(profero.io) Analysis of WindowsAudit: A Modular
-
(profero.io) Analysis of WindowsAudit: A Modular .NET RAT Leveraging Discord, MQTT, and Telegram for C2 Operations
New .NET RAT "WindowsAudit" (v1.5.77) leverages Discord, MQTT, and Telegram C2 channels for stealthy ops, targeting orgs with credential theft, AD abuse, and EDR bypass tactics.
In brief - A sophisticated .NET RAT, WindowsAudit.exe, uses multiple C2 channels (Discord, MQTT, Telegram) to evade detection. It operates with LocalSystem privileges, employs advanced persistence, steals credentials, abuses Active Directory, and disables EDR solutions via Safe Mode reboots. Surveillance and lateral movement capabilities are also present.
Technically - WindowsAudit.exe is a modular .NET 8 RAT with a statically-linked native loader executing an embedded managed DLL. Persistence is achieved via Windows Service (WinSATSvc.exe), WMI subscriptions, registry run keys, and scheduled tasks for Safe Mode recovery. C2 communication uses Discord (primary), MQTT (secondary), and Telegram (fallback). Evasion includes Hell’s Gate (userland hook bypass), in-process AMSI/ETW patches, and targeted EDR removal. Credential access involves LSASS dumping, DPAPI theft, and Kerberos attacks (Kerberoasting, AS-REP roasting). AD abuse covers discovery, ACL manipulation, and delegation abuse. Execution primitives include interactive shells, SMB remote execution, APC injection, and parent PID spoofing. Monitor for service anomalies, Defender exclusions, Safe Mode pivots, and Discord/MQTT egress traffic.
-
R relay@relay.infosec.exchange shared this topic
