Remote Access Tool - RURAT Execution From Unusual Location
Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
Sigma rule (View on GitHub)
1title: Remote Access Tool - RURAT Execution From Unusual Location
2id: e01fa958-6893-41d4-ae03-182477c5e77d
3status: test
4description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
5references:
6 - https://redcanary.com/blog/misbehaving-rats/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-09-19
9modified: 2023-03-05
10tags:
11 - attack.defense-evasion
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 - Image|endswith:
18 - '\rutserv.exe'
19 - '\rfusclient.exe'
20 - Product: 'Remote Utilities'
21 filter:
22 Image|startswith:
23 - 'C:\Program Files\Remote Utilities'
24 - 'C:\Program Files (x86)\Remote Utilities'
25 condition: selection and not filter
26falsepositives:
27 - Unknown
28level: medium
References
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity