Renamed Remote Utilities RAT (RURAT) Execution

Hunt Hypothesis

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

Detection Rule

Sigma (Original)

title: Renamed Remote Utilities RAT (RURAT) Execution
id: 9ef27c24-4903-4192-881a-3adde7ff92a5
status: test
description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-02-03
tags:
    - attack.collection
    - attack.command-and-control
    - attack.discovery
    - attack.stealth
    - attack.s0592
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Product: 'Remote Utilities'
    filter:
        Image|endswith:
            - '\rutserv.exe'
            - '\rfusclient.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessFileProduct =~ "Remote Utilities" and (not((TargetProcessName endswith "\\rutserv.exe" or TargetProcessName endswith "\\rfusclient.exe")))

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Tactic: Collection
• Tactic: Command and Control
• Tactic: Discovery

References

• https://redcanary.com/blog/misbehaving-rats/
• SigmaHQ Rule