Atera Agent Installation
Detects a successful installation of the Atera Remote Monitoring & Management (RMM) agent, which has recently been observed in use by Conti operators
Log Source
Product: Windows (raw: windows)
Service: Application (raw: application)
Detection Logic
detection:
    selection:
        EventID: 1033
        Provider_Name: MsiInstaller
        Message|contains: AteraAgent
    condition: selection
False Positives
Legitimate Atera agent installation
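The selection above applied to sample Windows Application log records, as an added example (not part of the rule or the converter): a small matcher that reproduces the rule's AND-ed selection with Sigma's default case-insensitive string matching, run over constructed events. The field names, host names and message texts are assumptions modelled on MsiInstaller event wording, not captured telemetry.

```python
"""Evaluate the Atera RMM Sigma selection over constructed sample events."""
from typing import Iterable

# Selection copied from the rule. Sigma compares strings case-insensitively by
# default, so the matcher lower-cases both sides before comparing.
SELECTION = {
    "EventID": 1033,
    "Provider_Name": "MsiInstaller",
    "Message|contains": "AteraAgent",
}


def event_matches(event: dict) -> bool:
    """True when the event satisfies every field of the selection (logical AND)."""
    for key, expected in SELECTION.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        if modifier == "contains":
            ok = str(expected).lower() in str(actual).lower()
        elif modifier == "":
            ok = str(actual).lower() == str(expected).lower()
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier!r}")
        if not ok:
            return False
    return True


def find_atera_installs(events: Iterable[dict]) -> list:
    """Return the events that would raise this rule's alert."""
    return [e for e in events if event_matches(e)]


# Constructed sample events (assumed field layout; not real log data).
SAMPLE_EVENTS = [
    {"EventID": 1033, "Provider_Name": "MsiInstaller", "Computer": "WS01",
     "Message": "Windows Installer installed the product. Product Name: AteraAgent. "
                "Installation success or error status: 0."},
    {"EventID": 1033, "Provider_Name": "MsiInstaller", "Computer": "WS02",
     "Message": "Windows Installer installed the product. Product Name: SomeOtherApp. "
                "Installation success or error status: 0."},
    {"EventID": 1034, "Provider_Name": "MsiInstaller", "Computer": "WS03",
     "Message": "Windows Installer removed the product. Product Name: AteraAgent."},
    {"EventID": 1033, "Provider_Name": "OtherProvider", "Computer": "WS04",
     "Message": "AteraAgent string emitted by an unrelated provider."},
]

if __name__ == "__main__":
    for hit in find_atera_installs(SAMPLE_EVENTS):
        print(f"ALERT host={hit['Computer']} message={hit['Message'][:50]}")
```

Only the WS01 install fires; the removal event (1034) and the unrelated provider do not, and a legitimate IT-driven install would fire identically, which is why the rule lists it as a false positive to triage against change records.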
References
MITRE ATT&CK
Tactics
Other
attack.t1219.002
Rule Metadata
Rule ID
87261fb2-69d0-42fe-b9de-88c6b5f65a43
Status
test
Level
high
Type
Detection
Created
Wed Sep 01
Modified
Sun Dec 25
Author
Path
rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
Raw Tags
attack.command-and-control
attack.t1219.002