← Library
kqlMITfrom Azure/Azure-Sentinel

RunningRAT request parameters

'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.'

Quality
92
FP risk
Forks
0
Views
0
ATT&CK techniques
T1041T1071.001
Rule sourceDetections/CommonSecurityLog/CreepySnailURLParameters.yaml
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)