AteraAgent malicious installations
Detects potentially malicious AteraAgent installations when the IntegratorLogin parameter is used to register a non-business email.
Sigma rule
title: AteraAgent malicious installations
id: fb0f2d48-269d-473e-9afc-c540a16a990f
description: Detects potentially malicious AteraAgent installations when the IntegratorLogin parameter is used to register a non-business email.
status: experimental
date: 2022-09-12
modified: 2024-02-23
author: 'kostastsale, TheDFIRReport'
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\AteraAgent.exe'
        CommandLine|contains|all:
            - '/i '
            - 'IntegratorLogin='
    selection2:
        CommandLine|contains:
            # Feel free to modify the email addresses to fit your needs
            - '@gmail.com'
            - '@hotmail.com'
            - '@yandex.ru'
            - '@mail.ru'
            - '@outlook.com'
            - '@protonmail.com'
            - '@dropmail.me'
    condition: selection1 and selection2
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.t1059.006
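To make the detection logic concrete, the following is an added example (not code from the Sigma project or the rule authors) that evaluates the rule's two selections and its `selection1 and selection2` condition over a handful of constructed process_creation events. It mirrors Sigma semantics that matter for tuning: `endswith` and `contains` compare case-insensitively, the `contains|all` list requires every value, and the plain `contains` list needs only one value. Field names follow the rule (`Image`, `CommandLine`); all event values, paths and email addresses are hypothetical.

```python
# Added example: a minimal evaluator for the detection section of the
# "AteraAgent malicious installations" Sigma rule, run over constructed
# process_creation events. This is illustrative code, not Sigma's engine or
# any SIEM backend; field names follow the rule (Image, CommandLine).

# Sigma string modifiers match case-insensitively, so every value is lowercased once.
IMAGE_SUFFIXES = ["\\ateraagent.exe"]                 # Image|endswith
CMDLINE_ALL = ["/i ", "integratorlogin="]            # CommandLine|contains|all
WEBMAIL_DOMAINS = [                                  # CommandLine|contains (any)
    "@gmail.com", "@hotmail.com", "@yandex.ru", "@mail.ru",
    "@outlook.com", "@protonmail.com", "@dropmail.me",
]


def selection1(event: dict) -> bool:
    """Image ends with \\AteraAgent.exe AND the command line carries a silent
    install switch plus the IntegratorLogin= property."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return any(image.endswith(s) for s in IMAGE_SUFFIXES) and all(v in cmd for v in CMDLINE_ALL)


def selection2(event: dict) -> bool:
    """Command line contains at least one of the free webmail domains."""
    cmd = event.get("CommandLine", "").lower()
    return any(d in cmd for d in WEBMAIL_DOMAINS)


def matches_rule(event: dict) -> bool:
    """condition: selection1 and selection2"""
    return selection1(event) and selection2(event)


# Constructed sample events (not real telemetry); values are hypothetical.
SAMPLE_EVENTS = [
    {   # expected: ALERT - silent install registering a free webmail integrator login
        "Image": "C:\\Windows\\Temp\\AteraAgent.exe",
        "CommandLine": "AteraAgent.exe /i IntegratorLogin=someone@gmail.com CompanyId=12345",
    },
    {   # expected: no alert - same installer, business-domain login
        "Image": "C:\\Windows\\Temp\\AteraAgent.exe",
        "CommandLine": "AteraAgent.exe /i IntegratorLogin=it-admin@example-corp.com CompanyId=12345",
    },
    {   # expected: no alert - webmail address, but selection1 fails on the image name
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "msiexec.exe /i agent.msi IntegratorLogin=someone@gmail.com",
    },
    {   # expected: ALERT - mixed case still matches, as in Sigma
        "Image": "C:\\Users\\Public\\ATERAAGENT.EXE",
        "CommandLine": "ATERAAGENT.EXE /I INTEGRATORLOGIN=User@ProtonMail.com",
    },
]


def evaluate(events) -> list:
    """Return the indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

When tuning, the `WEBMAIL_DOMAINS` list is the knob the rule's own comment points at: adding a domain widens `selection2`, while the `selection1` constraints (binary name, `/i`, `IntegratorLogin=`) are what keep ordinary installer noise out.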
Related rules
- Custom Cobalt Strike Command Execution
- Execution of ZeroLogon PoC executable
- Nullsoft Scriptable Installer Script (NSIS) execution
- Nullsoft Scriptable Installer Script (NSIS) file creation
- Autoit3.exe Executable File Creation Matching DarkGate Behavior