SpankRAT Exploits Windows Explorer Processes for Stealth and Delayed Detection + Video

Listen to this Post

🐢▶️ Listen🚀

Introduction

A newly identified two-component Remote Access Trojan (RAT) toolkit built in Rust, dubbed SpankRAT, is being used by threat actors to abuse legitimate Windows processes, bypass reputation-based security controls, and maintain persistent access to compromised environments while largely evading detection on VirusTotal. Because malicious network activity originates from legitimate Windows binaries, the toolkit can evade reputation-based detection controls and be deprioritized during triage, drastically reducing SOC visibility and increasing the risk of missed compromise.

Learning Objectives

• Understand the core evasion mechanisms employed by SpankRAT, including process hollowing and the abuse of trusted Windows executables like `explorer.exe`
  – Learn to detect process injection artifacts using Sysmon Event ID 8 and custom Sigma rules
• Implement defensive hardening measures including Attack Surface Reduction (ASR) rules and memory integrity protections

You Should Know

1. Understanding SpankRAT’s Core Evasion Technique: Process Hollowing

SpankRAT leverages a sophisticated code injection technique known as Process Hollowing (T1055.012) to execute malicious code under the guise of legitimate Windows processes. This technique is particularly effective because the network traffic and system calls originate from a trusted binary, causing security tools to deprioritize or ignore the activity entirely during triage.

Process hollowing works by creating a legitimate Windows process in a suspended state, unmapping (or “hollowing out”) its original executable code from memory, and then writing malicious shellcode into the same memory space before resuming the process. When executed correctly, the malicious code runs under the identity of the trusted parent process—commonly explorer.exe, notepad.exe, or svchost.exe—making behavioral detection exceptionally difficult.

How SpankRAT Implements Process Hollowing:

The Rust-based toolkit follows this sequence:

1. Process Creation: The malware calls `CreateProcessW` with the `CREATE_SUSPENDED` flag to spawn a legitimate Windows binary (e.g., C:\Windows\explorer.exe) in a suspended state.

2. Memory Hollowing: Using `ZwUnmapViewOfSection` or NtUnmapViewOfSection, the malware removes the original executable image from the newly created process’s memory space.

3. Payload Injection: The malicious Rust shellcode is written into the hollowed process memory using `VirtualAllocEx` (with `PAGE_EXECUTE_READWRITE` permissions) followed by WriteProcessMemory.

4. Thread Resumption: `ResumeThread` is called to begin execution of the malicious payload within the trusted process context.

Detection Commands for SOC Analysts:

To detect process hollowing attempts in your environment, deploy Sysmon with configuration that logs process creation and remote thread creation events:

<Sysmon>
<EventFiltering>
<ProcessCreate onmatch="include">
<CommandLine condition="contains">explorer.exe</CommandLine>
</ProcessCreate>
<CreateRemoteThread onmatch="include">
<TargetImage condition="contains">explorer.exe</TargetImage>
</CreateRemoteThread>
</EventFiltering>
</Sysmon>

Query for suspicious `explorer.exe` behavior using PowerShell:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | 
Where-Object {$<em>.Message -like "explorer.exe" -and $</em>.Message -like "suspended"}

1. WebDAV as an Initial Infection Vector for RAT Delivery

Beyond process injection, attackers are increasingly abusing the legacy WebDAV (Web-based Distributed Authoring and Versioning) protocol to deliver SpankRAT and other RAT payloads directly through Windows File Explorer, bypassing traditional browser-based security controls. This technique has been observed in active campaigns since February 2024, with threat actors frequently exploiting Cloudflare Tunnel demo accounts to host malicious WebDAV servers.

The attack chain works as follows:

Step-by-Step WebDAV Exploitation:

1. Victim Receives Malicious Link: An attacker sends a WebDAV URL (e.g., \\malicious-server@SSL\share\payload.exe) via phishing email, instant message, or compromised website.

2. Windows Explorer Auto-Execution: When the victim clicks the link, Windows File Explorer automatically attempts to connect to the WebDAV share using the victim’s NTLM credentials—without any browser-based warnings or sandboxing.

3. Payload Download and Execution: The WebDAV server responds with a malicious executable or LNK shortcut file. Windows Explorer downloads and executes the file with the same privileges as the logged-in user.

4. Persistence and Injection: The initial payload then deploys SpankRAT’s two-component Rust toolkit, which proceeds with process hollowing into `explorer.exe` for long-term stealth.

Detection Rules for WebDAV Abuse:

Monitor for suspicious WebDAV network connections using PowerShell:

Get-NetTCPConnection -State Established | 
Where-Object {$<em>.LocalPort -eq 445 -or $</em>.RemotePort -eq 445} | 
Select-Object LocalAddress, RemoteAddress, OwningProcess

Create a Sigma rule to detect WebDAV-based execution:

title: Suspicious WebDAV Execution via Explorer
status: experimental
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: 'C:\Windows\explorer.exe'
CommandLine|contains:
- '\\@SSL\'
- '\\@80\'
- '\\@443\'
condition: selection

1. Comprehensive Sysmon and EDR Configuration for Injection Detection

Given that SpankRAT’s primary evasion technique relies on process injection, organizations must implement robust logging and detection controls. Sysmon Event ID 8 (CreateRemoteThread) is critical for identifying cross-process thread creation—a hallmark of process injection.

Sysmon Configuration for Production Environments:

Below is a production-ready Sysmon configuration that minimizes noise while capturing malicious injection patterns:

<Sysmon>
<EventFiltering>
<!-- Monitor all process creation -->
<ProcessCreate onmatch="include"/>

<!-- Monitor remote thread creation with filtering -->
<CreateRemoteThread onmatch="exclude">
<!-- Exclude legitimate Windows processes creating threads in themselves -->
<SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
<TargetImage condition="is">C:\Windows\System32\svchost.exe</TargetImage>
</CreateRemoteThread>

<CreateRemoteThread onmatch="include">
<!-- Alert when non-system processes inject into critical system processes -->
<TargetImage condition="contains">explorer.exe</TargetImage>
<SourceImage condition="contains">Temp</SourceImage>
</CreateRemoteThread>

<!-- Process memory access monitoring for credential dumping -->
<ProcessAccess onmatch="include">
<TargetImage condition="contains">lsass.exe</TargetImage>
<CallTrace condition="contains">dbghelp.dll|dbgcore.dll</CallTrace>
</ProcessAccess>
</EventFiltering>
</Sysmon>

Deploy Sysmon using:

 Download latest Sysmon
Invoke-WebRequest -Uri 'https://live.sysinternals.com/Sysmon64.exe' -OutFile "$env:TEMP\Sysmon64.exe"

Install with configuration
& "$env:TEMP\Sysmon64.exe" -accepteula -i sysmon_config.xml

Detecting Process Hollowing via Memory Forensics (Volatility):

For advanced incident response, use Volatility to detect hollowed processes:

 Identify suspicious processes with mismatched PEB information
volatility -f memory.dump --profile=Win10x64_19041 malfind

Dump and analyze the memory of suspicious explorer.exe instances
volatility -f memory.dump --profile=Win10x64_19041 memdump -p 1234 -D ./output/

4. Credential Dumping and Lateral Movement After Injection

Once SpankRAT successfully injects into `explorer.exe` or lsass.exe, the toolkit moves to credential dumping (MITRE T1003) and lateral movement. The Rust-based malware attempts to access the Local Security Authority Subsystem Service (LSASS) process memory to extract plaintext passwords, NTLM hashes, and Kerberos tickets for privilege escalation.

Detection Commands for LSASS Access:

Monitor for unauthorized LSASS process access using built-in Windows auditing:

 Enable LSASS process auditing
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Access" /success:enable

Query for LSASS access events (Event ID 4656)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4656} | 
Where-Object {$<em>.Message -like "lsass.exe"} | 
Select-Object TimeCreated, @{Name='Process';Expression={$</em>.Properties[bash].Value}}, @{Name='Target';Expression={$_.Properties[bash].Value}}

Credential Guard Hardening:

To block credential dumping attempts, enable Microsoft Defender Credential Guard:

 Enable Virtualization-Based Security and Credential Guard
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 1

Reboot to apply changes
Restart-Computer -Force

1. Attack Surface Reduction (ASR) Rules for RAT Mitigation

Microsoft Defender’s Attack Surface Reduction (ASR) rules provide an effective layer of defense against SpankRAT’s process injection and WebDAV delivery techniques. ASR blocks common malware behaviors such as credential theft, Office macro abuse, and suspicious process creation.

Critical ASR Rules to Enable:

| Rule GUID | Rule Description | Protection Against |

|–|–|–|

| `d4f940ab-401b-4efc-aadc-ad5f3c50688a` | Block executable files from running unless they meet prevalence, age, or trusted list criteria | WebDAV-delivered unknown payloads |
| `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Block credential stealing from the Windows local security authority subsystem (lsass.exe) | LSASS credential dumping |
| `be9ba2d9-53ea-4cdc-84e5-9b1eeee46550` | Block process creations originating from PSExec and WMI commands | Lateral movement attempts |

Enable ASR Rules via PowerShell:

 Connect to Defender for Endpoint
Set-MpPreference -EnableControlledFolderAccess Enabled

Enable specific ASR rules
Add-MpPreference -AttackSurfaceReductionRules_Ids "d4f940ab-401b-4efc-aadc-ad5f3c50688a","9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" -AttackSurfaceReductionRules_Actions Enabled

Set ASR to audit mode first to test compatibility
Add-MpPreference -AttackSurfaceReductionRules_Ids "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" -AttackSurfaceReductionRules_Actions AuditMode

Monitoring ASR Block Events:

ASR generates Event ID 1121 for blocks and 1122 for audits. Query these events using PowerShell:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=1121,1122} | 
Select-Object TimeCreated, @{Name='Rule';Expression={$<em>.Properties[bash].Value}}, @{Name='Process';Expression={$</em>.Properties[bash].Value}}

What Undercode Say

• Trusted processes are not inherently safe: SpankRAT demonstrates that security tools relying solely on reputation-based detection fail when malicious activity originates from legitimate Windows binaries like explorer.exe. Behavioral detection and process ancestry analysis are no longer optional.

• Memory forensics and endpoint logging are essential defenses: Organizations without Sysmon, EDR telemetry, or memory capture capabilities will remain blind to process hollowing attacks. Investing in forensic readiness—including Sysmon deployment, Windows Event Log forwarding, and memory acquisition tools—is critical for detecting RATs like SpankRAT before lateral movement occurs.

• WebDAV represents a persistent legacy risk: The continued abuse of the WebDAV protocol for RAT delivery highlights how legacy Windows features become attack surfaces. Blocking outbound WebDAV connections at the firewall or disabling the WebDAV Redirector service (wkssvc and webclient) significantly reduces exposure to this infection vector.

• Rust-based malware is trending upward: SpankRAT’s use of Rust for its two-component architecture reflects a broader shift toward memory-safe languages in malware development, which complicates reverse engineering and static detection. Security teams must update their detection libraries to account for Rust-compiled binaries and their unique import hashing patterns.

• Combined detection strategies win: No single control detects SpankRAT. A layered approach combining Sysmon event monitoring, ASR rules, Credential Guard, WebDAV restrictions, and regular memory forensics exercises provides the best defense against this emerging threat.

Prediction

SpankRAT represents a template for future RAT development: Rust-based, two-component design, process hollowing into explorer.exe, and WebDAV delivery. As source code for these techniques becomes commoditized on underground forums, we expect a surge in low-sophistication threat actors deploying SpankRAT variants. Organizations that fail to implement behavioral detection, restrict WebDAV access, and enable Credential Guard will face significant breach risks. Within six to twelve months, Microsoft will likely release a security update modifying `explorer.exe` integrity checks to detect hollowed processes, but until then, SOC teams must rely on the detection and hardening strategies outlined above.

▶️ Related Video (88% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky