[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution #3545

w0rk3r · 2024-03-28T14:42:31Z

Issues

Resolves #3518

Summary

Updates the rule with more signers and processes from https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json and telem.

Also (trying to) contributed back to the reference: redcanaryco/surveyor#160

…ution

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

terrancedejesus

Great work 👍🏽
Nothing that I can find to tune FPs out, simply because we are looking for legitimate signed RMM.

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Aegrah

Make sure to resolve @Samirbous's comment, prior to merging - but from my point of view LGTM.

Samirbous

we need to compensate with one for sysmon/4688 based on process.name

Samirbous

👍

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

…t_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Aegrah

I agree with narrowing the index patterns, LGTM

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

…ution (#3545) * [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution * Update command_and_control_new_terms_commonly_abused_rat_execution.toml * Update command_and_control_new_terms_commonly_abused_rat_execution.toml * Update command_and_control_new_terms_commonly_abused_rat_execution.toml * Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> (cherry picked from commit 4ab7c9b)

[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Exec…

2634aa6

…ution

w0rk3r added Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules Domain: Endpoint backport: auto labels Mar 28, 2024

w0rk3r requested review from brokensound77, DefSecSentinel, Samirbous, Aegrah and terrancedejesus March 28, 2024 14:42

w0rk3r self-assigned this Mar 28, 2024

w0rk3r commented Mar 28, 2024

View reviewed changes

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Show resolved Hide resolved

w0rk3r added 2 commits March 28, 2024 14:23

Update command_and_control_new_terms_commonly_abused_rat_execution.toml

f2a5079

Update command_and_control_new_terms_commonly_abused_rat_execution.toml

0dff7ad

terrancedejesus reviewed Mar 28, 2024

View reviewed changes

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Show resolved Hide resolved

terrancedejesus reviewed Mar 28, 2024

View reviewed changes

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Show resolved Hide resolved

terrancedejesus approved these changes Mar 28, 2024

View reviewed changes

Merge branch 'main' into rat_tuning

c79d5c2

Aegrah reviewed Apr 2, 2024

View reviewed changes

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Show resolved Hide resolved

Merge branch 'main' into rat_tuning

43560ce

w0rk3r requested a review from Aegrah April 2, 2024 09:35

Merge branch 'main' into rat_tuning

42ad169

Aegrah approved these changes Apr 2, 2024

View reviewed changes

Samirbous approved these changes Apr 2, 2024

View reviewed changes

w0rk3r added 2 commits April 2, 2024 10:07

Merge branch 'main' into rat_tuning

ffa04c0

Update command_and_control_new_terms_commonly_abused_rat_execution.toml

759abdf

w0rk3r requested review from terrancedejesus, Samirbous and Aegrah April 2, 2024 13:16

Samirbous approved these changes Apr 2, 2024

View reviewed changes

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Outdated Show resolved Hide resolved

Update rules/windows/command_and_control_new_terms_commonly_abused_ra…

8304d5a

…t_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Aegrah approved these changes Apr 2, 2024

View reviewed changes

Merge branch 'main' into rat_tuning

8b5e638

terrancedejesus added the Area: RAD label Apr 2, 2024

terrancedejesus reviewed Apr 2, 2024

View reviewed changes

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml Show resolved Hide resolved

w0rk3r merged commit 4ab7c9b into main Apr 2, 2024
17 checks passed

w0rk3r deleted the rat_tuning branch April 2, 2024 14:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution #3545

[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution #3545

w0rk3r commented Mar 28, 2024

terrancedejesus left a comment

Aegrah left a comment

Samirbous left a comment

Samirbous left a comment

Aegrah left a comment

[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution #3545

[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution #3545

Conversation

w0rk3r commented Mar 28, 2024

Issues

Summary

terrancedejesus left a comment

Choose a reason for hiding this comment

Aegrah left a comment

Choose a reason for hiding this comment

Samirbous left a comment

Choose a reason for hiding this comment

Samirbous left a comment

Choose a reason for hiding this comment

Aegrah left a comment

Choose a reason for hiding this comment