[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution
ar3diu opened this issue · comments
ar3diu commented
Link to rule
Description
While reading the RMM Tools section of Red Canary's 2024 Threat Detection Report, I noticed this rule doesn't have coverage for a few of them:
- ASG Remote Desktop:
process.name.caseless: "RDConsole.exe" or process.code_signature.subject_name: "Rocket Software, Inc."
- BeAnywhere (not sure about this detection, I got the software from softpedia):
process.name.caseless: "BAConsoleApp.exe" or process.code_signature.subject_name: "Multiplicar Negocios - Actividades de Marketing Inovadoras Lda"
- Domotz:
(process.name.caseless: "domotz-windows-x64-10.exe" and process.code_signature.subject_name: "DOMOTZ INC.") or (process.name.caseless: "domotzagent.exe" and process.code_signature.exists: false)
- DWAgent:
process.name.caseless: "dwagsvc.exe" or process.code_signature.subject_name: "DWSNET OÜ"
- Fixme.it:
process.name.caseless: "TiLauncher.exe" or process.code_signature.subject_name: "Techinline Limited"
- Fleetdeck.io:
process.name.caseless: "fleetdeck_commander_launcher.exe" or process.code_signature.subject_name: "FleetDeck Inc"
That's all I personally tested so far, but actually Red Canary has enough information here that can be used to improve the coverage of this rule: https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json
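The proposed conditions above, evaluated against constructed ECS-shaped process events, as an added example that is not the issue author's code nor part of the Elastic detection-rules project. The `first_seen_alerts` helper is a simplified stand-in for the rule's "first time seen" (new terms) behaviour keyed on `host.id` plus tool name; the event shape and helper names are assumptions.

```python
# Added example: checks the RMM coverage conditions proposed in the issue against
# constructed ECS-like process events and emits an alert only the first time a
# given tool is seen on a given host (simplified analogue of a new-terms rule).

def _name(ev):
    # process.name.caseless: compare lower-cased process name
    return (ev.get("process", {}).get("name") or "").lower()

def _sig(ev):
    return ev.get("process", {}).get("code_signature") or {}

def _signer(ev):
    return _sig(ev).get("subject_name")

def _sig_exists(ev):
    # process.code_signature.exists is an explicit boolean in ECS
    return _sig(ev).get("exists")

# One predicate per tool, mirroring the KQL proposed in the issue.
RMM_CONDITIONS = {
    "ASG Remote Desktop": lambda ev: _name(ev) == "rdconsole.exe" or _signer(ev) == "Rocket Software, Inc.",
    "BeAnywhere": lambda ev: _name(ev) == "baconsoleapp.exe"
        or _signer(ev) == "Multiplicar Negocios - Actividades de Marketing Inovadoras Lda",
    "Domotz": lambda ev: (_name(ev) == "domotz-windows-x64-10.exe" and _signer(ev) == "DOMOTZ INC.")
        or (_name(ev) == "domotzagent.exe" and _sig_exists(ev) is False),
    "DWAgent": lambda ev: _name(ev) == "dwagsvc.exe" or _signer(ev) == "DWSNET OÜ",
    "Fixme.it": lambda ev: _name(ev) == "tilauncher.exe" or _signer(ev) == "Techinline Limited",
    "Fleetdeck.io": lambda ev: _name(ev) == "fleetdeck_commander_launcher.exe" or _signer(ev) == "FleetDeck Inc",
}

def match_rmm(event):
    """Return the proposed RMM tools whose condition the event satisfies."""
    return [tool for tool, cond in RMM_CONDITIONS.items() if cond(event)]

def first_seen_alerts(events):
    """Alert on (host.id, tool) pairs only on their first occurrence (assumed new-terms analogue)."""
    seen, alerts = set(), []
    for ev in events:
        host = ev.get("host", {}).get("id")
        for tool in match_rmm(ev):
            if (host, tool) not in seen:
                seen.add((host, tool))
                alerts.append((host, tool))
    return alerts

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"host": {"id": "h1"}, "process": {"name": "DWAgSvc.exe", "code_signature": {"exists": True, "subject_name": "DWSNET OÜ"}}},
    {"host": {"id": "h1"}, "process": {"name": "domotzagent.exe", "code_signature": {"exists": False}}},
    {"host": {"id": "h2"}, "process": {"name": "notepad.exe", "code_signature": {"exists": True, "subject_name": "Microsoft Windows"}}},
    {"host": {"id": "h1"}, "process": {"name": "dwagsvc.exe", "code_signature": {"exists": True, "subject_name": "DWSNET OÜ"}}},
]
```

Running `first_seen_alerts(SAMPLE_EVENTS)` yields two alerts (DWAgent and Domotz on h1); the repeated DWAgent launch on h1 is suppressed, which is the tuning behaviour the rule name implies.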