RunningRAT request parameters
Id | baedfdf4-7cc8-45a1-81a9-065821628b83 |
Rulename | RunningRAT request parameters |
Description | This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host. |
Severity | High |
Tactics | Exfiltration CommandAndControl |
Techniques | T1041 T1071.001 |
Required data connectors | CheckPoint Fortinet PaloAltoNetworks Zscaler |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml |
Version | 1.0.1 |
Arm template | baedfdf4-7cc8-45a1-81a9-065821628b83.json |
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)
severity: High
triggerThreshold: 0
metadata:
source:
kind: Community
support:
tier: Community
categories:
domains:
- Security - Others
author:
name: Thomas McElroy
queryFrequency: 1d
requiredDataConnectors:
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: Fortinet
dataTypes:
- CommonSecurityLog
- connectorId: CheckPoint
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
id: baedfdf4-7cc8-45a1-81a9-065821628b83
version: 1.0.1
name: RunningRAT request parameters
kind: Scheduled
query: |
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
queryPeriod: 1d
relevantTechniques:
- T1041
- T1071.001
triggerOperator: gt
tactics:
- Exfiltration
- CommandAndControl
tags:
- POLONIUM
description: |
'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication
presence of this alert means the RunningRAT implant is likely still executing on the source host.'
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIP
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DestinationIP
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: SourceHostName
- entityType: URL
fieldMappings:
- identifier: Url
columnName: RequestURL
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "RunningRAT request parameters",
"description": "'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication\npresence of this alert means the RunningRAT implant is likely still executing on the source host.'\n",
"severity": "High",
"enabled": true,
"query": "let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);\nCommonSecurityLog\n| where RequestMethod == \"GET\"\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\n| where RequestURL has_any (runningRAT_parameters)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Exfiltration",
"CommandAndControl"
],
"techniques": [
"T1041",
"T1071.001"
],
"alertRuleTemplateName": "baedfdf4-7cc8-45a1-81a9-065821628b83",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"columnName": "DestinationIP",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"columnName": "SourceHostName",
"identifier": "HostName"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"columnName": "RequestURL",
"identifier": "Url"
}
],
"entityType": "URL"
}
],
"tags": [
"POLONIUM"
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml",
"templateVersion": "1.0.1"
}
}
]
}