sigmamediumHunting

Renamed Remote Utilities RAT (RURAT) Execution

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

MITRE ATT&CK

defense-evasioncollectioncommand-and-controldiscovery

Detection Query

selection:
  Product: Remote Utilities
filter:
  Image|endswith:
    - \rutserv.exe
    - \rfusclient.exe
condition: selection and not filter

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-09-19

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://redcanary.com/blog/misbehaving-rats/

Tags

attack.defense-evasionattack.collectionattack.command-and-controlattack.discoveryattack.s0592

Raw Content

title: Renamed Remote Utilities RAT (RURAT) Execution
id: 9ef27c24-4903-4192-881a-3adde7ff92a5
status: test
description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-02-03
tags:
    - attack.defense-evasion
    - attack.collection
    - attack.command-and-control
    - attack.discovery
    - attack.s0592
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Product: 'Remote Utilities'
    filter:
        Image|endswith:
            - '\rutserv.exe'
            - '\rfusclient.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium