Update command_and_control_new_terms_commonly_abused_rat_execution.toml

elastic · w0rk3r · Apr 2, 2024 · Mar 28, 2024 · Mar 28, 2024 · Mar 28, 2024
commit 759abdfa58f4f57518ac26947c6caa523af5c08a
diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2023/04/03"
-integration = ["endpoint"]
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
@@ -15,7 +15,7 @@ when a process is started whose name or code signature resembles commonly abused
 indicating the host has not seen this RAT process started before within the last 30 days.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
+index = ["logs-endpoint.events.*", "endgame-*", "winlogbeat-*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen Commonly Abused Remote Access Tool Execution"
@@ -187,6 +187,76 @@ host.os.type: "windows" and
             "winwvc.exe" or
             "Zaservice.exe" or
             "ZohoURS.exe"
+        ) or
+        process.name : (
+            AA_v*.exe or
+            "AeroAdmin.exe" or
+            "AnyDesk.exe" or
+            "apc_Admin.exe" or
+            "apc_host.exe" or
+            "AteraAgent.exe" or
+            aweray_remote*.exe or
+            "AweSun.exe" or
+            "B4-Service.exe" or
+            "BASupSrvc.exe" or
+            "bomgar-scc.exe" or
+            "domotzagent.exe" or
+            "domotz-windows-x64-10.exe" or
+            "dwagsvc.exe" or
+            "DWRCC.exe" or
+            "ImperoClientSVC.exe" or
+            "ImperoServerSVC.exe" or
+            "ISLLight.exe" or
+            "ISLLightClient.exe" or
+            fleetdeck_commander*.exe or
+            "getscreen.exe" or
+            "LMIIgnition.exe" or
+            "LogMeIn.exe" or
+            "ManageEngine_Remote_Access_Plus.exe" or
+            "Mikogo-Service.exe" or
+            "NinjaRMMAgent.exe" or
+            "NinjaRMMAgenPatcher.exe" or
+            "ninjarmm-cli.exe" or
+            "r_server.exe" or
+            "radmin.exe" or
+            "radmin3.exe" or
+            "RCClient.exe" or
+            "RCService.exe" or
+            "RemoteDesktopManager.exe" or
+            "RemotePC.exe" or
+            "RemotePCDesktop.exe" or
+            "RemotePCService.exe" or
+            "rfusclient.exe" or
+            "ROMServer.exe" or
+            "ROMViewer.exe" or
+            "RPCSuite.exe" or
+            "rserver3.exe" or
+            "rustdesk.exe" or
+            "rutserv.exe" or
+            "rutview.exe" or
+            "saazapsc.exe" or
+            ScreenConnect*.exe or
+            "smpcview.exe" or
+            "spclink.exe" or
+            "Splashtop-streamer.exe" or
+            "SRService.exe" or
+            "strwinclt.exe" or
+            "Supremo.exe" or
+            "SupremoService.exe" or
+            "teamviewer.exe" or
+            "TiClientCore.exe" or
+            "TSClient.exe" or
+            "tvn.exe" or
+            "tvnserver.exe" or
+            "tvnviewer.exe" or
+            UltraVNC*.exe or
+            UltraViewer*.exe or
+            "vncserver.exe" or
+            "vncviewer.exe" or
+            "winvnc.exe" or
+            "winwvc.exe" or
+            "Zaservice.exe" or
+            "ZohoURS.exe"
         )
 	) and