Renamed Remote Utilities RAT (RURAT) Execution

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

Sigma rule (View on GitHub)

 1title: Renamed Remote Utilities RAT (RURAT) Execution
 2id: 9ef27c24-4903-4192-881a-3adde7ff92a5
 3status: test
 4description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
 5references:
 6    - https://redcanary.com/blog/misbehaving-rats/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-09-19
 9modified: 2023-02-03
10tags:
11    - attack.defense-evasion
12    - attack.collection
13    - attack.command-and-control
14    - attack.discovery
15    - attack.s0592
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        Product: 'Remote Utilities'
22    filter:
23        Image|endswith:
24            - '\rutserv.exe'
25            - '\rfusclient.exe'
26    condition: selection and not filter
27falsepositives:
28    - Unknown
29level: medium

References

Related rules

to-top