Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

RunningRAT request parameters

Back
Idbaedfdf4-7cc8-45a1-81a9-065821628b83
RulenameRunningRAT request parameters
DescriptionThis detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication

presence of this alert means the RunningRAT implant is likely still executing on the source host.
SeverityHigh
TacticsExfiltration
CommandAndControl
TechniquesT1041
T1071.001
Required data connectorsCheckPoint
Fortinet
PaloAltoNetworks
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
Version1.0.1
Arm templatebaedfdf4-7cc8-45a1-81a9-065821628b83.json
Deploy To Azure
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)
name: RunningRAT request parameters
triggerOperator: gt
relevantTechniques:
- T1041
- T1071.001
query: |
  let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
  CommonSecurityLog
  | where RequestMethod == "GET"
  | project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
  | where RequestURL has_any (runningRAT_parameters)  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml
description: |
  'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication
  presence of this alert means the RunningRAT implant is likely still executing on the source host.'  
triggerThreshold: 0
tags:
- POLONIUM
id: baedfdf4-7cc8-45a1-81a9-065821628b83
kind: Scheduled
metadata:
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
  author:
    name: Thomas McElroy
  support:
    tier: Community
severity: High
version: 1.0.1
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: DestinationIP
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
  entityType: Host
- fieldMappings:
  - identifier: Url
    columnName: RequestURL
  entityType: URL
queryFrequency: 1d
queryPeriod: 1d
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - CommonSecurityLog
  connectorId: Fortinet
- dataTypes:
  - CommonSecurityLog
  connectorId: CheckPoint
- dataTypes:
  - CommonSecurityLog
  connectorId: PaloAltoNetworks
tactics:
- Exfiltration
- CommandAndControl
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/baedfdf4-7cc8-45a1-81a9-065821628b83')]",
      "properties": {
        "alertRuleTemplateName": "baedfdf4-7cc8-45a1-81a9-065821628b83",
        "customDetails": null,
        "description": "'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication\npresence of this alert means the RunningRAT implant is likely still executing on the source host.'\n",
        "displayName": "RunningRAT request parameters",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml",
        "query": "let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);\nCommonSecurityLog\n| where RequestMethod == \"GET\"\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\n| where RequestURL has_any (runningRAT_parameters)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "tags": [
          "POLONIUM"
        ],
        "techniques": [
          "T1041",
          "T1071"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}