Detectionmediumtest

Renamed Remote Utilities RAT (RURAT) Execution

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Mon Sep 19Updated Fri Feb 039ef27c24-4903-4192-881a-3adde7ff92a5windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Product: 'Remote Utilities'
    filter:
        Image|endswith:
            - '\rutserv.exe'
            - '\rfusclient.exe'
    condition: selection and not filter

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

redcanary.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0009 · Collection TA0011 · Command and Control TA0007 · Discovery

Software

S0592 · S0592

Rule Metadata

Rule ID

9ef27c24-4903-4192-881a-3adde7ff92a5

Status

test

Level

medium

Type

Detection

Created

Mon Sep 19

Modified

Fri Feb 03

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_renamed_rurat.yml

Raw Tags

attack.defense-evasionattack.collectionattack.command-and-controlattack.discoveryattack.s0592

View on GitHub