Threat Hunting
May 13
Threat Hunting
Threat Hunting - Hunting for Konni RAT with Elastic
At SofectaLabs, we don’t stop at surface-level alerts — we dive deeper to uncover underlying threats, as we mentioned in the previous blog post. While many detection systems rely on known indicators and rigid signatures, we believe true defense requires depth, context, and proactive exploration. Our focus is on identifying what hides in the noise — and one of the threats that exemplifies this stealth is Konni RAT.
In this post, we’ll walk you through how Konni operates, its evolution into a stealthy, fileless espionage tool, and most importantly, how you can detect it using Elastic Stack through Windows telemetry, process logs, and DNS/proxy activity. All detection logic is tied back to MITRE ATT&CK techniques, so you can operationalize it effectively.
Konni in the Wild: More Than Just a RAT
Konni RAT has been quietly active since at least 2014. Tied to North Korean APT groups like Kimsuky and APT37, it’s been deployed in targeted attacks against government, diplomatic, and defense organizations.
It typically arrives through spear-phishing emails disguised as official correspondence, often with themes impersonating embassies or political groups. Recent variants (2022–2025) have demonstrated a sharp evolution, featuring:
- Malicious LNK files padded with whitespace to hide commands
- Script-based infection chains using PowerShell, batch, and VBScript
- AES-encrypted configurations tied to runtime decryption via service names
- Anti-analysis tactics such as crashing when executed incorrectly (e.g., via rundll32.exe)
- Use of LOLBins like wscript.exe, certutil.exe, and powershell.exe
In many ways, Konni reflects a modern fileless attack chain—built to blend in, persist quietly, and exfiltrate data without setting off alarms.
Breaking Down the Attack Chain
Before we can detect Konni, we need to understand how it is deployed. Let’s break down each stage of the attack chain.
Threat Hunting for Konni RAT with Elastic Stack
Detecting Konni RAT requires hunting for subtle behaviors across host and network telemetry. In this section, we provide concrete strategies and ES|QL queries for threat hunters using the Elastic Stack to uncover Konni’s presence within your enviornment.
The following ESQL queries are generic and might not fit your Elastic normalization to match the fields, make sure you update them accordingly.
Initial Access
MITRE Tactic: Initial Access (TA0001)
MITRE Techniques: T1203 , T1204.002
Description:
Users are tricked into opening malicious .docx, .pptx, or .lnk files, which contain embedded macros or shortcuts triggering code execution.
Detection Focus: Office Applications Spawning Script Interpreters
ESQL Query:
FROM winlogbeat-*
| WHERE winlog.event_id == 1 // Process Create
AND process.parent.name IN ("WINWORD.EXE","POWERPNT.EXE","EXCEL.EXE")
AND process.name IN ("cmd.exe","powershell.exe","wscript.exe","cscript.exe")
| KEEP timestamp, host.name, user.name, process.parent.name, process.name, process.args
| SORT timestamp desc
Execution & Obfuscation
MITRE Tactics: Execution (TA0002), Defense Evasion (TA0005)
MITRE Techniques: T1059.001 (PowerShell), T1059.005 (VBScript), T1027 (Obfuscated Files), T1140 (Deobfuscate/Decode Files)
Description:
Scripts executed by cmd.exe or wscript.exe launch PowerShell or obfuscated scripts. Payloads may be encoded using Base64, XOR, or AES. Decoy documents are dropped to distract the user.
Detection Focus:
* PowerShell Obfuscation
* Task Scheduler Invocation
* certutil.exe Usage
ESQL Queries:
// PowerShell from Task Scheduler
FROM winlogbeat-*
| WHERE winlog.channel == "Microsoft-Windows-TaskScheduler/Operational"
AND winlog.event_id == 106
AND message LIKE "%PowerShell%"
| KEEP timestamp, host.name, user.name, message
// broad search for certutil decoding/downloading
FROM winlogbeat-*
| WHERE process.name == "certutil.exe"
| KEEP timestamp, host.name, user.name, process.parent.name, process.args
Payload Deployment
MITRE Tactics: Execution (TA0002), Defense Evasion (TA0005)
MITRE Techniques: T1204, T1027
Description:
Core payloads are written to disk or memory. Obfuscation mechanisms help evade static and behavioral detection. Scripts may clean up artifacts to reduce forensic evidence.
(*No exclusive ESQL detection provided — covered by execution + PowerShell activity above*)
Persistence & Masquerading
MITRE Tactics: Persistence (TA0003), Privilege Escalation (TA0004), Masquerading (T1036)
MITRE Techniques: T1547.001, T1543.003, T1053, T1548.002
Description:
The malware persists through Registry autoruns, fake Windows services with system-like names, UAC bypass, and scheduled task creation.
Detection Focus:
* Registry autoruns via .vbs or .bat
* Suspicious services running from non-standard paths
* Scheduled task creation pointing to script interpreters
ESQL Queries:
// Registry autorun
FROM winlogbeat-*
| WHERE winlog.channel == "Microsoft-Windows-Sysmon/Operational"
AND winlog.event_id == 13
AND winlog.event_data.TargetObject LIKE "%\\CurrentVersion\\Run\\%"
AND winlog.event_data.Details != null
AND (winlog.event_data.Details LIKE "%.vbs" OR winlog.event_data.Details LIKE "%.bat")
| KEEP timestamp, host.name, user.name, process.name, winlog.event_data.TargetObject, winlog.event_data.Details
| SORT timestamp desc
// Suspicious services
FROM winlogbeat-*
| WHERE winlog.channel == "System"
AND winlog.event_id == 7045
AND winlog.event_data.BinaryPathName != null
AND NOT winlog.event_data.BinaryPathName LIKE "C:\\Windows\\%"
| KEEP timestamp, host.name, user.name, winlog.event_data.ServiceName, winlog.event_data.BinaryPathName, winlog.event_data.ServiceStartType
| SORT timestamp desc
// Scheduled tasks running PowerShell
FROM winlogbeat-*
| WHERE winlog.channel == "Microsoft-Windows-TaskScheduler/Operational"
AND winlog.event_id == 106
AND message LIKE "%PowerShell%"
| KEEP timestamp, host.name, user.name, message
Command & Control (C2)
MITRE Tactic: Command and Control (TA0011)
MITRE Techniques: T1071.001, T1573, T1078, T1041
Description:
Payloads establish outbound encrypted connections over HTTPS. Some use dynamically generated domains or compromised websites. In cloud environments, stolen credentials may be abused.
Detection Focus:
* DNS requests to known C2 domains
* HTTP/S requests to suspicious script locations
* Unusual authentication patterns in cloud services
ESQL Queries:
// Known malicious DNS queries
FROM dns_logs*
| WHERE dns.question.name IN ("shaira1885.com", "pactchfilepacks.net23.net")
| KEEP timestamp, client.ip, dns.question.name, dns.resolved_ip
// Suspicious web paths in HTTP/S logs
FROM proxy_logs*
| WHERE url.path LIKE "%wp-admin/includes%" OR url.path LIKE "%uploadtm.php%"
| KEEP timestamp, client.ip, user.name, url.full, response.status_code, bytes_out
// Impossible travel (cloud credential abuse)
FROM azure_signin_logs*
| WHERE result_type == "Success"
| STATS uniq_countries = CARDINALITY(terms(location.country_or_region))
BY user.principalName, date_trunc('day', timestamp)
| WHERE uniq_countries > 1
Post-Infection Cloud Behavior
Konni may attempt to escalate from endpoint to cloud once credentials are stolen. Watch for:
- Azure AD impossible travel – same user logging in from different countries within a short window
- Suspicious app grants – OAuth tokens issued to unknown clients
- Legacy protocol abuse – IMAP or POP used unexpectedly
When correlated with endpoint infections, these signals often indicate adversary lateral movement or account takeover.
From Hypothesis to Hunt
Konni isn’t just another RAT. It’s a case study in stealth: blending scripting, abuse of legitimate binaries, and adaptive execution to stay hidden from traditional defenses. But stealth doesn’t mean invisible.
With host, network, and identity telemetry, and the flexible capabilities of Elastic Stack, defenders can catch even advanced threats like Konni — often at their most vulnerable moments.
At SofectaLabs, our job isn’t just to respond. It’s to go looking — using automation, data correlation, and deep TTP knowledge to uncover what others miss.
