elastic / detection-rules

Home Page:https://www.elastic.co/guide/en/security/current/detection-engine-overview.html


[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution

ar3diu opened this issue · comments

Link to rule

name = "First Time Seen Commonly Abused Remote Access Tool Execution"

Description

While reading the RMM Tools section of Red Canary's 2024 Threat Detection Report, I noticed this rule doesn't have coverage for a few of them:

  • ASG Remote Desktop: process.name.caseless: "RDConsole.exe" or process.code_signature.subject_name: "Rocket Software, Inc."
  • BeAnywhere (not sure about this detection, I got the software from softpedia): process.name.caseless: "BAConsoleApp.exe" or process.code_signature.subject_name: "Multiplicar Negocios - Actividades de Marketing Inovadoras Lda"
  • Domotz: (process.name.caseless: "domotz-windows-x64-10.exe" and process.code_signature.subject_name: "DOMOTZ INC.") or (process.name.caseless: "domotzagent.exe" and process.code_signature.exists: false)
  • DWAgent: process.name.caseless: "dwagsvc.exe" or process.code_signature.subject_name: "DWSNET OÜ"
  • Fixme.it: process.name.caseless: "TiLauncher.exe" or process.code_signature.subject_name: "Techinline Limited"
  • Fleetdeck.io: process.name.caseless: "fleetdeck_commander_launcher.exe" or process.code_signature.subject_name: "FleetDeck Inc"

That's all I personally tested so far, but actually Red Canary has enough information here that can be used to improve the coverage of this rule: https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json
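The clauses proposed above can be checked offline before they go into the rule. The script below is an added example, not code from elastic/detection-rules or from the issue author: it transcribes the six proposed conditions into a small matcher with KQL-like semantics (`process.name.caseless` as a case-insensitive comparison of `process.name`, `process.code_signature.subject_name` as an exact keyword match, `process.code_signature.exists: false` as a match only on an explicit ECS boolean `false`) and runs it over constructed ECS-shaped process events. The events, the `make_event` helper and the semantics choices are assumptions for illustration, not real telemetry or the rule's actual query.

```python
"""Evaluate the RMM coverage clauses proposed in the issue against ECS process events.

Added example (not code from elastic/detection-rules). The clauses are transcribed
from the issue body; the sample events below are constructed, not real telemetry.
"""
from __future__ import annotations

from typing import Any

# Each tool maps to alternative clauses (OR). Within a clause every field must match (AND).
# Assumed field semantics, modelled on how KQL treats these ECS fields:
#   process.name.caseless               -> case-insensitive comparison against process.name
#   process.code_signature.subject_name -> exact match (keyword field)
#   process.code_signature.exists       -> ECS boolean; `exists: false` matches only an explicit false
PROPOSED_RMM_COVERAGE: dict[str, list[dict[str, Any]]] = {
    "ASG Remote Desktop": [
        {"process.name.caseless": "RDConsole.exe"},
        {"process.code_signature.subject_name": "Rocket Software, Inc."},
    ],
    "BeAnywhere": [
        {"process.name.caseless": "BAConsoleApp.exe"},
        {"process.code_signature.subject_name": "Multiplicar Negocios - Actividades de Marketing Inovadoras Lda"},
    ],
    "Domotz": [
        {"process.name.caseless": "domotz-windows-x64-10.exe",
         "process.code_signature.subject_name": "DOMOTZ INC."},
        {"process.name.caseless": "domotzagent.exe",
         "process.code_signature.exists": False},
    ],
    "DWAgent": [
        {"process.name.caseless": "dwagsvc.exe"},
        {"process.code_signature.subject_name": "DWSNET OÜ"},
    ],
    "Fixme.it": [
        {"process.name.caseless": "TiLauncher.exe"},
        {"process.code_signature.subject_name": "Techinline Limited"},
    ],
    "Fleetdeck.io": [
        {"process.name.caseless": "fleetdeck_commander_launcher.exe"},
        {"process.code_signature.subject_name": "FleetDeck Inc"},
    ],
}


def get_field(event: dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS field path against a nested dict; None when any segment is absent."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def field_matches(event: dict[str, Any], field: str, expected: Any) -> bool:
    """Compare one field of the event with the clause value using the semantics above."""
    if field.endswith(".caseless"):
        actual = get_field(event, field[: -len(".caseless")])
        return isinstance(actual, str) and actual.lower() == expected.lower()
    actual = get_field(event, field)
    # A missing field never matches a value query, and a bool must not match an int or str.
    return actual is not None and type(actual) is type(expected) and actual == expected


def clause_matches(event: dict[str, Any], clause: dict[str, Any]) -> bool:
    return all(field_matches(event, f, v) for f, v in clause.items())


def matching_tools(event: dict[str, Any],
                   coverage: dict[str, list[dict[str, Any]]] = PROPOSED_RMM_COVERAGE) -> list[str]:
    """Names of the proposed RMM tools whose clauses this process event satisfies."""
    return [tool for tool, clauses in coverage.items()
            if any(clause_matches(event, c) for c in clauses)]


def make_event(name: str, subject_name: str | None = None) -> dict[str, Any]:
    """Constructed ECS-shaped process start event (hypothetical helper, not real data)."""
    sig = ({"exists": True, "subject_name": subject_name, "trusted": True}
           if subject_name else {"exists": False})
    return {"event": {"category": ["process"], "type": ["start"]},
            "process": {"name": name, "code_signature": sig}}


SAMPLE_EVENTS = [
    make_event("RDConsole.exe", "Rocket Software, Inc."),          # both ASG clauses hold
    make_event("DOMOTZAGENT.EXE"),                                 # unsigned agent, mixed case
    make_event("domotzagent.exe", "Some Other Publisher"),         # signed: Domotz AND clause fails
    make_event("fleetdeck_commander_launcher.exe"),                # name clause alone is enough
    make_event("notepad.exe", "Microsoft Windows"),                # benign, no clause applies
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        proc = ev["process"]
        print(f"{proc['name']:36} signer={proc['code_signature'].get('subject_name')!s:28}"
              f" -> {matching_tools(ev) or '-'}")
```

Two properties of the proposed clauses show up in the sample run: the Domotz agent is only covered while it is unsigned, because its second clause ANDs the name with `code_signature.exists: false`, so a signed `domotzagent.exe` from any publisher falls through; and every tool that lists `subject_name` as a standalone OR clause will match any binary signed by that publisher, not just the named executable, which is worth keeping in mind when the rule is a first-time-seen rule keyed on those fields.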