Elastic Security Detection Rules

First Time Seen Commonly Abused Remote Access Tool Execution

Last updated 10 days ago on 2025-02-21
Created 2 years ago on 2023-04-03

About

Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendData Source: Elastic EndgameData Source: Windows Security Event LogsData Source: SysmonLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

Remote Access Software (T1219)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process-*endgame-*winlogbeat-*logs-windows.forwarded*logs-windows.sysmon_operational-*logs-system.security*
Related Integrations

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

system(opens in a new tab or window)

Query
host.os.type: "windows" and

   event.category: "process" and event.type : "start" and

    (
        process.code_signature.subject_name : (
            "Action1 Corporation" or
            "AeroAdmin LLC" or
            "Ammyy LLC" or
            "Atera Networks Ltd" or
            "AWERAY PTE. LTD." or
            "BeamYourScreen GmbH" or
            "Bomgar Corporation" or
            "DUC FABULOUS CO.,LTD" or
            "DOMOTZ INC." or
            "DWSNET OÜ" or
            "FleetDeck Inc" or
            "GlavSoft LLC" or
            "GlavSoft LLC." or
            "Hefei Pingbo Network Technology Co. Ltd" or
            "IDrive, Inc." or
            "IMPERO SOLUTIONS LIMITED" or
            "Instant Housecall" or
            "ISL Online Ltd." or
            "LogMeIn, Inc." or
            "Monitoring Client" or
            "MMSOFT Design Ltd." or
            "Nanosystems S.r.l." or
            "NetSupport Ltd" or
            "NinjaRMM, LLC" or
            "Parallels International GmbH" or
            "philandro Software GmbH" or
            "Pro Softnet Corporation" or
            "RealVNC" or
            "RealVNC Limited" or
            "BreakingSecurity.net" or
            "Remote Utilities LLC" or
            "Rocket Software, Inc." or
            "SAFIB" or
            "Servably, Inc." or
            "ShowMyPC INC" or
            "Splashtop Inc." or
            "Superops Inc." or
            "TeamViewer" or
            "TeamViewer GmbH" or
            "TeamViewer Germany GmbH" or
            "Techinline Limited" or
            "uvnc bvba" or
            "Yakhnovets Denis Aleksandrovich IP" or
            "Zhou Huabing"
        ) or

        process.name.caseless : (
            AA_v*.exe or
            "AeroAdmin.exe" or
            "AnyDesk.exe" or
            "apc_Admin.exe" or
            "apc_host.exe" or
            "AteraAgent.exe" or
            aweray_remote*.exe or
            "AweSun.exe" or
            "B4-Service.exe" or
            "BASupSrvc.exe" or
            "bomgar-scc.exe" or
            "domotzagent.exe" or
            "domotz-windows-x64-10.exe" or
            "dwagsvc.exe" or
            "DWRCC.exe" or
            "ImperoClientSVC.exe" or
            "ImperoServerSVC.exe" or
            "ISLLight.exe" or
            "ISLLightClient.exe" or
            fleetdeck_commander*.exe or
            "getscreen.exe" or
            "LMIIgnition.exe" or
            "LogMeIn.exe" or
            "ManageEngine_Remote_Access_Plus.exe" or
            "Mikogo-Service.exe" or
            "NinjaRMMAgent.exe" or
            "NinjaRMMAgenPatcher.exe" or
            "ninjarmm-cli.exe" or
            "r_server.exe" or
            "radmin.exe" or
            "radmin3.exe" or
            "RCClient.exe" or
            "RCService.exe" or
            "RemoteDesktopManager.exe" or
            "RemotePC.exe" or
            "RemotePCDesktop.exe" or
            "RemotePCService.exe" or
            "rfusclient.exe" or
            "ROMServer.exe" or
            "ROMViewer.exe" or
            "RPCSuite.exe" or
            "rserver3.exe" or
            "rustdesk.exe" or
            "rutserv.exe" or
            "rutview.exe" or
            "saazapsc.exe" or
            ScreenConnect*.exe or
            "smpcview.exe" or
            "spclink.exe" or
            "Splashtop-streamer.exe" or
            "SRService.exe" or
            "strwinclt.exe" or
            "Supremo.exe" or
            "SupremoService.exe" or
            "teamviewer.exe" or
            "TiClientCore.exe" or
            "TSClient.exe" or
            "tvn.exe" or
            "tvnserver.exe" or
            "tvnviewer.exe" or
            UltraVNC*.exe or
            UltraViewer*.exe or
            "vncserver.exe" or
            "vncviewer.exe" or
            "winvnc.exe" or
            "winwvc.exe" or
            "Zaservice.exe" or
            "ZohoURS.exe"
        ) or
        process.name : (
            AA_v*.exe or
            "AeroAdmin.exe" or
            "AnyDesk.exe" or
            "apc_Admin.exe" or
            "apc_host.exe" or
            "AteraAgent.exe" or
            aweray_remote*.exe or
            "AweSun.exe" or
            "B4-Service.exe" or
            "BASupSrvc.exe" or
            "bomgar-scc.exe" or
            "domotzagent.exe" or
            "domotz-windows-x64-10.exe" or
            "dwagsvc.exe" or
            "DWRCC.exe" or
            "ImperoClientSVC.exe" or
            "ImperoServerSVC.exe" or
            "ISLLight.exe" or
            "ISLLightClient.exe" or
            fleetdeck_commander*.exe or
            "getscreen.exe" or
            "LMIIgnition.exe" or
            "LogMeIn.exe" or
            "ManageEngine_Remote_Access_Plus.exe" or
            "Mikogo-Service.exe" or
            "NinjaRMMAgent.exe" or
            "NinjaRMMAgenPatcher.exe" or
            "ninjarmm-cli.exe" or
            "r_server.exe" or
            "radmin.exe" or
            "radmin3.exe" or
            "RCClient.exe" or
            "RCService.exe" or
            "RemoteDesktopManager.exe" or
            "RemotePC.exe" or
            "RemotePCDesktop.exe" or
            "RemotePCService.exe" or
            "rfusclient.exe" or
            "ROMServer.exe" or
            "ROMViewer.exe" or
            "RPCSuite.exe" or
            "rserver3.exe" or
            "rustdesk.exe" or
            "rutserv.exe" or
            "rutview.exe" or
            "saazapsc.exe" or
            ScreenConnect*.exe or
            "smpcview.exe" or
            "spclink.exe" or
            "Splashtop-streamer.exe" or
            "SRService.exe" or
            "strwinclt.exe" or
            "Supremo.exe" or
            "SupremoService.exe" or
            "teamviewer.exe" or
            "TiClientCore.exe" or
            "TSClient.exe" or
            "tvn.exe" or
            "tvnserver.exe" or
            "tvnviewer.exe" or
            UltraVNC*.exe or
            UltraViewer*.exe or
            "vncserver.exe" or
            "vncviewer.exe" or
            "winvnc.exe" or
            "winwvc.exe" or
            "Zaservice.exe" or
            "ZohoURS.exe"
        )
	) and

	not (process.pe.original_file_name : ("G2M.exe" or "Updater.exe" or "powershell.exe") and process.code_signature.subject_name : "LogMeIn, Inc.")

Install detection rules in Elastic Security

Detect First Time Seen Commonly Abused Remote Access Tool Execution in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).