AteraAgent malicious installations

Detects potentially malicious AteraAgent installations when the IntegratorLogin parameter is used to register a non-business email.

Sigma rule

```yaml
title: AteraAgent malicious installations
id: fb0f2d48-269d-473e-9afc-c540a16a990f
description: Detects potentially malicious AteraAgent installations when the IntegratorLogin parameter is used to register a non-business email.
status: experimental
date: 2022-09-12
modified: 2024-02-23
author: 'kostastsale, TheDFIRReport'
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\AteraAgent.exe'
        CommandLine|contains|all:
            - '/i '
            - 'IntegratorLogin='
        CommandLine|contains:
            # Feel free to modify the email addresses to fit your needs
            - '@gmail.com'
            - '@hotmail.com'
            - '@yandex.ru'
            - '@mail.ru'
            - '@outlook.com'
            - '@protonmail.com'
            - '@dropmail.me'
    condition: selection
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.t1059.006
```
