Threat Hunting Rules: Ave Maria RAT

Today’s article is something of a continuation of Detection Content: Arkei Stealer, since the author of the detection rule for Ave Maria RAT is the same, and both malicious tools have recently been actively spread using the Spamhaus Botnet.

Ave Maria is a Remote Access Trojan that adversaries use to take over infected systems and gain remote control of them. The trojan was first observed being spread through malicious phishing campaigns in 2018, and its presence on infected systems has been on the rise ever since. The Ave Maria RAT is armed with more functions than a typical spyware trojan. It uses a UAC bypass and process tokens to elevate its privileges. Once elevated, it executes a PowerShell cmdlet that modifies Windows Defender’s settings to exclude specific paths from real-time scanning.

The recently released Sigma rule by Lee Archinal enables security solutions to detect fresh instances of Ave Maria malware on Windows systems: https://tdm.socprime.com/tdm/info/ZGLAAj2QfLbS/vhcCvnMBPeJ4_8xc3FVl/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Persistence

Techniques: Registry Run Keys / Startup Folder (T1060)
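As an added example (not the Sigma rule linked above, whose logic is only available on TDM), the following Python sketch hunts for the two behaviours this article describes: a PowerShell Defender exclusion being added, and a Run-key value (T1060) pointing at a user-writable path. The events are constructed Sysmon-style records, and the cmdlet name Add-MpPreference is an assumption, since the article does not name the cmdlet Ave Maria uses.

```python
import re

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# creation, EventID 13 = registry value set. Two benign-looking events are
# included so the rules can be seen ignoring them.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -w hidden Add-MpPreference -ExclusionPath "C:\\Users\\Public\\svc"'},
    {"EventID": 13, "Image": r"C:\Users\Public\svc\images.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\images",
     "Details": r'"C:\Users\Public\svc\images.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-MpPreference"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# Assumption: the Defender change is made with Add-/Set-MpPreference and one of
# its -Exclusion* parameters (the article only says "a PowerShell cmdlet").
DEFENDER_EXCLUSION = re.compile(r"(?i)\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)")
# Run / RunOnce keys under HKLM or any HKU hive.
RUN_KEY = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\")
# Persistence entries that launch from locations an unprivileged user can write.
USER_WRITABLE = re.compile(r"(?i)^C:\\(Users|ProgramData)\\")


def defender_exclusion_added(event):
    """True for a process-creation event whose command line adds a Defender exclusion."""
    return event.get("EventID") == 1 and bool(DEFENDER_EXCLUSION.search(event.get("CommandLine", "")))


def run_key_to_user_path(event):
    """True for a registry-set event writing a Run-key value that points into a user-writable path."""
    if event.get("EventID") != 13 or not RUN_KEY.search(event.get("TargetObject", "")):
        return False
    # Run values are often stored quoted; strip quotes before inspecting the path.
    return bool(USER_WRITABLE.match(event.get("Details", "").strip('"')))


def hunt(events):
    """Return (event index, rule name) pairs for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if defender_exclusion_added(ev):
            hits.append((i, "defender_exclusion"))
        if run_key_to_user_path(ev):
            hits.append((i, "run_key_persistence"))
    return hits
```

Correlating both hits on the same host within a short window is the stronger signal; either alone can also occur during legitimate administration or installs.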

Ready to try out SOC Prime TDM? Sign up for free. Or join the Threat Bounty Program to craft your own content and share it with the TDM community.