Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. RunningRAT request parameters

RunningRAT request parameters

Back
Idbaedfdf4-7cc8-45a1-81a9-065821628b83
RulenameRunningRAT request parameters
DescriptionThis detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.

Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.
SeverityHigh
TacticsExfiltration
CommandAndControl
TechniquesT1041
T1071.001
Required data connectorsCheckPoint
Fortinet
PaloAltoNetworks
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
Version1.0.2
Arm templatebaedfdf4-7cc8-45a1-81a9-065821628b83.json
Deploy To Azure
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)

relevantTechniques:
- T1041
- T1071.001
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DestinationIP
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
- entityType: URL
  fieldMappings:
  - columnName: RequestURL
    identifier: Url
version: 1.0.2
id: baedfdf4-7cc8-45a1-81a9-065821628b83
severity: High
kind: Scheduled
queryFrequency: 1d
description: |
  'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.
  Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.'  
metadata:
  source:
    kind: Community
  support:
    tier: Community
  author:
    name: Thomas McElroy
  categories:
    domains:
    - Security - Others
requiredDataConnectors:
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
triggerOperator: gt
name: RunningRAT request parameters
tactics:
- Exfiltration
- CommandAndControl
tags:
- POLONIUM
triggerThreshold: 0
queryPeriod: 1d
query: |
  let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
  CommonSecurityLog
  | where RequestMethod == "GET"
  | project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
  | where RequestURL has_any (runningRAT_parameters)  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml