Query Details

Threat Hunting Nighthawk RAT

IOC Nighthawk Rat

Query

let NighthawkRat = dynamic(['0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988', '9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8', '38881b87826f184cc91559555a3456ecf00128e01986a9df36a72d60fb179ccf', 'f3bba2bfd4ed48b5426e36eba3b7613973226983a784d24d7a20fcf9df0de74e', 'b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94']);
DeviceFileEvents
| where SHA256 in (NighthawkRat)
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine

About this query

Threat Hunting Nighthawk RAT

Query Information

Description

IOC Source: https://raw.githubusercontent.com/fboldewin/YARA-rules/master/nighthawk.yar Publish Date: 22 November 2022

Defender XDR

Sentinel

let NighthawkRat = dynamic(['0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988', '9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8', '38881b87826f184cc91559555a3456ecf00128e01986a9df36a72d60fb179ccf', 'f3bba2bfd4ed48b5426e36eba3b7613973226983a784d24d7a20fcf9df0de74e', 'b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94']);
DeviceFileEvents
| where SHA256 in (NighthawkRat)
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine

Explanation

This query is designed for threat hunting, specifically targeting the Nighthawk Remote Access Trojan (RAT). It uses a list of known malicious file hashes (SHA256) associated with Nighthawk RAT to search through device file events. The query is written for two different platforms: Defender XDR and Sentinel.

Here's a simple breakdown of what the query does:

  1. Define Known Threats: It starts by defining a list of SHA256 hashes that are known to be associated with the Nighthawk RAT. These hashes are unique identifiers for specific malicious files.

  2. Search for Matches: The query searches through device file events to find any files that match these known malicious hashes.

  3. Extract Relevant Information: For any matches found, the query extracts and displays key details such as:

    • The timestamp of the event.
    • The name of the device where the event occurred.
    • The name of the file involved.
    • The folder path where the file is located.
    • The command line of the process that initiated the file event.

The main difference between the two queries is the field name for the timestamp: "Timestamp" in Defender XDR and "TimeGenerated" in Sentinel. This query helps security analysts identify and investigate potential infections by the Nighthawk RAT on their network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceFileEvents

Keywords

NighthawkRatDeviceFileEventsTimestampDeviceNameFileNameFolderPathInitiatingProcessCommandLineTimeGenerated

Operators

letdynamicinwhereproject

Actions

GitHub