Renamed Remote Utilities RAT (RURAT) Execution
Detects execution of a renamed Remote Utilities (RURAT) binary: the rule matches on the Product value carried in the executable's PE version information (the Product field of process creation telemetry), which survives a rename on disk, and excludes the two file names the legitimate install uses.
Sigma rule
title: Renamed Remote Utilities RAT (RURAT) Execution
id: 9ef27c24-4903-4192-881a-3adde7ff92a5
status: test
description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-02-03
tags:
    - attack.defense-evasion
    - attack.collection
    - attack.command-and-control
    - attack.discovery
    - attack.s0592
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Product: 'Remote Utilities'
    filter:
        Image|endswith:
            - '\rutserv.exe'
            - '\rfusclient.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
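The following is an added example, not code from the Sigma rule or from SigmaHQ tooling: a small hand-written evaluator for this rule's selection, filter and condition, run over constructed Windows process_creation events. Field names follow Sigma's windows/process_creation field set as populated from Sysmon Event ID 1 (Image, Product); the file paths and event contents are constructed for illustration. Besides the expected hit on a renamed copy, it shows the case the rule cannot see: a copy whose Product value has been altered or stripped produces no match, so the rule catches renaming only while the version information is left intact.

```python
# Added example (not the Sigma rule's own code or SigmaHQ tooling): a
# hand-written evaluator for this rule's selection/filter/condition logic,
# run over constructed Windows process_creation events. Field names follow
# Sigma's windows/process_creation field set as populated from Sysmon
# Event ID 1 (Image, Product). The events below are constructed, not real
# telemetry.

from typing import Dict, Iterable, List

# Mirrors the rule: selection on the Product field, filter on image suffixes.
SELECTION_PRODUCT = "Remote Utilities"
FILTER_IMAGE_SUFFIXES = ("\\rutserv.exe", "\\rfusclient.exe")


def matches_selection(event: Dict[str, str]) -> bool:
    # Sigma string matching is case-insensitive. The Product value is read
    # from the executable's VERSIONINFO resource, which renaming the file on
    # disk does not alter; that is what makes the field useful here.
    return event.get("Product", "").casefold() == SELECTION_PRODUCT.casefold()


def matches_filter(event: Dict[str, str]) -> bool:
    # 'Image|endswith' with a list of values is an OR over the values.
    image = event.get("Image", "").casefold()
    return any(image.endswith(suffix.casefold()) for suffix in FILTER_IMAGE_SUFFIXES)


def rule_matches(event: Dict[str, str]) -> bool:
    # condition: selection and not filter
    return matches_selection(event) and not matches_filter(event)


def alerts(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the Image paths of events the rule would fire on."""
    return [e["Image"] for e in events if rule_matches(e)]


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    # Stock install under the expected names: suppressed by the filter.
    {"Image": r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe",
     "Product": "Remote Utilities"},
    {"Image": r"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe",
     "Product": "Remote Utilities"},
    # Same binary renamed to look like a system process: this is the hit.
    {"Image": r"C:\Users\Public\svchost.exe",
     "Product": "Remote Utilities"},
    # Renamed AND version info stripped: the rule has nothing to key on,
    # so a copy with an altered VERSIONINFO resource slips past it.
    {"Image": r"C:\Users\Public\updater.exe",
     "Product": ""},
    # Case differs from the filter literal; Sigma matching is
    # case-insensitive, so this still counts as the legitimate name.
    {"Image": r"C:\TOOLS\RUTSERV.EXE",
     "Product": "Remote Utilities"},
    # Unrelated process with a different Product value.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "Product": "Microsoft\u00ae Windows\u00ae Operating System"},
]


if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT renamed Remote Utilities:", image)
```

Running the block prints one alert, for the svchost.exe-named copy. When wiring the rule into a SIEM, check that the backend actually populates Product for process creation events (Sysmon does; the native Security 4688 event does not), or the selection never matches and the rule is silently dead.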