feat: new rules related to rat software based on SigmaHQ#2841

Korving-F · Dec 23, 2022 · 21f5bf8 · 21f5bf8
1 parent 2714600
commit 21f5bf8
Show file tree

Hide file tree

Showing 3 changed files with 140 additions and 4 deletions.
diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
@@ -0,0 +1,48 @@
+title: Remote Access Tool Services Have Been Installed - Security
+id: c8b00925-926c-47e3-beea-298fd563728e
+related:
+    - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
+      type: similar
+status: experimental
+description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
+references:
+    - https://redcanary.com/blog/misbehaving-rats/
+author: Connor Martin, Nasreddine Bencherchali
+date: 2022/12/23
+tags:
+    - attack.persistence
+    - attack.t1543.003
+    - attack.t1569.002
+logsource:
+    product: windows
+    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
+detection:
+    selection:
+        EventID: 4697
+        ServiceFileName|contains:
+            # Based on https://github.com/SigmaHQ/sigma/pull/2841
+            - 'SSUService'
+            - 'SplashtopRemoteService' # https://www.splashtop.com/
+            - 'Atera'
+            - 'LogMeIn' # https://www.logmein.com/
+            - 'LMIGuardianSvc' # https://www.logmein.com/
+            - 'TeamViewer'
+            - 'RPCService' # https://www.remotepc.com/
+            - 'RPCPerformanceService' # https://www.remotepc.com/
+            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
+            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
+            - 'GoToMyPC' # https://get.gotomypc.com/
+            - 'monblanking'
+            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
+            - 'GoToAssist' # https://www.goto.com/it-management/resolve
+            - 'AmmyyAdmin' # https://www.ammyy.com/en/
+            - 'vncserver'
+            - 'Parsec'
+            - 'chromoting'
+            - 'Zoho'
+            - 'jumpcloud'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml b/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml
@@ -0,0 +1,50 @@
+title: Remote Access Tool Services Have Been Installed - System
+id: 1a31b18a-f00c-4061-9900-f735b96c99fc
+related:
+    - id: c8b00925-926c-47e3-beea-298fd563728e
+      type: similar
+status: experimental
+description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
+references:
+    - https://redcanary.com/blog/misbehaving-rats/
+author: Connor Martin, Nasreddine Bencherchali
+date: 2022/12/23
+tags:
+    - attack.persistence
+    - attack.t1543.003
+    - attack.t1569.002
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID:
+            - 7045
+            - 7036
+        ServiceName|contains:
+            # Based on https://github.com/SigmaHQ/sigma/pull/2841
+            - 'SSUService'
+            - 'SplashtopRemoteService' # https://www.splashtop.com/
+            - 'Atera'
+            - 'LogMeIn' # https://www.logmein.com/
+            - 'LMIGuardianSvc' # https://www.logmein.com/
+            - 'TeamViewer'
+            - 'RPCService' # https://www.remotepc.com/
+            - 'RPCPerformanceService' # https://www.remotepc.com/
+            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
+            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
+            - 'GoToMyPC' # https://get.gotomypc.com/
+            - 'monblanking'
+            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
+            - 'GoToAssist' # https://www.goto.com/it-management/resolve
+            - 'AmmyyAdmin' # https://www.ammyy.com/en/
+            - 'vncserver'
+            - 'Parsec'
+            - 'chromoting'
+            - 'Zoho'
+            - 'jumpcloud'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml
@@ -1,4 +1,4 @@
-title: Query To Remote Access Software Domain
+title: DNS Query To Remote Access Software Domain
 id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
 related:
     - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
@@ -17,9 +17,9 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
     - https://redcanary.com/blog/misbehaving-rats/
-author: frack113
+author: frack113, Connor Martin
 date: 2022/07/11
-modified: 2022/10/31
+modified: 2022/12/23
 tags:
     - attack.command_and_control
     - attack.t1219
@@ -34,6 +34,44 @@ detection:
             - '.ammyy.com'
             - '.netsupportsoftware.com' # For NetSupport Manager RAT
             - 'remoteutilities.com' # Usage of Remote Utilities RAT
+            - '.net.anydesk.com'
+            - 'api.playanext.com'
+            - '.relay.splashtop.com'
+            - '.api.splashtop.com'
+            - 'app.atera.com'
+            - '.agentreporting.atera.com'
+            - '.pubsub.atera.com'
+            - 'logmeincdn.http.internapcdn.net'
+            - 'logmein-gateway.com'
+            - 'client.teamviewer.com'
+            - 'integratedchat.teamviewer.com'
+            - 'static.remotepc.com'
+            - '.n-able.com'
+            - 'comserver.corporate.beanywhere.com'
+            - '.swi-rc.com'
+            - '.swi-tc.com'
+            - 'telemetry.servers.qetqo.com'
+            - 'relay.screenconnect.com'
+            - 'control.connectwise.com'
+            - 'express.gotoassist.com'
+            - 'authentication.logmeininc.com'
+            - '.services.vnc.com'
+            - '.tmate.io'
+            - 'api.parsec.app'
+            - 'parsecusercontent.com'
+            - 'remotedesktop-pa.googleapis.com'
+            - '.logmein-gateway.com'
+            - 'secure.logmeinrescue.com'
+            - 'join.zoho.com'
+            - 'assist.zoho.com'
+            - '.zohoassist.com'
+            - 'downloads.zohocdn.com'
+            - 'agent.jumpcloud.com'
+            - 'kickstart.jumpcloud.com'
+            - 'cdn.kaseya.net'
+            - 'relay.kaseya.net'
+            - 'license.bomgar.com'
+            - '.beyondtrustcloud.com'
     filter:
         # Exclude browsers for legitimate visits of the domains mentioned above
         # Add missing browsers you use and exclude the ones you don't
@@ -50,5 +88,5 @@ detection:
             - '\CCleaner Browser\Application\CCleanerBrowser.exe'
     condition: selection and not filter
 falsepositives:
-    - FP may be caused in legitimate usage of the softwares mentioned above
+    - Legitimate usage of the softwares mentioned above
 level: medium