Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. RunningRAT request parameters

RunningRAT request parameters

Back
Idbaedfdf4-7cc8-45a1-81a9-065821628b83
RulenameRunningRAT request parameters
DescriptionThis detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.

Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.
SeverityHigh
TacticsExfiltration
CommandAndControl
TechniquesT1041
T1071.001
Required data connectorsCheckPoint
Fortinet
PaloAltoNetworks
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
Version1.0.2
Arm templatebaedfdf4-7cc8-45a1-81a9-065821628b83.json
Deploy To Azure
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
queryPeriod: 1d
kind: Scheduled
name: RunningRAT request parameters
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: DestinationIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: RequestURL
    identifier: Url
  entityType: URL
tactics:
- Exfiltration
- CommandAndControl
description: |
  'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.
  Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.'  
severity: High
metadata:
  categories:
    domains:
    - Security - Others
  support:
    tier: Community
  source:
    kind: Community
  author:
    name: Thomas McElroy
tags:
- POLONIUM
requiredDataConnectors:
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
queryFrequency: 1d
triggerThreshold: 0
version: 1.0.2
query: |
  let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
  CommonSecurityLog
  | where RequestMethod == "GET"
  | project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
  | where RequestURL has_any (runningRAT_parameters)  
relevantTechniques:
- T1041
- T1071.001
id: baedfdf4-7cc8-45a1-81a9-065821628b83
triggerOperator: gt