github splunk/security_content v4.41.0


Key Highlights

ValleyRAT Analytic Story: This release adds a set of detections for the ValleyRAT malware, improving monitoring and threat-hunting coverage of its activity on Windows systems. The story groups detections for impairing defenses, modifying the system registry, and abusing privilege escalation mechanisms. Covered tactics include disabling antivirus products through registry changes, adding Windows Defender exclusions, and UAC bypasses via FodHelper and Eventvwr. Together these detections give visibility into malicious registry changes, scheduled task anomalies, and suspicious executable placement, strengthening defenses against ValleyRAT C2 activity and privilege abuse.

Total New and Updated Content: [16]

New Analytic Story - [1]

ValleyRAT

Updated Analytic Story - [0]

New Analytics - [6]

Windows Impair Defenses Disable AV AutoStart via Registry
Windows Modify Registry Utilize ProgIDs
Windows Modify Registry ValleyRAT C2 Config
Windows Modify Registry ValleyRat PWN Reg Entry
Windows Schedule Task DLL Module Loaded
Windows Schedule Tasks for CompMgmtLauncher or Eventvwr

Updated Analytics - [9]

Add or Set Windows Defender Exclusion
CMLUA Or CMSTPLUA UAC Bypass
Eventvwr UAC Bypass
Executables Or Script Creation In Suspicious Path
FodHelper UAC Bypass
Suspicious Process File Path
WinEvent Windows Task Scheduler Event Action Started
Windows Access Token Manipulation SeDebugPrivilege
Windows Defender Exclusion Registry Entry
