Nanocore RAT has been used in cyberattacks for about 7 years, and there are a huge number of modifications of this trojan. Official, “semi-official” and cracked versions of this malware are sold on forums on the DarkNet, and sometimes even given away for free, so it is not surprising that the number of attacks using it remains high. 

The design of Nanocore RAT is focused on ease-of-use means, so even unskilled adversaries can carry out full-fledged malicious campaigns. The trojan has a wide range of capabilities for espionage and remote control of the system, it provides full access to the infected system, and also allows adversaries to record audio and video, perform keylogging, collect credentials and other personal information.

NanoCore RAT comes with base plugins that expand the performance capability of the malware and allow threat actors to do just about anything they want to once they gain complete, anonymous control over infected systems. 

The exclusive Sigma rule “NanoCore detection” is one of the very first contributions of Aytek Aytemur who has recently joined the Threat Bounty Program:

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint



Tactics: Execution, Persistence, Privilege Escalation

Techniques: Scheduled Task (T1053)



Check more content by Threat Bounty Program developers to spot NanoCore:

NanoCore Rat Detection (Persistence via schtasks) by Emir Erdogan


Nanocore behavior (Powershell Detection) by Ariel Millahuel

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts