Title :
RAT-based malicious activities detection on enterprise internal networks
Author :
Masahiro Yamada;Masanobu Morinaga;Yuki Unno;Satoru Torii;Masahiko Takenaka
Author_Institution :
Managed Security Division, Fujitsu Limited, Kawasaki, Japan
Abstract :
The detection of APT has recently become an urgent problem that needs to be resolved. Attackers use Remote Access Trojans/Remote Administration Tools (RATs), which often bypass general security measures, and traditional detection techniques do not consider the reconnaissance activities that follow a RAT infection. For this paper we analyzed the behavior of that reconnaissance so that RAT-based malicious activities on internal networks can be distinguished from the operations of normal users. Based on the features of these behaviors, we propose a detection technique that monitors communications on internal networks and extracts the communication sequences of the reconnaissance. Our evaluation showed that the proposed technique detects 99.26 % of the experimental reconnaissance communications generated with 34 real RATs (29 families) and 4 SMB-based remote management methods, and also works without false positives on an actual organization's internal network.
Keywords :
"Reconnaissance","Servers","Rats","Internet","Feature extraction","Malware"
Conference_Titel :
Internet Technology and Secured Transactions (ICITST), 2015 10th International Conference for
DOI :
10.1109/ICITST.2015.7412113