1/22 November 16, 2022 Inside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html By Splunk Threat Research Team November 16, 2022 Agent Tesla is a remote access trojan (RAT) written for the .NET framework that has knowingly been in operation since 2014. Threat actors behind this malware have leveraged many different methods to deliver their payload over time including macro enabled Word documents, Microsoft Office vulnerabilities, OLE objects and most recently, compiled HTML help files. Agent Tesla has been in the top 10 most submitted samples in known open malware source repositories in cyber security communities like Malware Bazaar and Any.run. It is a full-featured RAT with multiple ways to exfiltrate organization data through keylogging, screen captures, credential stealing and much more.  In this blog post, the Splunk Threat Research Team (STRT) describes the different tactics, techniques and procedures mapped to the ATT&CK framework leveraged by this remote access trojan. Additionally, we will highlight the detection analytics we released that can help cyber defenders in identifying signs of compromise. Analysis Identification of Samples https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html https://www.splunk.com/en_us/blog/author/secmrkt-research.html https://www.splunk.com/en_us/blog/author/secmrkt-research.html 2/22 For this analysis, the STRT started the journey with a sample uploaded by JAMESWT_MHT on August 31st to Malware Bazaar. This sample led us to the “ftp-boloni-ma” tag that compiles several samples of a campaign leveraging the Agent Tesla malware. Specifically, this campaign used a malicious compiled HTML (.CHM) file as a delivery method to drop and execute its first and second stages and load the remote access trojan.  High level flow of process execution for this sample is shown on Figure 1: Figure 1.1 shows the list of hashes that have this tag. Security teams that would like to understand how the execution of compiled HTML files looks like against their prevention or detection controls, we recommend having a look at the AtomicTestHarness for CHM and the Atomic Red Team technique T1218.001 built by the Red Canary team. T1566.001 - Spear Phishing Attachment https://twitter.com/JAMESWT_MHT/status/1564978411436736512?s=20&t=c6HRwWIpc2WYV9ld6S_62g https://bazaar.abuse.ch/ https://bazaar.abuse.ch/browse/tag/ftp-boloni-ma/ https://app.any.run/tasks/803bc852-0431-41b2-8270-9c7635ed9cf6/ https://github.com/redcanaryco/AtomicTestHarnesses https://github.com/redcanaryco/AtomicTestHarnesses/tree/master/Windows/TestHarnesses/T1218.001_CompiledHTMLFile https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md 3/22 This Agent Tesla variant uses a compiled HTML file (.chm) to conceal its malicious code and gain an initial foothold on the victim endpoint. The file has an embedded and obfuscated JavaScript script that invokes PowerShell to download a second stage. Figure 1.1 shows the .chm file loading upon execution. Figure 1.2 shows the obfuscated and deobfuscated versions of the embedded Javascript code. Once executed, it will invoke PowerShell.exe to download extra content from the Internet using the System.Net WebClient class and the DownloadString method. https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient?view=net https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-6.0 4/22 The Loader T1059.001 - Command and Scripting Interpreter: PowerShell The downloaded file, disguised as a text .txt file, is in reality a PowerShell script shown on Figure 2. This obfuscated second stage script is the one responsible for loading the actual Agent Tesla malware in memory.  The variable named $TzbW contains a string that when deobfuscated, implements the tMCfkSD function also shown on Figure 2. This function will in turn deobfuscate and decompress the array of bytes stored in the variable named $zmOo. This deobfuscated and decompressed version is the actual .NET assembly Agent Tesla malware that will be executed in memory using PowerShell reflection. Figure 2 shows the main parts of this second stage component and the gzip decompression function. 5/22 Figure 2.1 shows a screenshot of a simple python script we wrote to deobfuscate the PowerShell function Agent Tesla’s second stage uses to decompress and deobfuscate the binary stored in the $zmOo array byte variable. The python script can be found on Github agent_function_loader_deobfus.py This loader will deobfuscate and load the Agent Tesla malware in memory stream using .NET Reflection. This part of its execution can be considered as fileless malware since it doesn't drop the AgentTesla malware on the disk but executes it in memory stream. Figure 2.2 shows the python script we wrote to extract the actual AgentTesla malware binary. This python script will drop the Agent Tesla malware as agent_unpack.bin in the current working directory. The script can be found on Github agent_function_loader_deobfus2.py. https://github.com/tccontre/KnowledgeBase/blob/main/malware_re_tools/AgentTesla-%20Loader/agent_function_loader_deobfus.py https://github.com/tccontre/KnowledgeBase/blob/main/malware_re_tools/AgentTesla-%20Loader/agent_function_loader_deobfus2.py 6/22 Agent Tesla Analysis Packer/ Obfuscator The Agent Tesla sample extracted in the second stage component is a .NET compiled binary obfuscated with the opensource Obfuscar .NET obfuscator. Using the DIE tool we can identify the obfuscation method and the compilation type of this file in Figure 3. Adversaries will pack or obfuscate their payloads in hope that it evades critical controls like mail gateways, sandboxes and anti-virus software. https://github.com/obfuscar/obfuscar https://github.com/horsicq/DIE-engine/releases 7/22 Discovery - TA0007 T1033 - System Owner/User Discovery On every check in to the command and control server (via the FTP, HTTP or SMTP protocols), this Agent Tesla sample parses and submites the user name, computer name, operating system version and total physical memory of the compromised endpoint. 8/22 Execution - TA0002 T1204.002 - Malicious File This particular Agent Tesla sample includes the ability to download a remote file from one of its C2 servers and save it to the hardcoded path “%temp%\LUU”. The final step of the function will also execute the downloaded file. Unfortunately the URL was inaccessible as of writing. Figure 4 9/22 Figure 4 shows the code snippet of how it captures the system information of the compromised machine as part of its C2 communication. Persistence - TA0003 T1547.001 - Registry Run / Startup Folder If enabled, Agent Tesla has two built in persistence mechanisms to be able to load itself upon boot. It is either by dropping a copy of itself in the %startup folder% or by adding registry run keys.  Figure 5.1 and Figure 5.2 shows a short code snippet how it can create Registry Run Keys and possible entry on startup folder for its persistence(T1547.001). Figure 5.1 10/22 Credential Access - TA0006 Agent Tesla implements several techniques to collect sensitive information on the compromised endpoint. T1555.003 - Credentials from Web Browsers The first technique is parsing credentials or sensitive browser data.  Agent Tesla includes a list of targeted browsers to parse the login credentials, browser cookies, browser profiles and grab browser .sqlite database files. Figure 6 shows a short code snippet of the function renamed as “mw_parsing_browser_db” that contains the list of browsers that Agent Tesla attempts to parse or copy the “cookies.sqlite” database file. Below is a complete table list of targeted browsers. Targeted Browsers (Browser Name, Browsers Target Directory) "Firefox", "%APPDATA%\\Mozilla\\Firefox\\" "IceCat", "%APPDATA%\\Mozilla\\icecat\\" "PaleMoon", "%APPDATA%\\Moonchild Productions\\Pale Moon\\" "SeaMonkey", "%APPDATA%\\Mozilla\\SeaMonkey\\" "Flock", "%APPDATA%\\Flock\\Browser\\" "K-Meleon", "%APPDATA%\\K-Meleon\\" "Postbox", "%APPDATA%\\Postbox\\" "Thunderbird", "%APPDATA%\\Thunderbird\\" Figure 5.2 11/22 "IceDragon", "%APPDATA%\\Comodo\\IceDragon\\" "WaterFox", "%APPDATA%\\Waterfox\\" "BlackHawk", "%APPDATA%\\NETGATE Technologies\\BlackHawk\\" "CyberFox", "%APPDATA%\\8pecxstudios\\Cyberfox\\" "Opera Browser", "%APPDATA%\\Opera Software\\Opera Stable" "Yandex Browser", "%APPDATA%\\Yandex\\YandexBrowser\\User Data" "Iridium Browser", "%APPDATA%\\Iridium\\User Data" "Chromium", "%APPDATA%\\Chromium\\User Data" "7Star", "%APPDATA%\\7Star\\7Star\\User Data" "Torch Browser", "%APPDATA%\\Torch\\User Data" "Cool Novo", "%APPDATA%\\MapleStudio\\ChromePlus\\User Data" "Kometa", "%APPDATA%\\Kometa\\User Data" "Amigo", "%APPDATA%\\Amigo\\User Data" "Brave", "%APPDATA%\\BraveSoftware\\Brave-Browser\\User Data" "CentBrowser", "%APPDATA%\\CentBrowser\\User Data" "Chedot", "%APPDATA%\\Chedot\\User Data" "Orbitum", "%APPDATA%\\Orbitum\\User Data" "Sputnik", "%APPDATA%\\Sputnik\\Sputnik\\User Data" "Comodo Dragon", "%APPDATA%\\Comodo\\Dragon\\User Data" "Vivaldi", "%APPDATA%\\Vivaldi\\User Data" "Citrio", "%APPDATA%\\CatalinaGroup\\Citrio\\User Data" "360 Browser", "%APPDATA%\\360Chrome\\Chrome\\User Data" "Uran", "%APPDATA%\\uCozMedia\\Uran\\User Data" "Liebao Browser", "%APPDATA%\\liebao\\User Data" "Elements Browser", "%APPDATA%\\Elements Browser\\User Data" "Epic Privacy", "%APPDATA%\\Epic Privacy Browser\\User Data" "Coccoc", "%APPDATA%\\CocCoc\\Browser\\User Data" "Sleipnir 6", "%APPDATA%\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer" "Opera", "%APPDATA%\\Opera Software\\Opera Stable" "Comodo Dragon", "%APPDATA%\\"Comodo\\Dragon\\User Data" "Chrome", "%APPDATA%\\Google\\Chrome\\User Data" "Yandex", "%APPDATA%\\"Yandex\\YandexBrowser\\User Data" "SRWare Iron", "%APPDATA%\\"Chromium\\User Data" "Torch Browser", "%APPDATA%\\"Torch\\User Data" "Brave Browser", "%APPDATA%\\"BraveSoftware\\Brave-Browser\\User Data" "CoolNovo", "%APPDATA%\\"MapleStudio\\ChromePlus\\User Data" "7Star", "%APPDATA%\\"7Star\\7Star\\User Data" "Epic Privacy Browser", "%APPDATA%\\"Epic Privacy Browser\\User Data" "Amigo", "%APPDATA%\\"Amigo\\User Data" "CentBrowser", "%APPDATA%\\"CentBrowser\\User Data" "CocCoc", "%APPDATA%\\"CocCoc\\Browser\\User Data" "Chedot", "%APPDATA%\\"Chedot\\User Data" "Elements Browser", "%APPDATA%\\"Elements Browser\\User Data" "Kometa", "%APPDATA%\\"Kometa\\User Data" "Citrio", "%APPDATA%\\"CatalinaGroup\\Citrio\\User Data" "Coowon", "%APPDATA%\\"Coowon\\Coowon\\User Data" "Liebao Browser", "%APPDATA%\\"liebao\\User Data" "QIP Surf", "%APPDATA%\\"QIP Surf\\User Data" "QQ Browser", "%APPDATA%\\"Tencent\\QQBrowser\\User Data" "UC Browser", "%APPDATA%\\"UCBrowser\\" "Orbitum", "%APPDATA%\\"Orbitum\\User Data" 12/22 "Sputnik", "%APPDATA%\\"Sputnik\\Sputnik\\User Data" "uCozMedia", "%APPDATA%\\"uCozMedia\\Uran\\User Data" "Vivaldi", "%APPDATA%\\"Vivaldi\\User Data" "QIP Surf", "%APPDATA%\\QIP Surf\\User Data" "Coowon", "%APPDATA%\\Coowon\\Coowon\\User Data" T1555.005 - Password Managers Aside from stealing browser secrets, it also attempts to steal passwords from commonly used applications like OpenVpn, FileZilla and Mailbird. It accomplishes this by reading registry entries, decrypting/decoding or parsing local databases or by reading configuration files. The table below is the list of the targeted applications that are related to this data collection. OPEN VPN FLASHFXP WINSCP NORDVPN IE EDGE PALE MOON FTP CMDER ICECAT INCREDIMAIL PIA  CYBERFOX POC MAIL POSTBOX OUTLOOK FTP GETTER RimArts MAILBIRD FLOCK BROWSER OPERA QQBROWSER WS_FTP MS CREDENTIALS ManagerMULTI-VNC THUNDERBIRD UC BROWSERS MYSQL WORKBENCH FALKON APPLE KEYCHAIN WATERFOX JDOWNLOADER DB SMARTFTP TRILLIAN COREFTPCLAWS MAIL FILEZILLA AEROFOX BLACKHAWK EM CLIENT SEA MONKEY ICE DRAGON PSI DOWNLOADMGR K-MELEON FTP NAVI UBATMAILBIRD T1056.001 - KeyLogging This Agent Tesla sample is also capable of installing a Keylogger on the compromised host. It uses the SetWindowsHookEx Windows API to install a hook procedure that monitors low- level keyboard input events. Figure 7 shows the code snippet where it setup the windows hook procedure for keyboard events. 13/22 Command And Control - TA0011 T1090.003 - TOR Proxy Agent Tesla also uses TOR proxy for its HTTP requests. It tries to download a TOR application on a specific TOR website. Figure 8 shows its function that downloads the TOR browser that will be saved as “tor.zip” file in the%appdata% folder. Collection - TA0009 T1113 - Screen Capture Figure 9 shows the code snippet of how Agent Tesla software captures the desktop screenshot of the compromised machine and it will be saved in the memory stream and later sent to its C2 server. Figure 7 Figure 8 14/22 Exfiltration - TA0010 T1041 - Exfiltration Over C2 Channel During analysis of this Agent Tesla sample it was identified to have 3 ways to exfiltrate stolen sensitive information of the compromised host. The exfiltrated data may be either sent via FTP, SMTP and HTTP command and control server. Figure 10 shows the code snippet on how the agent will set up each method to exfiltrate data. Figure 9 15/22 The remote C2 server was down during the analysis of this sample. STRT experimented with its SMTP communication to be able to see how the exfiltrated data looks like on the attacker side. We used a fake SMTP server by rnwood (smtp4dev) to forward all the exfiltrated data of this sample. Attacker Perspective Data Exfiltration Figure 11 shows the email sent by the Agent Tesla to the fake SMTP server containing a .zip file attachment with the filename format “CO_/ .zip”.  This .zip file contains the collected browser data, which in our case is the cookie.sqlite file.   https://github.com/rnwood/smtp4dev 16/22 In addition, it includes the basic system information which is the UserName, ComputerName, OSFullName, CPU and RAM. Figure 12 shows the email sent by the Agent Tesla malware related to the desktop screenshots of the compromised machine. We can see that it has same format email body  that contain system information, except that the format of the desktop screenshot .jpeg file is “SC_/.jpeg” Figure 11 Figure 12 17/22 Lastly Figure 13.1 (notepad++) and 13.2 (firefox) shows the email sent by this sample during our testing related to its keylogging feature. This malware checks if the log.tmp (keylog file) in %temp% exists; if not, it will directly send the keystroke that keylogs in its C2, in this case via SMTP. Below shows the couple of keys typed by the user and the process related to that keystroke. Figure 13.1 18/22 For this type of exfiltration the subject of the email has a format of “KL_/”. Detections Below is the table list for detections that the STRT developed to identify possible Agent Tesla behavior and malicious .chm behavior.  Type  Name Technique ID Tactic Description TTP Detect Html Help Spawn Child Process T1218.001 Defense Evasion The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. Anomaly Excessive Usage Of Taskkill T1562.001 Defense Evasion This analytic identifies excessive usage of taskkill.exe application. Figure 13.2 https://research.splunk.com/endpoint/723716de-ee55-4cd4-9759-c44e7e55ba4b/ https://attack.mitre.org/techniques/T1218/001/ https://attack.mitre.org/tactics/TA0005 https://research.splunk.com/endpoint/fe5bca48-accb-11eb-a67c-acde48001122/ https://attack.mitre.org/techniques/T1562/001/ https://attack.mitre.org/tactics/TA0005 19/22 TTP Executables Or Script Creation In Suspicious Path T1036 Defense Evasion This analytic will identify suspicious executable or scripts (known file extensions) in a list of suspicious file paths in Windows. Anomaly Non Chrome Process Accessing Chrome Default Dir T1555.003 Credential Access This search is to detect an anomaly event of a non- chrome process accessing the files in chrome user default folder. Anomaly Non Firefox Process Access Firefox Profile Dir T1555.003 Credential Access This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder. TTP Office Application Drop Executable T1566.001 Initial Access This search is to detect a suspicious MS office application that drops or creates executables or scripts in a Windows Operating System. TTP Office Application Spawn Rundll32 Process T1566.001 Initial Access This detection was designed to identify suspicious spawned processes of known MS office applications due to macro or malicious code. TTP Office Document Executing Macro Code T1566.001 Initial Access this detection was designed to identifies suspicious office documents   that using macro code. Hunting Powershell Connect To Internet With Hidden Window T1059 Execution The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. https://research.splunk.com/endpoint/a7e3f0f0-ae42-11eb-b245-acde48001122/ https://attack.mitre.org/techniques/T1036/ https://attack.mitre.org/tactics/TA0005 https://research.splunk.com/endpoint/81263de4-160a-11ec-944f-acde48001122/ https://attack.mitre.org/techniques/T1555/003/ https://attack.mitre.org/tactics/TA0006 https://research.splunk.com/endpoint/e6fc13b0-1609-11ec-b533-acde48001122/ https://attack.mitre.org/techniques/T1555/003/ https://attack.mitre.org/tactics/TA0006 https://research.splunk.com/endpoint/73ce70c4-146d-11ec-9184-acde48001122/ https://attack.mitre.org/techniques/T1566/001/ https://attack.mitre.org/tactics/TA0001 https://research.splunk.com/endpoint/958751e4-9c5f-11eb-b103-acde48001122/ https://attack.mitre.org/techniques/T1566/001/ https://attack.mitre.org/tactics/TA0001 https://research.splunk.com/endpoint/b12c89bc-9d06-11eb-a592-acde48001122/ https://attack.mitre.org/techniques/T1566/001/ https://attack.mitre.org/tactics/TA0001 https://research.splunk.com/endpoint/ee18ed37-0802-4268-9435-b3b91aaa18db/ https://attack.mitre.org/techniques/T1059/ https://attack.mitre.org/tactics/TA0002 20/22 TTP Scheduled Task Deleted Or Created Via Cmd T1053.005 Execution, Persistence, Privilege Escalation The following analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line. TTP Suspicious Process File Path T1543 Execution, Persistence, Privilege Escalation The following analytic will detect a suspicious process running in a file path where a process is not commonly seen and is most commonly used by malicious software. TTP Detect Html Help Spawn Child Process T1218.001 Defense Evasion The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. TTP Registry Keys Used For Persistence (mod) T1546.012 Persistence, Privilege Escalation This search looks for modifications to registry keys that can be used to elevate privileges. Hunting Windows Iso Lnk File Creation (mod) T1566.001 Initial Access The following analytic identifies the use of a delivered ISO file that has been mounted and the aforementioned lnk or file opened within it. Hunting Windows Phishing Recent Iso Exec Registry (mod) T1566.001 Initial Access The following hunting analytic identifies registry artifacts when an ISO container is opened, clicked or mounted on the Windows operating system. TTP Powershell Loading Dotnet Into Memory Via Reflection (mod) T1059.001 Execution The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. https://research.splunk.com/endpoint/d5af132c-7c17-439c-9d31-13d55340f36c/ https://attack.mitre.org/techniques/T1053/005/ https://attack.mitre.org/tactics/TA0002 https://attack.mitre.org/tactics/TA0003 https://attack.mitre.org/tactics/TA0004 https://research.splunk.com/endpoint/9be25988-ad82-11eb-a14f-acde48001122/ https://attack.mitre.org/techniques/T1543/ https://attack.mitre.org/tactics/TA0002 https://attack.mitre.org/tactics/TA0003 https://attack.mitre.org/tactics/TA0004 https://research.splunk.com/endpoint/723716de-ee55-4cd4-9759-c44e7e55ba4b/ https://attack.mitre.org/techniques/T1218/001/ https://attack.mitre.org/tactics/TA0005 https://research.splunk.com/endpoint/c9f4b923-f8af-4155-b697-1354f5bcbc5e/ https://attack.mitre.org/techniques/T1546/012/ https://attack.mitre.org/tactics/TA0003 https://attack.mitre.org/tactics/TA0004 https://research.splunk.com/endpoint/d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32/ https://attack.mitre.org/techniques/T1566/001/ https://attack.mitre.org/tactics/TA0001 https://research.splunk.com/endpoint/cb38ee66-8ae5-47de-bd66-231c7bbc0b2c/ https://attack.mitre.org/techniques/T1566/001/ https://attack.mitre.org/tactics/TA0001 https://research.splunk.com/endpoint/85bc3f30-ca28-11eb-bd21-acde48001122/ https://attack.mitre.org/techniques/T1059/001/ https://attack.mitre.org/tactics/TA0002 21/22 Hunting Windows File Transfer Protocol In Non Common Process Path(new) T1071.003 Command and Control The following analytic identifies a possible windows application having a FTP connection  in a non common installation path in windows operating system. Anomaly Windows Mail Protocol In Non Common Process Path (new) T1071.003 Command and Control The following analytic identifies a possible windows application having a SMTP connection  in a non common installation path in windows operating system. Anomaly Windows Multi Hop Proxy Tor Website Query (new) T1071.003 Command and Control The following analytic identifies a dns query to a known TOR proxy website. Automate with SOAR Playbooks  All of the previously listed detections create entries in the risk index by default, and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. The community Splunk SOAR playbooks below can also be used in conjunction with some of the previously described analytics: Playbook Description Internal Host SSH Investigate Investigate an internal *nix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity and network activity. This includes the process list, login history, cron jobs and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review. Internal Host WinRM Investigate Performs a general investigation on key aspects of a windows device using windows remote management. Important files related to the endpoint are generated, bundled into a zip, and copied to the container vault. Delete Detected Files This playbook acts upon events where a file has been determined to be malicious (ie webshells being dropped on an end host). Before deleting the file, we run a “more” command on the file in question to extract its contents. We then run a delete on the file in question. https://research.splunk.com/endpoint/0f43758f-1fe9-470a-a9e4-780acc4d5407/ https://attack.mitre.org/techniques/T1071/003/ https://attack.mitre.org/tactics/TA0011 https://research.splunk.com/endpoint/ac3311f5-661d-4e99-bd1f-3ec665b05441/ https://attack.mitre.org/techniques/T1071/003/ https://attack.mitre.org/tactics/TA0011 https://research.splunk.com/endpoint/4c2d198b-da58-48d7-ba27-9368732d0054/ https://attack.mitre.org/techniques/T1071/003/ https://attack.mitre.org/tactics/TA0011 https://docs.splunk.com/Documentation/ESSOC/3.51.0/user/Useplaybookpack?_gl=1*1exyg5h*_ga*MTI4MTM3OTkzNi4xNjI2MDI5MzQx*_gid*MTA5MjE4ODYwMi4xNjY3MjM1MTk1*_ga_5EPM2P39FV*MTY2NzIzNTE5NS43OS4xLjE2NjcyMzUyMTAuNDUuMC4w&_ga=2.84261913.1092188602.1667235195-1281379936.1626029341 https://research.splunk.com/playbooks/internal_host_ssh_investigate https://research.splunk.com/playbooks/internal_host_winrm_investigate https://research.splunk.com/playbooks/delete_detected_files/ 22/22 Why Should You Care? With this article the Splunk Threat Research Team (STRT) enables security analysts, blue teamers and Splunk customers to identify the Agent Tesla tactics, techniques and procedures. By understanding its behaviors, we were able to generate telemetry and datasets to develop and test Splunk detections designed to defend and respond against this type of threats. Learn More You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.  For a full list of security content, check out the release notes on Splunk Docs. Feedback Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack. Contributors We would like to thank Teoderick Contreras, Michael Haag, Mauricio Velazco and Lou Stella for their contributions to this post. https://www.splunk.com/en_us/customers.html https://github.com/splunk/security-content/releases/tag/v3.12.0 https://splunkbase.splunk.com/app/3449/ https://splunkbase.splunk.com/app/3435/ https://docs.splunk.com/Documentation/ESSOC/3.21.0/RN/Enhancements https://docs.splunk.com/Documentation/ESSOC https://splunk-usergroups.slack.com/ https://docs.splunk.com/Documentation/Community/1.0/community/Chat https://twitter.com/tccontre18 https://twitter.com/M_haggis https://twitter.com/mvelazco mailto:lstella@splunk.com