Remote Access Tool - RURAT Execution From Unusual Location
Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
Sigma rule (View on GitHub)
1title: Remote Access Tool - RURAT Execution From Unusual Location
2id: e01fa958-6893-41d4-ae03-182477c5e77d
3status: test
4description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
5references:
6 - https://redcanary.com/blog/misbehaving-rats/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/09/19
9modified: 2023/03/05
10tags:
11 - attack.defense_evasion
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 - Image|endswith:
18 - '\rutserv.exe'
19 - '\rfusclient.exe'
20 - Product: 'Remote Utilities'
21 filter:
22 Image|startswith:
23 - 'C:\Program Files\Remote Utilities'
24 - 'C:\Program Files (x86)\Remote Utilities'
25 condition: selection and not filter
26falsepositives:
27 - Unknown
28level: medium
References
-
Ransomware operators frequently abuse RATs like NetSupport, Remote Utilities, ScreenConnect, and Anydesk. Here's what to look out for.
Read More
Related rules
- Arbitrary File Download Via MSPUB.EXE
- DLL Loaded From Suspicious Location Via Cmspt.EXE
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Directory Removal Via Rmdir
- EventLog EVTX File Deleted