RunningRAT request parameters
| Id | baedfdf4-7cc8-45a1-81a9-065821628b83 |
| Rulename | RunningRAT request parameters |
| Description | This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host. |
| Severity | High |
| Tactics | Exfiltration CommandAndControl |
| Techniques | T1041 T1071.001 |
| Required data connectors | CheckPoint Fortinet PaloAltoNetworks Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml |
| Version | 1.0.1 |
| Arm template | baedfdf4-7cc8-45a1-81a9-065821628b83.json |
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)
triggerOperator: gt
queryFrequency: 1d
description: |
'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication
presence of this alert means the RunningRAT implant is likely still executing on the source host.'
version: 1.0.1
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: Fortinet
dataTypes:
- CommonSecurityLog
- connectorId: CheckPoint
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
queryPeriod: 1d
name: RunningRAT request parameters
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
id: baedfdf4-7cc8-45a1-81a9-065821628b83
tags:
- POLONIUM
tactics:
- Exfiltration
- CommandAndControl
metadata:
source:
kind: Community
author:
name: Thomas McElroy
categories:
domains:
- Security - Others
support:
tier: Community
relevantTechniques:
- T1041
- T1071.001
severity: High
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SourceIP
entityType: IP
- fieldMappings:
- identifier: Address
columnName: DestinationIP
entityType: IP
- fieldMappings:
- identifier: HostName
columnName: SourceHostName
entityType: Host
- fieldMappings:
- identifier: Url
columnName: RequestURL
entityType: URL
query: |
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
"properties": {
"alertRuleTemplateName": "baedfdf4-7cc8-45a1-81a9-065821628b83",
"customDetails": null,
"description": "'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication\npresence of this alert means the RunningRAT implant is likely still executing on the source host.'\n",
"displayName": "RunningRAT request parameters",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DestinationIP",
"identifier": "Address"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SourceHostName",
"identifier": "HostName"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "RequestURL",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml",
"query": "let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);\nCommonSecurityLog\n| where RequestMethod == \"GET\"\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\n| where RequestURL has_any (runningRAT_parameters)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Exfiltration"
],
"tags": [
"POLONIUM"
],
"techniques": [
"T1041",
"T1071"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}