RunningRAT request parameters

Back


Id	baedfdf4-7cc8-45a1-81a9-065821628b83
Rulename	RunningRAT request parameters
Description	This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.
Severity	High
Tactics	Exfiltration CommandAndControl
Techniques	T1041 T1071.001
Required data connectors	CheckPoint Fortinet PaloAltoNetworks Zscaler
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
Version	1.0.1
Arm template	baedfdf4-7cc8-45a1-81a9-065821628b83.json

KQL

let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)

YAML

severity: High
triggerThreshold: 0
metadata:
  source:
    kind: Community
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
  author:
    name: Thomas McElroy
queryFrequency: 1d
requiredDataConnectors:
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
id: baedfdf4-7cc8-45a1-81a9-065821628b83
version: 1.0.1
name: RunningRAT request parameters
kind: Scheduled
query: |
  let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
  CommonSecurityLog
  | where RequestMethod == "GET"
  | project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
  | where RequestURL has_any (runningRAT_parameters)  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
queryPeriod: 1d
relevantTechniques:
- T1041
- T1071.001
triggerOperator: gt
tactics:
- Exfiltration
- CommandAndControl
tags:
- POLONIUM
description: |
  'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication
  presence of this alert means the RunningRAT implant is likely still executing on the source host.'  
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DestinationIP
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: RequestURL

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "RunningRAT request parameters",
        "description": "'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication\npresence of this alert means the RunningRAT implant is likely still executing on the source host.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);\nCommonSecurityLog\n| where RequestMethod == \"GET\"\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\n| where RequestURL has_any (runningRAT_parameters)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "CommandAndControl"
        ],
        "techniques": [
          "T1041",
          "T1071.001"
        ],
        "alertRuleTemplateName": "baedfdf4-7cc8-45a1-81a9-065821628b83",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ],
            "entityType": "URL"
          }
        ],
        "tags": [
          "POLONIUM"
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml",
        "templateVersion": "1.0.1"
      }
    }
  ]
}