Query Details

Quasar RAT IOC Detection

Query

//This query searches for Quasar RAT indicators across network and file events
//Includes checks for known MD5 hashes, domains, and IP addresses
let MD5_IOCs = dynamic(['c1362ae0ed61ed13730b5bc423a6b771',
'b4bcf7088d6876a5e95b62cee9746139', '6e0597bbae126c82d19e1ceaea50b75c',
'03b88fd80414edeabaaa6bb55d1d09fc', 'b894ab525964231c3c16feb0f2cbcffa', '6b9112b4ee34e52e53104dbd538e04d3',
'7ffbc50f20e72676a31d318bc8f50483', '483e02ec373ac4ce5676af185225d035', '313ae2a853e0f47ef81040dc58247c88',
'7f9ec838f1906b3ac75a52babd2f77d6', '2c98cc1306c8e50112e907afa22cfc06', 'fd4557a540e35948c0ff20f5b717d9bd',
'c0dc33123fcfe80ba419c1a7fb8e26d3', 'af0091faafe64b5d1ecdaf654c6b6282', '1ce3d7e716ee9635bb0bea1623793e85',
'247d68ff4007bea6865af4783f7b15ab', 'b45ff49959f07f2465b83ca044d7c345', 'a1840646c8050d92c4f5140549711694',
'081b7bc6d5161210dc65068d36a6b87b', '9ffbd9c5f170871b8dd14373a030d2e4', '58179e91bf9385c939c159f8b8faad17']);
let DOMAINS_IOCs = dynamic(['carsond5.hopto.org', 'carlossosrepete.servecounterstrike.com']);
let IP_IOCs = dynamic(['23.216.147.64']);
(union isfuzzy=true
     (DeviceNetworkEvents
     // exact match on the remote address; 'in' is stricter and cheaper than a term match
     | where RemoteIP in (IP_IOCs)),
     (DeviceFileEvents
     // 'in~' compares case-insensitively, so the hash list works whether it is upper or lower case
     | where MD5 in~ (MD5_IOCs)),
     (DeviceNetworkEvents
     // DeviceNetworkEvents has no DOMAINS column; the destination host is carried in RemoteUrl
     | where RemoteUrl has_any (DOMAINS_IOCs))
)

Explanation

This query is designed to detect potential indicators of the Quasar Remote Access Trojan (RAT) by examining network and file events. It specifically looks for:

  1. Known MD5 hashes: file events whose MD5 column matches one of the listed hashes of Quasar RAT samples.
  2. Known domains: network events whose destination URL contains one of the listed command-and-control hosts. Both hosts are dynamic DNS names, so the address they resolve to can change between observations and the hostname is the more durable indicator.
  3. Known IP address: network events with a connection to the single listed address.

The three searches are combined with union isfuzzy=true, so the query still returns results from whichever tables exist if one of them is not available in the workspace. Two caveats for triage: Quasar is open-source and is routinely rebuilt by operators, so the hash list only catches the exact builds it contains and a miss is not evidence of absence; and a hit on the IP address alone should be checked against the address's current ownership before alerting, because an address shared by many tenants or a CDN will also match benign traffic.
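The matching logic above, re-implemented in Python as an added example (not code from the original page or from the Quasar project) so the three rules can be exercised offline. The IOC values are the ones listed in the query; the event records are constructed samples shaped like DeviceNetworkEvents and DeviceFileEvents rows, and the device names are invented.

```python
"""Offline check of the Quasar RAT IOC rules from the query above.

Added example, not part of the original page. Rules implemented:
  * MD5    : exact, case-insensitive (the KQL 'in~' comparison)
  * IP     : exact string match (the KQL 'in' comparison)
  * domain : the URL's host equals an IOC domain or is a subdomain of it
"""
from urllib.parse import urlsplit

# IOC values copied from the query.
MD5_IOCS = {
    "c1362ae0ed61ed13730b5bc423a6b771", "b4bcf7088d6876a5e95b62cee9746139",
    "6e0597bbae126c82d19e1ceaea50b75c", "03b88fd80414edeabaaa6bb55d1d09fc",
    "b894ab525964231c3c16feb0f2cbcffa", "6b9112b4ee34e52e53104dbd538e04d3",
    "7ffbc50f20e72676a31d318bc8f50483", "483e02ec373ac4ce5676af185225d035",
    "313ae2a853e0f47ef81040dc58247c88", "7f9ec838f1906b3ac75a52babd2f77d6",
    "2c98cc1306c8e50112e907afa22cfc06", "fd4557a540e35948c0ff20f5b717d9bd",
    "c0dc33123fcfe80ba419c1a7fb8e26d3", "af0091faafe64b5d1ecdaf654c6b6282",
    "1ce3d7e716ee9635bb0bea1623793e85", "247d68ff4007bea6865af4783f7b15ab",
    "b45ff49959f07f2465b83ca044d7c345", "a1840646c8050d92c4f5140549711694",
    "081b7bc6d5161210dc65068d36a6b87b", "9ffbd9c5f170871b8dd14373a030d2e4",
    "58179e91bf9385c939c159f8b8faad17",
}
DOMAIN_IOCS = {"carsond5.hopto.org", "carlossosrepete.servecounterstrike.com"}
IP_IOCS = {"23.216.147.64"}


def host_of(url):
    """Lowercase host of a URL or bare hostname, with scheme, port and path removed."""
    if "://" not in url:
        url = "//" + url          # lets urlsplit parse a bare host or host:port
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def domain_matches(host, ioc_domains):
    """True if host equals an IOC domain or sits under it as a subdomain.

    A suffix check is used rather than a substring check so that a longer name
    that merely embeds the indicator (e.g. carsond5.hopto.org.evil.example)
    does not match, and the parent zone (hopto.org) does not match either.
    """
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def match_network_event(ev):
    """Return the (indicator_type, value) hits for one DeviceNetworkEvents-style row."""
    hits = []
    if ev.get("RemoteIP") in IP_IOCS:
        hits.append(("ip", ev["RemoteIP"]))
    host = host_of(ev.get("RemoteUrl") or "")
    if host and domain_matches(host, DOMAIN_IOCS):
        hits.append(("domain", host))
    return hits


def match_file_event(ev):
    """Return the (indicator_type, value) hits for one DeviceFileEvents-style row."""
    md5 = (ev.get("MD5") or "").lower()
    return [("md5", md5)] if md5 in MD5_IOCS else []


def scan(network_events, file_events):
    """Union of hits across both tables: (DeviceName, table, indicator_type, value)."""
    results = []
    for ev in network_events:
        for kind, val in match_network_event(ev):
            results.append((ev["DeviceName"], "DeviceNetworkEvents", kind, val))
    for ev in file_events:
        for kind, val in match_file_event(ev):
            results.append((ev["DeviceName"], "DeviceFileEvents", kind, val))
    return results


# Constructed sample rows (device names are invented).
SAMPLE_NETWORK_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "23.216.147.64", "RemoteUrl": ""},
    {"DeviceName": "ws02", "RemoteIP": "198.51.100.7", "RemoteUrl": "http://carsond5.hopto.org:4782/"},
    {"DeviceName": "ws03", "RemoteIP": "198.51.100.8", "RemoteUrl": "https://carsond5.hopto.org.evil.example/"},
    {"DeviceName": "ws04", "RemoteIP": "198.51.100.9", "RemoteUrl": "https://www.hopto.org/"},
    {"DeviceName": "ws05", "RemoteIP": "198.51.100.10", "RemoteUrl": "carlossosrepete.servecounterstrike.com"},
]
SAMPLE_FILE_EVENTS = [
    {"DeviceName": "ws01", "MD5": "C1362AE0ED61ED13730B5BC423A6B771"},  # upper case on purpose
    {"DeviceName": "ws06", "MD5": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_NETWORK_EVENTS, SAMPLE_FILE_EVENTS):
        print(hit)
```

The domain rule here is deliberately stricter than the KQL: has_any is a term match, so in the query a hostname that embeds the indicator inside a longer name can also hit, whereas the suffix check above only accepts the IOC itself or a subdomain of it. If the looser behaviour is wanted, replace domain_matches with a plain substring test.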

Details

Alexandros Pappas

Released: November 10, 2024

Tables

DeviceNetworkEvents, DeviceFileEvents

Keywords

DeviceNetworkEvents, DeviceFileEvents

Operators

let, dynamic, union, isfuzzy, where, has_any