Today’s article is somewhat a continuation of Detection Content: Arkei Stealer since the author of the detection rule for Ave Maria RAT is the same, and both malicious tools have recently been actively spread using the Spamhaus Botnet. 

Ave Maria is a Remote Access Trojan that is often used by adversaries to take over the infected systems and enable them with remote control capabilities. The trojan was first observed being spread through malicious phishing campaigns in 2018 and its presence on infected systems has been on the rise ever since. The Ave Maria RAT is armed with more functions than the typical trojan spy. It uses UAC bypass and process tokens to elevate its privileges. Once it has done that, it will execute a PowerShell cmdlet to modify Windows Defender’s settings and exclude specific paths from being scanned in real time. 

The recently released Sigma rule by Lee Archinal enables security solutions to detect fresh instances of Ave Maria malware on Windows systems:


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint



Tactics: Persistence

Techniques: Registry Run Keys / Startup Folder (T1060)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts