# *ValleyRAT Exploiting BYOVD*
## Query Information
#### MITRE ATT&CK Technique(s) and Mitigation(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1543.003 | Create or Modify System Process: Windows Service | https://attack.mitre.org/techniques/T1543/003/ |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | https://attack.mitre.org/techniques/T1574/002/ |
| T1547.001 | Boot/Logon Autostart Execution: Registry Run Keys / Startup Folder | https://attack.mitre.org/techniques/T1547/001/ |
| M1047 | Audit | https://attack.mitre.org/mitigations/M1047/ |
#### Description
This KQL query detects a key technique used in the ValleyRAT campaign described in the HexaStrike blog post. The rule focuses on the service-installation step of a "Bring Your Own Vulnerable Driver" (BYOVD) attack: the attacker registers a legitimately signed but vulnerable driver (or another attacker-controlled binary) as a new Windows service so that it is loaded with kernel or SYSTEM privileges, survives reboots, and can then be abused against endpoint security tooling.
#### Detection Logic
The query analyzes DeviceRegistryEvents to identify suspicious changes to Windows services:
- **Service path manipulation:** It looks for writes to the ImagePath registry value beneath HKLM\SYSTEM\<ControlSet>\Services\<service>. This value tells Windows which file to execute (or which driver to load) when the service starts.
- **Suspicious locations:** The core of the detection is a filter for services whose ImagePath points to an unusual location, such as a temporary directory (%TEMP%, C:\Windows\Temp, a user's AppData\Local\Temp) or C:\ProgramData. Legitimate system drivers are almost always loaded from C:\Windows\System32\drivers, typically written as `\SystemRoot\System32\drivers\<name>.sys` or `system32\DRIVERS\<name>.sys`, and the value may carry the NT-style `\??\` prefix. A driver that is dropped into System32\drivers before installation will not be caught by this path filter and needs a separate rule (for example on the file write or on the driver-load event).
- **Exclusions:** To reduce false positives, the rule excludes known legitimate ImagePath values under C:\ProgramData, specifically the Microsoft Defender platform and definition-update folders, which Defender rewrites on every platform update.
By identifying services that are configured to load files from untypical paths, this rule surfaces a common tactic used by attackers to bypass security controls and establish a foothold on a system.
#### Risk
Persistence and privilege escalation achieved by registering an untrusted or custom executable or driver as a Windows service
#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**
#### References
- https://hexastrike.com/resources/blog/threat-intelligence/valleyrat-exploiting-byovd-to-kill-endpoint-security/
## Defender XDR
```KQL
// ValleyRAT detection (https://hexastrike.com/resources/blog/threat-intelligence/valleyrat-exploiting-byovd-to-kill-endpoint-security/)
// thanks to Maurice Fielenbach, whose blog post served as inspiration for this detection
DeviceRegistryEvents
// ImagePath being written tells Windows which binary (driver or executable) the service loads
| where ActionType == "RegistryValueSet" and RegistryValueName == "ImagePath"
// only direct service keys under a control set: ControlSet\d{3} replaces the greedy ControlSet.*
// and [^\\]+$ drops writes to sub-keys such as ...\Services\<svc>\Parameters
| where RegistryKey matches regex @"HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\[^\\]+$"
// staging locations a dropped vulnerable driver is typically loaded from; legitimate drivers live in System32\drivers
| where RegistryValueData has_any ("%TEMP%", @"%LOCALAPPDATA%\Temp", @"C:\Windows\Temp", @"\AppData\Local\Temp", @"C:\ProgramData")
// known-good Defender paths under C:\ProgramData (platform updates relocate MsMpEng.exe under a new Platform\<version> folder)
| where not(RegistryValueData has_any (@"C:\ProgramData\Microsoft\Windows Defender\Platform\",
                                       @"\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\"))
| project Timestamp, DeviceName, RegistryKey, RegistryValueData,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
```
This KQL query detects one step of the "Bring Your Own Vulnerable Driver" (BYOVD) technique used in the ValleyRAT campaign. In short:
- **Purpose:** Identify suspicious modifications to Windows services that could indicate an attacker is trying to gain persistence and high-level privileges on a system.
- **Detection focus:** Writes to the ImagePath registry value, which specifies the file a service executes or the driver it loads, where that path points to a temporary folder or C:\ProgramData instead of the usual C:\Windows\System32\drivers location.
- **Exclusions:** Known-good ImagePath values under C:\ProgramData, such as the Microsoft Defender platform and definition-update folders, are excluded to avoid false positives.
- **Risk:** Persistence and privilege escalation through an untrusted or custom executable or driver registered as a service.
- **Author and references:** The query was authored by Benjamin Zulliger and references the HexaStrike blog post that details the ValleyRAT campaign.
Overall, this query is a detection rather than a preventive control: it surfaces services configured to load from vulnerable-driver staging locations so that responders can act before the driver is used to bypass security controls and maintain unauthorized access.
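To make the rule's logic testable outside the Defender portal, the following Python script reimplements the detection described under Detection Logic and in the summary above and runs it over constructed DeviceRegistryEvents rows. It is an added example, not code from the original page or from the KQLAdvancedHunting repository; the service names, hostnames and Defender version folder in the sample events are made up, and plain substring matching stands in for KQL's term-based `has_any`. It also covers two details a hunter trips over in practice: ImagePath values that carry the NT `\??\` prefix or are quoted with trailing arguments, and writes to a service's `Parameters` sub-key, which the regex is meant to ignore.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Same key scope as the KQL: a direct service key under ControlSetNNN or CurrentControlSet.
# [^\\]+$ rejects sub-keys such as ...\Services\<svc>\Parameters.
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\[^\\]+$",
    re.IGNORECASE,
)

# Staging locations from the query; legitimate drivers load from System32\drivers.
SUSPICIOUS_LOCATIONS = (
    r"%TEMP%",
    r"%LOCALAPPDATA%\Temp",
    r"C:\Windows\Temp",
    r"\AppData\Local\Temp",
    r"C:\ProgramData",
)

# Known-good Defender folders under C:\ProgramData (prefix match after normalization).
EXCLUDED_PREFIXES = (
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\",
)


@dataclass
class RegistryEvent:
    """Subset of DeviceRegistryEvents columns used by the rule."""
    action_type: str
    registry_key: str
    value_name: str
    value_data: str
    device_name: str = "host"
    initiating_process: str = ""


def normalize_image_path(value_data: str) -> str:
    """Reduce an ImagePath value to the bare file path.

    Strips the NT-style \\??\\ prefix, unwraps a quoted path, and drops
    arguments that follow an unquoted .exe/.sys/.dll path.
    """
    p = value_data.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.match(r"^(.*?\.(?:exe|sys|dll))(?:\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p


def is_suspicious_location(path: str) -> bool:
    low = path.lower()
    return any(loc.lower() in low for loc in SUSPICIOUS_LOCATIONS)


def is_excluded(path: str) -> bool:
    low = path.lower()
    return any(low.startswith(ex.lower()) for ex in EXCLUDED_PREFIXES)


def match_event(ev: RegistryEvent) -> Optional[dict]:
    """Return a finding for one event, or None if the rule does not fire."""
    if ev.action_type != "RegistryValueSet" or ev.value_name.lower() != "imagepath":
        return None
    if not SERVICE_KEY_RE.match(ev.registry_key):
        return None
    path = normalize_image_path(ev.value_data)
    if not is_suspicious_location(path) or is_excluded(path):
        return None
    return {
        "device": ev.device_name,
        "service": ev.registry_key.rsplit("\\", 1)[-1],
        "image_path": path,
        "raw": ev.value_data,
        "initiating_process": ev.initiating_process,
    }


def hunt(events: List[RegistryEvent]) -> List[dict]:
    return [hit for hit in (match_event(e) for e in events) if hit]


# Constructed sample telemetry (names, hosts and version folder are invented).
HKLM = "HKEY_LOCAL_MACHINE\\SYSTEM\\"
SAMPLE_EVENTS = [
    RegistryEvent("RegistryValueSet", HKLM + "ControlSet001\\Services\\TmpDrv", "ImagePath",
                  r"\??\C:\ProgramData\Tmp\drv.sys", "ws01", "sc.exe"),            # driver staged in ProgramData
    RegistryEvent("RegistryValueSet", HKLM + "CurrentControlSet\\Services\\WinDefend", "ImagePath",
                  r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe"'),  # excluded
    RegistryEvent("RegistryValueSet", HKLM + "ControlSet001\\Services\\LegitDrv", "ImagePath",
                  r"\SystemRoot\System32\drivers\legit.sys"),                          # normal driver path
    RegistryEvent("RegistryValueSet", HKLM + "CurrentControlSet\\Services\\TempAgent", "ImagePath",
                  r'"C:\Users\alice\AppData\Local\Temp\agent.exe" --service', "ws02", "powershell.exe"),
    RegistryEvent("RegistryValueSet", HKLM + "ControlSet001\\Services\\SomeSvc\\Parameters", "ImagePath",
                  r"C:\ProgramData\x.exe"),                                            # sub-key, out of scope
    RegistryEvent("RegistryValueDeleted", HKLM + "ControlSet001\\Services\\Old", "ImagePath",
                  r"C:\Windows\Temp\old.sys"),                                         # not a value set
    RegistryEvent("RegistryValueSet", HKLM + "ControlSet002\\Services\\EnvTemp", "ImagePath",
                  r"%TEMP%\upd.exe", "ws03", "cmd.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running the script prints three findings (TmpDrv, TempAgent and EnvTemp); the Defender platform path, the driver in System32\drivers, the `Parameters` sub-key write and the value deletion are all dropped, which is the behaviour the KQL rule is meant to have.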

Benjamin Zulliger
Released: October 9, 2025