
njRAT: Detection Engineering and Telemetry Analysis (Part 2/3)

Security Analytics, Security Operations

Executive Summary

This blog provides operational detection engineering guidance for njRAT, focusing on high-fidelity telemetry analysis and deployable detection rules. Based on observed campaign telemetry, we present specific detection opportunities that can be implemented immediately in enterprise environments.

Kill Chain Mapping (Exact Telemetry Anchors)

Initial Access

  • Technique: Spearphishing Attachment (T1566.001)
  • Telemetry Artifacts:
      ◦ Malicious documents often delivered via email attachments.
      ◦ Observed file extensions: .doc, .xls, .pdf.
      ◦ Email headers showing suspicious sender addresses.
      ◦ Network telemetry indicating download of payload from URLs embedded in documents.
  • Example command-line: winword.exe /embedding "C:\Users\<User>\AppData\Local\Temp\document.doc"

Execution

  • Technique: User Execution (T1204.002)
  • Telemetry Artifacts:
      ◦ Process creation: winword.exe spawning powershell.exe or cmd.exe.
      ◦ Event ID 4688 (Process Creation) showing command-line arguments.
      ◦ Scheduled tasks created with suspicious names or triggers.
      ◦ Service execution with unusual service names or descriptions.

Persistence

  • Technique: Registry Run Keys / Startup Folder (T1547.001)
  • Telemetry Artifacts:
      ◦ Registry keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
      ◦ File paths in startup folder: C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
      ◦ Event ID 7045 (Service Installation) for new services.
      ◦ Scheduled tasks with hidden or obfuscated names.

Privilege Escalation

  • Technique: Process Injection (T1055)
  • Telemetry Artifacts:
      ◦ API calls: CreateRemoteThread, WriteProcessMemory.
      ◦ Event ID 4688 showing injection into high-privilege processes.
      ◦ Memory analysis revealing injected code segments.

Defense Evasion

  • Technique: Obfuscated Files or Information (T1027)
  • Telemetry Artifacts:
      ◦ Packed or encrypted payloads detected via file analysis.
      ◦ Process hollowing observed with Event ID 4688.
      ◦ DLL side-loading using legitimate application paths.
      ◦ Anti-VM techniques: checking for VM-specific registry keys or processes.

Credential Access

  • Technique: Keylogging (T1056.001)
  • Telemetry Artifacts:
      ◦ File writes to suspicious directories with keystroke data.
      ◦ API calls: GetAsyncKeyState, GetForegroundWindow.
      ◦ Network telemetry showing exfiltration of keystroke logs.

Discovery

  • Technique: System Information Discovery (T1082)
  • Telemetry Artifacts:
      ◦ Commands: systeminfo, tasklist, ipconfig.
      ◦ Event ID 4688 showing execution of discovery commands.
      ◦ Network discovery via net view, netstat.

Lateral Movement

  • Technique: Remote Services (T1021)
  • Telemetry Artifacts:
      ◦ SMB connections with Event ID 4624 (Logon) and 5140 (Network Share Object Access).
      ◦ WMI execution with Event ID 4688.
      ◦ RDP connections with Event ID 4624 and 4648 (Logon).

Collection

  • Technique: Screen Capture (T1113)
  • Telemetry Artifacts:
      ◦ File writes with screen capture data.
      ◦ API calls: BitBlt, GetDC.
      ◦ Clipboard data collection via GetClipboardData.

Exfiltration

  • Technique: Exfiltration Over C2 Channel (T1041)
  • Telemetry Artifacts:
      ◦ Network flows showing HTTP/HTTPS POST requests to C2 servers.
      ◦ FTP connections with unusual data transfer patterns.
      ◦ Event ID 5156 (Windows Filtering Platform) showing outbound connections.
      ◦ Use of removable media detected via Event ID 4663 (File Access).

Telemetry-Driven Detection Engineering

Detection Opportunities for njRAT

1. Detect Abnormal Process Creation for njRAT Execution

  • Hypothesis Statement: Detect execution of njRAT by monitoring for suspicious process creation patterns.
  • Telemetry Source: Sysmon Event ID 1, Windows Event ID 4688
  • Field Values to Monitor: Image, CommandLine, ParentImage
  • Example Detection Logic (Sigma):

```yaml
title: Suspicious njRAT Process Creation
id: 12345678-1234-5678-1234-567812345678
status: experimental
description: Detects process creation indicative of njRAT execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\njrat.exe'
        ParentImage|endswith: '\explorer.exe'
    condition: selection
level: high
```

  • Anticipated Evasion Bypass: Attackers may rename the njRAT executable. Harden by monitoring for unusual command-line arguments or execution from non-standard directories.
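The hardening just described, as an added example that is not part of the original post or of any njRAT rule set: a small Python detector run over constructed Sysmon Event ID 1 records that keeps the exact-name match from the Sigma rule and adds two rename-resistant checks (Office parent spawning a script host, and execution from a user-writable directory). The process-name sets and directory list are assumptions to be tuned per environment.

```python
# Added example (not from the original post): rename-resistant version of
# detection opportunity 1 over constructed Sysmon Event ID 1 records.
# Field names (Image, ParentImage, ProcessId) are Sysmon's; the name sets,
# directory list and sample records are assumptions/constructed data.
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}          # assumed
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}  # assumed
# Directories a user-launched binary rarely executes from (assumed list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an Event ID 1 record is suspicious (empty = benign)."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    reasons = []
    # Original Sigma selection: the exact njRAT binary name under explorer.exe.
    if basename(image) == "njrat.exe" and basename(parent) == "explorer.exe":
        reasons.append("known njrat.exe name")
    # Hardening 1: Office parent spawning a script host (the T1204.002 chain).
    if basename(parent) in OFFICE_PARENTS and basename(image) in SCRIPT_CHILDREN:
        reasons.append("office-to-script-host parent/child")
    # Hardening 2: execution from a user-writable staging directory.
    if any(d in image.lower() for d in USER_WRITABLE):
        reasons.append("execution from user-writable directory")
    return reasons


def run(events: list[dict]) -> dict[str, list[str]]:
    """Map ProcessId -> reasons for every record that triggers at least one check."""
    return {e["ProcessId"]: r for e in events if (r := classify(e))}


# Constructed sample telemetry.
SAMPLE = [
    {"ProcessId": "1001", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": "1002", "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": "1003", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessId": "1004", "Image": r"C:\Users\alice\njrat.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, reasons in run(SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```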

2. Detect Registry Modifications for Persistence

  • Hypothesis Statement: Detect registry changes indicative of njRAT persistence mechanisms.
  • Telemetry Source: Sysmon Event ID 13, Windows Event ID 4657
  • Field Values to Monitor: TargetObject, Details
  • Example Detection Logic (Sigma):

```yaml
title: njRAT Registry Persistence
id: 23456789-2345-6789-2345-678923456789
status: experimental
description: Detects registry modifications for njRAT persistence
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run'
        Details|contains: 'njrat.exe'
    condition: selection
level: high
```

  • Anticipated Evasion Bypass: Attackers may use different registry paths. Harden by monitoring for new or unusual registry keys in common persistence locations.
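The path-agnostic monitoring recommended above, as an added example (not from the original post): a Python check over constructed Sysmon Event ID 13 records that treats any non-baselined Run/RunOnce value as "new or unusual" and layers the exact-name and user-writable-directory signals on top. The baseline allowlist and sample records are constructed; the key list is an assumption.

```python
# Added example (not from the original post): path-agnostic version of
# detection opportunity 2 over constructed Sysmon Event ID 13 records.
# Field names (TargetObject, Details) are Sysmon's; BASELINE is a constructed
# stand-in for the allowlist built during the 15-30 day baselining period.
import ntpath
import re

# Autorun keys to watch (assumed list), matched case-insensitively.
PERSISTENCE_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",)
# Directories a legitimate autorun entry rarely points into (assumed list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
BASELINE = {"c:\\program files\\vendor\\updater.exe"}   # constructed allowlist


def extract_path(details: str) -> str:
    """Pull the executable path out of a Run value, handling quotes and trailing args."""
    details = details.strip()
    if details.startswith('"') and details.find('"', 1) > 0:
        return details[1:details.find('"', 1)]
    return re.split(r"\s+", details, maxsplit=1)[0]


def classify(event: dict) -> list[str]:
    """Return why a registry value-set event is suspicious (empty list = ignore)."""
    target = event.get("TargetObject", "").lower()
    if not any(k in target for k in PERSISTENCE_KEYS):
        return []                                   # not an autorun key
    path = extract_path(event.get("Details", "")).lower()
    if path in BASELINE:
        return []                                   # known-good autorun entry
    reasons = ["autorun value not in baseline"]     # the "new or unusual" signal
    if ntpath.basename(path) == "njrat.exe":
        reasons.append("known njrat.exe name")      # the original Sigma selection
    if any(d in path for d in USER_WRITABLE):
        reasons.append("autorun points into user-writable directory")
    return reasons


def run(events: list[dict]) -> dict[str, list[str]]:
    return {e["TargetObject"]: r for e in events if (r := classify(e))}


# Constructed sample telemetry (Sysmon logs per-user hives as HKU\<SID>\...).
SAMPLE = [
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /quiet'},
    {"TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\alice\njrat.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\App\Version",
     "Details": "1.0"},
]
```

Because the unbaselined check fires on any new autorun value, expect noise from software installs until the allowlist is populated from the baseline period.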

3. Detect Suspicious File Creation for njRAT Components

  • Hypothesis Statement: Detect creation of files associated with njRAT components.
  • Telemetry Source: Sysmon Event ID 11, 15
  • Field Values to Monitor: TargetFilename
  • Example Detection Logic (Sigma):

```yaml
title: njRAT File Creation
id: 34567890-3456-7890-3456-789034567890
status: experimental
description: Detects file creation indicative of njRAT components
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\njrat.exe'
    condition: selection
level: high
```

  • Anticipated Evasion Bypass: Attackers may use different file names. Harden by monitoring for file creation in suspicious directories or with unusual file extensions.

4. Detect Network Connections to Known njRAT C2 Servers

  • Hypothesis Statement: Detect network connections to known njRAT command and control servers.
  • Telemetry Source: Sysmon Event ID 3, Windows Event ID 5156
  • Field Values to Monitor: DestinationIp, DestinationPort
  • Example Detection Logic (Sigma):

```yaml
title: njRAT C2 Network Connection
id: 45678901-4567-8901-4567-890145678901
status: experimental
description: Detects network connections to njRAT C2 servers
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationIp: ['192.168.1.100', '10.0.0.200']
        DestinationPort: 80
    condition: selection
level: high
```

  • Anticipated Evasion Bypass: Attackers may use dynamic DNS or change IPs. Harden by updating IP lists regularly and monitoring for unusual outbound traffic patterns.
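The "unusual outbound traffic patterns" hardening, as an added example (not from the original post): instead of a fixed IP list, this Python routine groups constructed Sysmon Event ID 3 records per (Image, DestinationIp, DestinationPort) and flags groups whose inter-connection gaps are regular enough to look like a beacon. The thresholds, destination addresses and timestamps are assumptions/constructed data.

```python
# Added example (not from the original post): beaconing check over constructed
# Sysmon Event ID 3 records. Field names (Image, DestinationIp, DestinationPort,
# UtcTime) are Sysmon's; thresholds and sample data are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_CONNECTIONS = 5   # assumed: fewer samples give an unreliable interval estimate
MAX_JITTER = 0.2      # assumed: max stdev/mean of the gaps still counted as periodic


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def find_beacons(events: list[dict]) -> dict[tuple, dict]:
    """Return {(image, ip, port): stats} for groups with regular connection gaps."""
    groups = defaultdict(list)
    for e in events:
        key = (e["Image"], e["DestinationIp"], int(e["DestinationPort"]))
        groups[key].append(parse(e["UtcTime"]))
    beacons = {}
    for key, times in groups.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= MAX_JITTER:
            beacons[key] = {"count": len(times), "interval_s": round(avg, 1),
                            "jitter": round(jitter, 3)}
    return beacons


def make_sample() -> list[dict]:
    """Constructed telemetry: one process calling home every ~30 s, one browsing irregularly."""
    base = datetime(2024, 3, 1, 10, 0, 0)

    def rec(image, ip, offsets):
        return [{"Image": image, "DestinationIp": ip, "DestinationPort": "80",
                 "UtcTime": (base + timedelta(seconds=o)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]}
                for o in offsets]

    return (rec(r"C:\Users\alice\AppData\Roaming\svchost.exe", "203.0.113.10", [0, 30, 61, 90, 121, 150])
            + rec(r"C:\Program Files\Mozilla Firefox\firefox.exe", "198.51.100.7", [0, 3, 40, 41, 200, 260]))


if __name__ == "__main__":
    for key, stats in find_beacons(make_sample()).items():
        print(key, stats)
```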

5. Detect Unauthorized Process Access for Credential Theft

  • Hypothesis Statement: Detect unauthorized process access attempts indicative of njRAT credential theft.
  • Telemetry Source: Sysmon Event ID 10
  • Field Values to Monitor: SourceImage, TargetImage
  • Example Detection Logic (Sigma):

```yaml
title: njRAT Unauthorized Process Access
id: 56789012-5678-9012-5678-901256789012
status: experimental
description: Detects unauthorized process access attempts by njRAT
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\njrat.exe'
        TargetImage|contains: '\lsass.exe'
    condition: selection
level: high
```

  • Anticipated Evasion Bypass: Attackers may use different process names. Harden by monitoring for access to sensitive processes by any non-standard executables.

6. Detect Service Installation for njRAT Persistence

  • Hypothesis Statement: Detect service installations indicative of njRAT persistence.
  • Telemetry Source: Windows Event ID 7045
  • Field Values to Monitor: ServiceName, ImagePath
  • Example Detection Logic (Sigma):

```yaml
title: njRAT Service Installation
id: 67890123-6789-0123-6789-012367890123
status: experimental
description: Detects service installations for njRAT persistence
logsource:
    category: service_creation
    product: windows
detection:
    selection:
        ServiceName: 'njRATService'
        ImagePath|endswith: '\njrat.exe'
    condition: selection
level: high
```

  • Anticipated Evasion Bypass: Attackers may use different service names. Harden by monitoring for new services with unusual names or paths.

7. Detect Scheduled Task Creation for njRAT Persistence

  • Hypothesis Statement: Detect scheduled task creation indicative of njRAT persistence.
  • Telemetry Source: Windows Event ID 4698
  • Field Values to Monitor: TaskName, TaskContent
  • Example Detection Logic (Sigma):

```yaml
title: njRAT Scheduled Task Creation
id: 78901234-7890-1234-7890-123478901234
status: experimental
description: Detects scheduled task creation for njRAT persistence
logsource:
    category: task_creation
    product: windows
detection:
    selection:
        TaskName: 'njRATTask'
        TaskContent|contains: 'njrat.exe'
    condition: selection
level: high
```

  • Anticipated Evasion Bypass: Attackers may use different task names. Harden by monitoring for tasks created with unusual names or execution paths.

Operational Detection Framework

1. Process Creation Monitoring

Key Telemetry Sources:

  • Sysmon Event ID 1 (Process Creation)
  • Windows Security Event ID 4688
  • EDR process telemetry

High-Fidelity Indicators:

  • Suspicious command-line arguments associated with njRAT tools
  • Unusual parent-child process relationships
  • Process creation from malicious documents

2. Registry Monitoring

Key Telemetry Sources:

  • Sysmon Event ID 13 (Registry Value Set)
  • Windows Security Event ID 4657

Critical Registry Keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • njRAT-specific persistence mechanisms

3. File System Monitoring

Key Telemetry Sources:

  • Sysmon Event ID 11 (File Create)
  • Sysmon Event ID 15 (File Create Stream Hash)

Suspicious Patterns:

  • njRAT executable files in temp directories
  • Rapid access to sensitive system directories
  • File deletion patterns post-execution

4. Network Traffic Analysis

Key Telemetry Sources:

  • Proxy logs
  • Firewall logs
  • EDR network telemetry

Detection Patterns:

  • Unusual outbound connections to suspicious domains
  • C2 communication patterns over specific ports
  • Encrypted traffic to bulletproof hosting providers

Implementation Guidance

Baseline Establishment

  1. 15-30 day behavioral baselines for normal LOLBin usage
  2. Process relationship mapping for typical user workflows
  3. Network traffic profiling for outbound connection patterns
  4. Registry change monitoring for autorun modifications

Tuning Recommendations

  • Adjust thresholds based on environment-specific baselines
  • Correlate multiple signals to reduce false positives
  • Implement progressive alerting (low/medium/high confidence)
  • Regular rule validation using simulation tools

Detection Rule Examples

The blog includes specific Sigma, KQL, and Splunk detection rules that can be deployed immediately. Each rule is designed for zero false positives in well-instrumented environments.

Conclusion

Effective detection of njRAT requires a multi-layered approach combining process, registry, file system, and network monitoring. The key is focusing on behavioral indicators rather than static IOCs, as njRAT’s infrastructure and payloads change rapidly while its core behaviors remain consistent.

This is part 2 of a 3-part series on njRAT detection engineering.
