SafeBreach Labs has updated the Hacker's Playbook™ with new simulations for attacks described in US-CERT Alert AR18-352A. The alert centers on a legitimate open-source remote administration tool (RAT) referred to as “Quasar,” which has been observed being used maliciously by Advanced Persistent Threat (APT) actors to facilitate network exploitation.

Quasar uses a client-server architecture that enables one user to remotely access many clients. The server is responsible for creating client binaries and managing client connections. Users then interact with connected clients through the server’s graphical user interface (GUI).

These common attacks have been proven across healthcare, finance, government, and defense industries. Their widespread availability presents a challenge for network defense and threat-actor attribution. SafeBreach recommends all industries and businesses simulate the tools described in this alert to identify whether or not they are protected against these attacks.

To assess security control effectiveness against these techniques, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Newly developed playbook methods related to AR18-352A

Playbook #2134 - Transfer of QuasarRAT v1.3.0.0 over HTTP/S (Lateral Movement)

  • Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #2135 - Email QuasarRAT v1.3.0.0 as a ZIP attachment (Infiltration)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #2136 - Email QuasarRAT v1.3.0.0 as a ZIP attachment (Lateral Movement)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #2137 - Write of QuasarRAT to disk (Host-Level)

  • Endpoint Controls - Are security controls or hardening in place to prevent saving the malicious files to local disk?

Playbook #2138 - Transfer of QuasarRAT v1.3.0.0 over HTTP/S (Infiltration)

  • Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #2140 - Communication with C&C using QuasarRAT v1.3.0.0 Protocol (Infiltration)

  • Network Controls - Are security controls in place to prevent the C&C communication from taking place?

Existing playbook methods related to AR18-352A

Playbook #1269 - Creating a Windows scheduled task (schtasks) (Host-Level)

  • Endpoint Controls - Are security controls or hardening in place to prevent creation of Windows scheduled tasks?
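A simple way to verify the endpoint side of this check is to confirm that scheduled-task creation is actually being logged and surfaced. Windows records each new task in the Security log as Event ID 4698, whose TaskContent field carries the task's XML definition. The script below is an added example, not SafeBreach's or the Quasar project's code: it reads a JSON-shaped export of Security-log records (the sample records are constructed for this example), counts 4698 events, and flags tasks whose Exec command points into user-writable locations, which is where a dropped RAT binary would typically be launched from.

```python
"""Check exported Windows Security-log records for scheduled-task creation (Event ID 4698).

Added example; the events below are constructed, not real log data.
"""
import re
import xml.etree.ElementTree as ET

# Paths a standard user can write to; a task whose command lives here deserves review.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)

# Constructed sample records, shaped like a JSON export of Security-log events.
SAMPLE_EVENTS = [
    {
        "EventID": 4698,
        "SubjectUserName": "alice",
        "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
        "TaskContent": "<Task><Actions><Exec><Command>%windir%\\system32\\defrag.exe"
                       "</Command></Exec></Actions></Task>",
    },
    {
        "EventID": 4698,
        "SubjectUserName": "bob",
        "TaskName": "\\Updater",
        "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\bob\\AppData\\Roaming\\svc.exe"
                       "</Command></Exec></Actions></Task>",
    },
    {"EventID": 4624, "SubjectUserName": "bob"},  # a logon event, ignored by the scan
]


def exec_commands(task_xml):
    """Return every Exec/Command value in a 4698 TaskContent blob.

    The '{*}' wildcard matches the real Task Scheduler XML namespace as well as
    namespace-free XML like the constructed samples above.
    """
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return []
    return [c.text.strip() for c in root.iterfind(".//{*}Command") if c.text]


def task_creation_count(events):
    """How many scheduled-task creations the log export contains at all."""
    return sum(1 for e in events if e.get("EventID") == 4698)


def scan_events(events):
    """Flag 4698 events whose task runs a command from a user-writable path."""
    findings = []
    for e in events:
        if e.get("EventID") != 4698:
            continue
        for cmd in exec_commands(e.get("TaskContent", "")):
            if USER_WRITABLE.search(cmd):
                findings.append({
                    "task": e.get("TaskName"),
                    "user": e.get("SubjectUserName"),
                    "command": cmd,
                })
    return findings


if __name__ == "__main__":
    print(f"scheduled-task creations seen: {task_creation_count(SAMPLE_EVENTS)}")
    for f in scan_events(SAMPLE_EVENTS):
        print(f"review: {f['task']} created by {f['user']} runs {f['command']}")
```

If `task_creation_count` returns zero after a simulation that creates a task, the problem is audit policy or log forwarding rather than the detection rule; auditing of "Other Object Access Events" must be enabled for 4698 to be written at all.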

Playbook #272 - QuasarRAT Communication and Remote Shell (Lateral Movement)

  • Network Controls - Are security controls in place to prevent the C&C communication from taking place?

Playbook #1057 - QuasarRAT Communication and Remote Shell (Infiltration)

  • Network Controls - Are security controls in place to prevent the C&C communication from taking place?

Additional breach methods added recently include:
