Query Details

Hunting Non Euclid RAT

Query

// π—‘π—Όπ—»π—˜π˜‚π—°π—Ήπ—Άπ—± π—₯𝗔𝗧
// https://www.cyfirma.com/research/noneuclid-rat/
// NonEuclid Remote Access Trojan (RAT) is a powerful malware designed for unauthorized remote access and control of computers. Developed using C# for the .NET Framework 4.8, it employs advanced evasion techniques such as antivirus bypass, privilege escalation, anti-detection, and ransomware encryption. Its stealth, dynamic DLL loading, anti-VM checks, and AES encryption have made it popular among cybercriminals.

// Currently, the IOC hash for NonEuclid.exe and Client.exe shows zero detections on VirusTotal and no global prevalence. Defenders should begin searching for the file hash and use KQL to detect file renames to the ".NonEuclid" extension. (Threat intelligence report in comment section)

// You may need to do a one-time exclusion of your corporate-developed exe running as a task; after that you should catch the 🐀 🤣

// KQL Code:

// Known-good executables that legitimately run from scheduled tasks (add your own).
let WhitelistExe = dynamic(["Iamclean.exe"]);
// Low-prevalence (LP) executables: newly created .exe files whose SHA1 is seen on fewer than 50 devices globally.
let MaliciousLPExe =
DeviceFileEvents
| where isnotempty(SHA1)
| where ActionType == @"FileCreated" and FileName endswith ".exe"
| invoke FileProfile("SHA1",1000)          // enrich up to 1000 hashes with file reputation fields
| where GlobalPrevalence < 50
| distinct FileName;
// Scheduled task creations that reference one of those low-prevalence executables, minus the whitelist.
DeviceEvents
| where ActionType == @"ScheduledTaskCreated"
| where AdditionalFields has_any(MaliciousLPExe)
| where not (AdditionalFields has_any(WhitelistExe))
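The post also recommends hunting for files renamed to the ".NonEuclid" extension. The query below is an added example written for this page, not part of the original query or the CYFIRMA report. It assumes the standard DeviceFileEvents schema (FileRenamed action type, PreviousFileName column); the 7-day lookback, 5-minute bucket and the threshold of 10 renames per bucket are assumptions chosen to surface an encryption burst rather than a single renamed file.

```kql
// Added example (not from the original post): detect a burst of renames to ".NonEuclid",
// the extension the post says defenders should watch for. Thresholds are assumptions.
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileRenamed"
| where FileName endswith ".NonEuclid"
| summarize RenamedFiles = count(),
            SampleRenames = make_set(strcat(PreviousFileName, " -> ", FileName), 10),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessSHA1,
       InitiatingProcessAccountName, bin(Timestamp, 5m)
// Many renames from one process in a short window point to encryption, not a user renaming a file.
| where RenamedFiles >= 10
| order by RenamedFiles desc
```

The InitiatingProcessSHA1 column in the result can be fed straight back into the FileProfile() enrichment used above to confirm that the renaming process is itself a low-prevalence binary.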

Explanation

This KQL (Kusto Query Language) query is designed to help detect potentially malicious executable files, specifically focusing on the NonEuclid Remote Access Trojan (RAT). Here's a simplified breakdown of what the query does:

  1. Whitelist Definition: It defines a list of known safe executable files, in this case just one file named "Iamclean.exe". This is used to exclude legitimate files from being flagged as malicious.

  2. Identify Low-Prevalence Executables:
    • It searches for events where executable files (with a ".exe" extension) are created on devices.
    • It checks the SHA1 hash of these files to see if they are known to VirusTotal, a service that aggregates antivirus scan results.
    • It keeps only files with a low global prevalence (less than 50), meaning they are not widely recognized or used, which could indicate they are suspicious or new malware.

  3. Detect Scheduled Tasks:
    • It looks for events where a scheduled task is created on a device.
    • It checks if any of the low-prevalence executables identified earlier are involved in these scheduled tasks.
    • It ensures that none of these tasks involve the whitelisted executable files.

The goal of this query is to help security teams identify and investigate potentially malicious activities related to the NonEuclid RAT by focusing on unusual executable files and their use in scheduled tasks, while excluding known safe files from consideration.

Details


Steven Lim

Released: January 10, 2025

Tables

DeviceFileEvents, DeviceEvents

Keywords

DeviceFileEvents, DeviceEvents

Operators

let, dynamic, isnotempty, where, and, endswith, invoke, distinct, has_any, not
