RunningRAT request parameters
| Id | baedfdf4-7cc8-45a1-81a9-065821628b83 |
| Rulename | RunningRAT request parameters |
| Description | This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host. |
| Severity | High |
| Tactics | Exfiltration CommandAndControl |
| Techniques | T1041 T1071.001 |
| Required data connectors | CheckPoint Fortinet PaloAltoNetworks Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml |
| Version | 1.0.2 |
| Arm template | baedfdf4-7cc8-45a1-81a9-065821628b83.json |
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: Zscaler
- dataTypes:
- CommonSecurityLog
connectorId: Fortinet
- dataTypes:
- CommonSecurityLog
connectorId: CheckPoint
- dataTypes:
- CommonSecurityLog
connectorId: PaloAltoNetworks
severity: High
kind: Scheduled
name: RunningRAT request parameters
id: baedfdf4-7cc8-45a1-81a9-065821628b83
query: |
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)
queryPeriod: 1d
tags:
- POLONIUM
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
description: |
'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.
Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.'
version: 1.0.2
metadata:
author:
name: Thomas McElroy
support:
tier: Community
source:
kind: Community
categories:
domains:
- Security - Others
triggerThreshold: 0
relevantTechniques:
- T1041
- T1071.001
entityMappings:
- fieldMappings:
- columnName: SourceIP
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DestinationIP
identifier: Address
entityType: IP
- fieldMappings:
- columnName: SourceHostName
identifier: HostName
entityType: Host
- fieldMappings:
- columnName: RequestURL
identifier: Url
entityType: URL
queryFrequency: 1d
triggerOperator: gt
tactics:
- Exfiltration
- CommandAndControl
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
"properties": {
"alertRuleTemplateName": "baedfdf4-7cc8-45a1-81a9-065821628b83",
"customDetails": null,
"description": "'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.\nId the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.'\n",
"displayName": "RunningRAT request parameters",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DestinationIP",
"identifier": "Address"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SourceHostName",
"identifier": "HostName"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "RequestURL",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml",
"query": "let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);\nCommonSecurityLog\n| where RequestMethod == \"GET\"\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\n| where RequestURL has_any (runningRAT_parameters)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"subTechniques": [
"T1071.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Exfiltration"
],
"tags": [
"POLONIUM"
],
"techniques": [
"T1041",
"T1071"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}