Query Details

ANY.RUN Obfuscated BAT Dropper Delivers NetSupport RAT Post

Query

// ANY.RUN Obfuscated BAT Dropper Delivers NetSupport RAT post
// https://www.linkedin.com/posts/any-run_obfuscated-virustotal-powershell-activity-7336393368698028034-cayg/

let QueryLookup = 1h;
let ObfuscatedBAT =
DeviceProcessEvents
| where Timestamp > ago(QueryLookup)
| where InitiatingProcessFileName =~ "cmd.exe"
    and InitiatingProcessCommandLine has ".bat"
| where FileName =~ "powershell.exe"
    and ProcessCommandLine has "-WindowStyle Hidden"   // powershell.exe's parameter is -WindowStyle, not -WindowsStyle
    and ProcessCommandLine has "Invoke-WebRequest"
| distinct DeviceName;
DeviceRegistryEvents
| where Timestamp > ago(QueryLookup)
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
| where RegistryValueData has "client32.exe"
| where DeviceName has_any(ObfuscatedBAT)

Explanation

This query is designed to detect a specific type of malicious activity on devices within the last hour. Here's a simplified breakdown of what it does:

  1. Identify Suspicious Processes:

    • It looks for processes whose parent is "cmd.exe" with a command line that references a batch file (".bat").
    • It further filters these to instances where the child process is "powershell.exe" launched with specific command line arguments:
      • "-WindowStyle Hidden" (the process runs without a visible window).
      • "Invoke-WebRequest" (a network request is made, commonly used to download a second stage or script).
  2. Track Registry Changes:

    • It checks for registry changes within the same time frame, specifically looking for modifications in the registry key path associated with programs that run at startup.
    • It searches for entries where "client32.exe" is set to run at startup, which could indicate persistence mechanisms of malware.
  3. Cross-Reference Devices:

    • The query cross-references devices identified in the first step (running the suspicious batch and PowerShell commands) with those making the registry changes.

Overall, this query aims to detect devices that might be compromised by an obfuscated batch script that downloads and potentially installs a remote access tool (RAT) like NetSupport, by observing both process execution patterns and registry modifications.
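The query above only correlates at device level: any device that saw the suspicious PowerShell launch and, separately, a Run-key value naming client32.exe anywhere in the last hour. The following variant is an added example, not part of the original post or of Steven Lim's or ANY.RUN's query. It joins the two signals on DeviceId, requires the registry write to land within a proximity window after the PowerShell launch (the 30-minute value is an assumed tuning choice), and returns both pieces of evidence in one row so an analyst can triage without re-querying. Column names (DeviceId, AccountName, RegistryValueName, InitiatingProcessFileName) are standard Defender XDR advanced hunting schema columns.

```kql
// Added example: join-based correlation of the BAT -> PowerShell download
// with Run-key persistence for client32.exe, with a time proximity constraint.
let QueryLookup = 1h;
let ProximityWindow = 30m;   // assumed tuning value: registry write must follow the PowerShell launch within this window
let SuspiciousPowerShell =
    DeviceProcessEvents
    | where Timestamp > ago(QueryLookup)
    | where InitiatingProcessFileName =~ "cmd.exe"
        and InitiatingProcessCommandLine has ".bat"
    | where FileName =~ "powershell.exe"
        and ProcessCommandLine has "-WindowStyle Hidden"
        and ProcessCommandLine has "Invoke-WebRequest"
    | project DeviceId, DeviceName, PsTime = Timestamp,
        PsAccount = AccountName,
        BatCommandLine = InitiatingProcessCommandLine,
        PsCommandLine = ProcessCommandLine;
let RunKeyPersistence =
    DeviceRegistryEvents
    | where Timestamp > ago(QueryLookup)
    | where ActionType == "RegistryValueSet"
    | where RegistryKey has @"\Software\Microsoft\Windows\CurrentVersion\Run"
    | where RegistryValueData has "client32.exe"
    | project DeviceId, RegTime = Timestamp, RegistryKey, RegistryValueName,
        RegistryValueData, RegWriter = InitiatingProcessFileName;
SuspiciousPowerShell
| join kind=inner RunKeyPersistence on DeviceId
// keep only registry writes that occur after the PowerShell launch and within the window
| where RegTime between (PsTime .. (PsTime + ProximityWindow))
| project DeviceName, PsTime, RegTime, PsAccount, BatCommandLine, PsCommandLine,
    RegWriter, RegistryKey, RegistryValueName, RegistryValueData
| order by PsTime desc
```

RegWriter (the process that set the Run value) is worth keeping in the output: a value written by powershell.exe or by the freshly dropped client32.exe itself is far more suspicious than one written by an installer, and it gives the responder the next process to pivot on. The join also preserves the original query's term-based "has" matching, so a legitimately deployed NetSupport Manager client that happens to be on the same device but was installed hours earlier no longer pairs with an unrelated PowerShell download.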

Details


Steven Lim

Released: June 6, 2025

Tables

DeviceProcessEvents, DeviceRegistryEvents

Keywords

DeviceProcessEvents DeviceRegistryEvents Timestamp InitiatingProcessFileName InitiatingProcessCommandLine FileName ProcessCommandLine DeviceName ActionType RegistryKey RegistryValueData

Operators

let, =, >, ago(), =~, and, has, distinct, ==, has_any()
