|uses| pass_hash
  rat -->|uses| pass_ticket
  rat -->|uses| dc_sync
  rat -->|uses| dc_auth
  rat -->|elevates via| process_hollowing
  rat -->|elevates via| apc_injection
  rat -->|clears logs| clear_event_logs
  rat -->|captures| screen_capture
  rat -->|captures| video_capture
  rat -->|captures| audio_capture
  rat -->|captures| keylogging
  screen_capture -->|exfiltrates via| exfil_discord
  video_capture -->|exfiltrates via| exfil_discord
  audio_capture -->|exfiltrates via| exfil_discord
  keylogging -->|exfiltrates via| exfil_discord
  exfil_discord -->|fallback to| exfil_mqtt
  c2_discord -->|fallback to| c2_fallback
  c2_fallback -->|uses| c2_mqtt
  c2_mqtt -->|receives exfiltrated data| exfil_mqtt
Detections
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Possible IP Lookup Domain Communications Attempted (via dns)
- Suspicious Bcdedit Execution (via cmdline)
- Windows Defender Preferences Suspicious Changes (via powershell)
- Possible Abuse Discord as a C2 Channel (via dns_query)
- Detection of WindowsAudit RAT Single Instance Mutex [Windows Sysmon]
- WindowsAudit Backdoor Command and Control Communication [Windows Network Connection]
- Detection of WindowsAudit Backdoor and Associated Activities [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
An attacker has deployed the WindowsAudit backdoor on the victim host. To retrieve commands, the backdoor performs DNS lookups to Discord (gateway.discord.gg) and to a malicious MQTT broker hosted on *.hivemq.cloud. These lookups are issued via native Windows APIs (no external tools) to stay low-profile. The DNS queries are the sole observable artifact used by the Sigma rule for detection.
Regression Test Script:
# WindowsAudit C2 DNS beacon simulation
# Generates the exact DNS queries the Sigma rule watches for.
$c2Endpoints = @(
    "gateway.discord.gg",
    "malicious1.hivemq.cloud",
    "malicious2.hivemq.cloud"
)
foreach ($fqdn in $c2Endpoints) {
    try {
        # Use the native Windows DNS resolver
        Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop | Out-Null
        Write-Host "[+] Queried $fqdn"
    } catch {
        # Resolution failure is expected for the placeholder broker names; the query itself is the telemetry
        Write-Warning "Failed to resolve $fqdn (simulated C2)"
    }
    Start-Sleep -Seconds 5   # mimic realistic beacon interval
}
Cleanup Commands:
# Flush the DNS cache to remove traces of the simulated queries
ipconfig /flushdns
Write-Host "[*] DNS cache cleared."