Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

RunningRAT request parameters

Back
Idbaedfdf4-7cc8-45a1-81a9-065821628b83
RulenameRunningRAT request parameters
DescriptionThis detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.

Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.
SeverityHigh
TacticsExfiltration
CommandAndControl
TechniquesT1041
T1071.001
Required data connectorsCheckPoint
Fortinet
PaloAltoNetworks
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
Version1.0.2
Arm templatebaedfdf4-7cc8-45a1-81a9-065821628b83.json
Deploy To Azure
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)
requiredDataConnectors:
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
relevantTechniques:
- T1041
- T1071.001
queryFrequency: 1d
id: baedfdf4-7cc8-45a1-81a9-065821628b83
name: RunningRAT request parameters
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
queryPeriod: 1d
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: DestinationIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: RequestURL
    identifier: Url
  entityType: URL
description: |
  'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.
  Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.'  
triggerThreshold: 0
tactics:
- Exfiltration
- CommandAndControl
tags:
- POLONIUM
query: |
  let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
  CommonSecurityLog
  | where RequestMethod == "GET"
  | project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
  | where RequestURL has_any (runningRAT_parameters)  
kind: Scheduled
triggerOperator: gt
metadata:
  support:
    tier: Community
  author:
    name: Thomas McElroy
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
version: 1.0.2
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
      "properties": {
        "alertRuleTemplateName": "baedfdf4-7cc8-45a1-81a9-065821628b83",
        "customDetails": null,
        "description": "'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.\nId the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.'\n",
        "displayName": "RunningRAT request parameters",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml",
        "query": "let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);\nCommonSecurityLog\n| where RequestMethod == \"GET\"\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\n| where RequestURL has_any (runningRAT_parameters)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [
          "T1071.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "tags": [
          "POLONIUM"
        ],
        "techniques": [
          "T1041",
          "T1071"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}