DarkWatchman RAT detection with Wazuh

August 9th 2023 | by Oluwaseyi Soneye | Wazuh 4.4.5

DarkWatchman is a JavaScript Remote Access Trojan (RAT) paired with a C# keylogger that targets Windows endpoints. It provides attackers with the ability to establish connections to compromised systems, facilitating the unauthorized extraction of sensitive data. The RAT exhibits malicious functionalities which include the ability to capture keystrokes and monitor clipboard data.

A notable characteristic of the DarkWatchman RAT is that the keylogger uses Windows Registry fileless storage mechanism. It refrains from writing the captured data to disk and instead stores it in the Windows Registry.

DarkWatchman RAT behavior

When the DarkWatchman RAT is executed on a Windows endpoint, it exhibits the following behaviors:

Creates a Windows Defender exclusion for the C:\ drive by using the PowerShell command below:

powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"

Creates a JavaScript file in the Windows %temp% folder with a file name that combines the first 8 characters of the MachineGUID and the string 0.js.
Spawns the Windows Script Host wscript.exe from a command shell cmd.exe.
Executes the JavaScript file using wscript.exe and specifies that the script should be executed using the JScript engine.
wscript.exe creates a regsvr32.exe process and uses it for side-loading suspicious .dll files.
Writes and stores its configuration in the registry path Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM.
Starts a keylogger in the background and writes the data to registry keys in the path Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM.

Initiates TCP connections with an external domain for data exfiltration.

Infrastructure

We use the following infrastructure to demonstrate the detection of the DarkWatchman RAT with Wazuh.

A pre-built ready-to-use Wazuh OVA 4.4.5. Follow this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
A Windows 10 victim endpoint with Wazuh agent 4.4.5 installed and enrolled to the Wazuh server. Refer to the installatio n guide to learn how to install the Wazuh agent on Windows.

Detection with Wazuh

In this blog post, we use the following techniques to detect the presence and behavior of the DarkWatchman RAT on infected Windows endpoints:

VirusTotal Integration
Windows Registry monitoring
Custom detection rules

VirusTotal integration

VirusTotal is an online service that examines suspicious files, URLs, domain names, and IP addresses to detect security threats. Wazuh provides built-in VirusTotal integration that works with the Wazuh File integrity monitoring (FIM) module to detect malicious file hashes.

We set up the VirusTotal integration on the Wazuh server and FIM on the Windows endpoint to monitor the Downloads folder. The Wazuh dashboard generates alerts whenever a DarkWatchman RAT executable is added to the Downloads folder.

Windows endpoint

Perform the following steps to configure FIM on the victim endpoint.

1. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file.

2. Add the below configuration within the <syscheck> block to monitor the Downloads folders of all users in real-time:

<directories realtime="yes">C:\Users\*\Downloads</directories>

NOTE: In this blog post, we monitor the Downloads folder. However, you can monitor any folder you wish.

3. Launch PowerShell with administrative privileges, and restart the Wazuh agent for the changes to take effect:

> Restart-Service -Name wazuh

Wazuh server

Perform the following steps to configure VirusTotal integration on the Wazuh server.

1. Follow the instructions from the VirusTotal API key page to obtain a free key for scanning files if you don’t have one already.

2. Append the following settings to the /var/ossec/etc/ossec.conf file and replace <YOUR_VIRUS_TOTAL_API_KEY> with your VirusTotal API key obtained in step 1 above:

<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><YOUR_VIRUS_TOTAL_API_KEY></api_key>
    <rule_id>554,550</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

The FIM rule IDs 554 and 550 detect file addition and modification events respectively. These rule IDs trigger VirusTotal to scan the added or modified file on the monitored endpoint to detect the presence of the DarkWatchman RAT.

3. Restart the Wazuh manager to apply the configuration changes:

$ sudo systemctl restart wazuh-manager

Detection results

From the Agents tab in your Wazuh dashboard, select the Windows endpoint and navigate to the Security events tab to view the generated alerts.

The image below shows alerts generated on the Wazuh dashboard after the DarkWatchman RAT executable is added to the Windows endpoint.

Windows Registry monitoring

The DarkWatchman RAT exhibits a strategic evasion technique wherein it does not write captured data to disk. It stores the data in the registry path Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM.

We can monitor the registry values added by the DarkWatchman RAT. We configure the Wazuh FIM module to detect when registry values are added or modified in the registry path Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM.

Windows collects information from the HKEY_USERS registry and uses it to build the HKEY_CURRENT_USER registry. Under the HKEY_CURRENT_USER registry, Windows creates different registry hives for all users on an endpoint using the user Security Identifier (SID). To monitor the registry targeted by DarkWatchman RAT with FIM, we reference the registry using the user SID.

Configuration

Perform the following steps on the Windows endpoint to retrieve the user’s SID and configure the FIM module to monitor the registry path:

1. Run the following command in PowerShell with administrator privileges to get the SID for your user. We selected our own user Tester in the command below. Replace Tester with your own system user.

> Get-LocalUser -Name Tester | Select *

You can see the expected output below:

AccountExpires     	:
Description        	:
Enabled            	: True
FullName           	:
PasswordChangeableDate  : 3/29/2023 11:30:37 AM
PasswordExpires    	:
UserMayChangePassword   : True
PasswordRequired   	: False
PasswordLastSet    	: 3/29/2023 11:30:37 AM
LastLogon          	: 3/29/2023 11:54:02 AM
Name               	: Tester
SID                	: S-1-5-21-3515401657-3425787980-3165840520-1002
PrincipalSource    	: Local
ObjectClass        	: User

NOTE: You can run Get-LocalUser | Select * to return all accounts on the endpoint.

From the output, the SID for the user Tester is S-1-5-21-3515401657-3425787980-3165840520-1002.

2. Add the following configuration within the <syscheck> block in the “C:\Program Files (x86)\ossec-agent\ossec.conf” file. This configures FIM to monitor the HKEY_USERS\S-1-5-21-3515401657-3425787980-3165840520-1002\Software\Microsoft\Windows\DWM registry path in our case. You must replace it with the SID for your user.

<windows_registry check_all="yes" report_changes="yes" arch="both" tags="DarkWatchman RAT">HKEY_USERS\S-1-5-21-3515401657-3425787980-3165840520-1002\Software\Microsoft\Windows\DWM</windows_registry>

NOTE: We set the frequency that syscheck is executed to 60 seconds for testing purposes: <frequency>60</frequency>

3. Restart the Wazuh agent to apply the configuration changes:

> Restart-Service -Name wazuh

Detection results

The GIF below shows the alerts generated on the Wazuh dashboard by the FIM module when the DarkWatchman RAT is executed on the victim endpoint.

Create a filter on the dashboard to display only activities related to the HKEY_USERS\<SID>\Software\Microsoft\Windows\DWM registry path.Expand one of the ‘Registry Value Integrity Checksum Changed’ events and navigate to syscheck.diff to view the data written by DarkWatchman RAT. The event in the GIF shows Clipboard data.

Displaying FIM alerts and creating a filter on the Wazuh dashboard.

Custom detection rules

We use Sysmon to monitor several system events and create custom detection rules on the Wazuh server to detect the malicious behaviors of Darkwatchman RAT malware.

Follow the steps below to detect the malicious activities performed by Darkwatchman RAT malware on the Windows endpoint.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture logs with Sysmon and send them to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred location.

3. Download the Sysmon configuration file – sysmonconfig.xml. Replace <SYSMON_EXECUTABLE_PATH> with the directory path to your Sysmon executable.

wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

4. Edit the sysmonconfig.xml file and include the below configuration within the <EventFiltering> block. This configures Sysmon to detect changes made to the HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM and HKEY_USERS\<SID>\Software\Microsoft\Windows\DWM registry paths.

<!-- This configuration detects when Darkwatchman RAT writes data to the HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM and HKEY_USERS\<SID>\Software\Microsoft\Windows\DWM registry paths-->

<RuleGroup groupRelation="or">
 <RegistryEvent onmatch="include">
	<TargetObject condition="contains">\Software\Microsoft\Windows\DWM</TargetObject>
 </RegistryEvent>
</RuleGroup>

5. Switch to the folder with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

6. Add the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file within the <ossec_config> block to capture and forward Sysmon event logs to the Wazuh server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

7. Restart the Wazuh agent to apply the configuration changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect the DarkWatchman RAT behavior on infected Windows endpoints.

1. Add the rules below to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="darkwatchman_rat,">

  <!-- C Drive Defender Exclusion -->
  <rule id="100801" level="12">
    	<if_sid>61603</if_sid>
    	<field name="win.eventdata.image" type="pcre2">powershell.exe</field>
    	<field name="win.eventdata.parentImage" type="pcre2">cmd.exe</field>
    	<field name="win.eventdata.commandLine" type="pcre2">-ExclusionPath</field>
    	<field name="win.eventdata.commandLine" type="pcre2">C:</field>
    	<description>Suspicious activity detected. The 'C' drive was added to the Windows Defender exclusion list.</description>
    	<mitre>
    	<id>T1562.001</id>
  	<id>T1059.001</id>
    	</mitre>
  </rule>

  <!-- wscript.exe spawned from command shell -->
  <rule id="100802" level="12">
    	<if_sid>61603</if_sid>
    	<field name="win.eventdata.parentImage" type="pcre2">cmd.exe</field>
    	<field name="win.eventdata.image" type="pcre2">wscript.exe</field>
    	<field name="win.eventdata.commandLine" type="pcre2">jscript</field>
    	<description>Possible DarkWatchman RAT activity detected. wscript.exe spawned from command shell (cmd.exe).</description>
    	<mitre>
    	<id>T1059.007 </id>
    	</mitre>
  </rule>

  <!-- js file created -->
  <rule id="100803" level="12">
    	<if_group>sysmon_event_11</if_group>
    	<field name="win.eventdata.image" type="pcre2">(?i)\\wscript\.exe</field>
    	<field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\(Windows\\\\Temp|Users).+\.js</field>
    	<description>Possible DarkWatchman RAT activity detected. A suspicious .js file $(win.eventdata.targetFilename) was created in Windows Temp or Users folder by wsript.exe.</description>
    	<mitre>
    	<id>T1059.007</id>
    	</mitre>
  </rule>

  <!-- DLL side-loading through the execution of "regsvr32.exe" as a child process of "wscript.exe. -->
  <rule id="100804" level="12">
    	<if_group>sysmon_event1</if_group>
    	<field name="win.eventdata.parentImage" type="pcre2">(?i)\\wscript\.exe</field>
    	<field name="win.eventdata.image" type="pcre2">(?i)\\regsvr32\.exe</field>
    	<field name="win.eventdata.commandLine" type="pcre2">.dll</field>
    	<field name="win.eventdata.parentCommandLine" type="pcre2">jscript</field>
    	<description>Possible DarkWatchman RAT activity detected. DLL side-loading with regsvr32.exe</description>
    	<mitre>
    	<id>T1059.005</id>
    	</mitre>
  </rule>

  <!-- js file execution-->
  <rule id="100805" level="4">
    	<if_group>sysmon_event1</if_group>
    	<if_sid>92069</if_sid>
    	<field name="win.eventdata.image" type="pcre2">(?i)\\wscript\.exe</field>
    	<field name="win.eventdata.commandLine" type="pcre2">.js</field>
    	<description>Possible DarkWatchman RAT activity detected. Suspicious .js file executed.</description>
    	<mitre>
    	<id>T1059.001</id>
    	</mitre>
  </rule>

  <!-- data written to DWM registry-->
  <rule id="100806" level="15" ignore="120">
    	<if_sid>61615</if_sid>
    	<field name="win.eventdata.targetObject" type="pcre2">Microsoft\\\\Windows\\\\DWM</field>
    	<description>DarkWatchman RAT activity detected. Data written to DWM registry path</description>
  </rule>

</group>

Where:

Rule ID 100801 detects when the DarkWatchman RAT creates a Windows Defender exclusion for the C: drive.
Rule ID 100802 detects when wscript.exe is spawned from a command shell.
Rule ID 100803 detects when the DarkWatchman RAT creates a JavaScript .js file in the C:\Users\<USERNAME>\AppData\Local\Temp\ folder.
Rule ID 100804 detects DLL side-loading through the execution of regsvr32.exe as a child process of wscript.exe.
Rule ID 100805 detects when the DarkWatchman RAT executes the JavaScript file.
Rule ID 100806 detects when the DarkWatchman RAT writes data to the Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM registry.

NOTE: Due to the frequency of DarkWatchman RAT writing data to registry values, rule 100806 can cause agent event queue flooding.

2. Restart the Wazuh manager to apply the configuration changes:

# systemctl restart wazuh-manager

Detection results

From the Agents tab in your Wazuh dashboard, select the Windows endpoint and navigate to the Security events tab to view the generated alerts.

The screenshot below shows the alerts generated on the Wazuh dashboard when the DarkWatchman RAT is executed on the victim endpoint.

Conclusion

In this blog post, we demonstrated how to detect DarkWatchman RAT activities with Wazuh. We utilized Sysmon to enrich logs from the victim endpoint and created rules to detect malicious activities associated with Darkwatchman RAT. We also configured FIM to monitor and generate alerts when Darkwatchman RAT writes data to a registry path it targets.

By leveraging Wazuh capabilities, organizations can effectively detect suspicious and malicious attacks that employ unconventional evasion techniques. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.

References

Sophisticated DarkWatchMan RAT Spreads Through Phishing Sites

DarkWatchman RAT detection with Wazuh

DarkWatchman RAT behavior

VirusTotal integration

Windows endpoint

Wazuh server

Detection results

Windows Registry monitoring

Detection results

Windows endpoint

Wazuh server

Detection results

Filtering security data with the Wazuh Query Language

Wazuh signs a partnership agreement with Actarvs

Detecting Living Off the Land attacks with Wazuh

Wazuh and Diamatix Forge Strategic Partnership to Bolster Cybersecurity Solutions