Atera Agent Installation
Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
Sigma rule (View on GitHub)
1title: Atera Agent Installation
2id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
3status: test
4description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
5references:
6 - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
7author: Bhabesh Raj
8date: 2021-09-01
9modified: 2022-12-25
10tags:
11 - attack.command-and-control
12 - attack.t1219.002
13logsource:
14 service: application
15 product: windows
16detection:
17 selection:
18 EventID: 1033
19 Provider_Name: MsiInstaller
20 Message|contains: AteraAgent
21 condition: selection
22falsepositives:
23 - Legitimate Atera agent installation
24level: high
References
Related rules
- Antivirus Exploitation Framework Detection
- Anydesk Temporary Artefact
- DNS Query To AzureWebsites.NET By Non-Browser Process
- DNS Query To Remote Access Software Domain From Non-Browser App
- GoToAssist Temporary Installation Artefact