diff --git a/rules/windows/command_and_control_dns_rmm_domains_non_browser.toml b/rules/windows/command_and_control_dns_rmm_domains_non_browser.toml
new file mode 100644
index 000000000..56621f128
--- /dev/null
+++ b/rules/windows/command_and_control_dns_rmm_domains_non_browser.toml
@@ -0,0 +1,92 @@
+[metadata]
+creation_date = "2026/03/03"
+integration = ["endpoint", "windows"]
+maturity = "production"
+updated_date = "2026/03/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers.
+Intended to surface RMM clients, scripts, or other non-browser activity contacting these services.
+"""
+from = "now-8d"
+index = [
+ "logs-endpoint.events.network-*",
+ "logs-windows.sysmon_operational-*",
+]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Time Seen DNS Query to RMM Domain"
+note = """## Triage and analysis
+
+### Investigating First Time Seen DNS Query to RMM Domain
+
+This rule flags DNS queries to commonly abused RMM or remote access domains when the requesting process is not a browser. Legitimate RMM and remote desktop software is frequently abused for C2, persistence, and lateral movement.
+
+### Possible investigation steps
+
+- Identify the process (process.name, process.executable) that performed the DNS query and verify if it is an approved RMM or remote access tool.
+- Review the full process tree and parent process to understand how the binary was launched.
+- Check process.code_signature for trusted RMM publishers; unsigned or unexpected signers may indicate abuse or trojanized installers.
+- Correlate with the companion rule "First Time Seen Commonly Abused RMM Execution" for the same host to see if the RMM process was first-time seen.
+- Investigate other alerts for the same host or user in the past 48 hours.
+
+### False positive analysis
+
+- Approved RMM or remote support tools used by IT will trigger this rule; consider allowlisting by process path or code signer for known managed tools.
+- Some updaters or installers (e.g. signed by the RMM vendor) may resolve these domains; combine with process name or parent context to reduce noise.
+
+### Response and remediation
+
+- If unauthorized RMM use is confirmed: isolate the host, remove the RMM software, rotate credentials, and block the domains at DNS/firewall where policy permits.
+- Enforce policy that only approved RMM tools from approved publishers may be used, and only by authorized staff.
+"""
+references = [
+ "https://attack.mitre.org/techniques/T1219/002/",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a",
+]
+risk_score = 47
+rule_id = "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+host.os.type: "windows" and
+event.category: "network" and
+dns.question.name: (*teamviewer.com or *logmein* or *.anydesk.com or *screenconnect.com or *connectwise.com or *splashtop.com or assist.zoho.com or zohoassist.com or downloads.zohocdn.com or join.zoho.com or dwservice.net or express.gotoassist.com or getgo.com or *rustdesk.com or rs-* or remoteutilities.com or app.atera.com or agentreporting.atera.com or pubsub.atera.com or ammyy.com or n-able.com or cdn.kaseya.net or relay.kaseya.net or license.bomgar.com or beyondtrustcloud.com or api.parsec.app or parsecusercontent.com or tailscale.com or twingate.com or agent.jumpcloud.com or kickstart.jumpcloud.com or services.vnc.com or static.remotepc.com or netsupportsoftware.com or getscreen.me or client.teamviewer.com or integratedchat.teamviewer.com or relay.screenconnect.com or control.connectwise.com or authentication.logmeininc.com or secure.logmeinrescue.com or logmeincdn.http.internapcdn.net or remoteassistance.support.services.microsoft.com or remotedesktop-pa.googleapis.com or comserver.corporate.beanywhere.com or swi-rc.com or swi-tc.com or telemetry.servers.qetqo.com or tmate.io or api.playanext.com) and not process.name: (chrome.exe or msedge.exe or MicrosoftEdge.exe or MicrosoftEdgeCP.exe or firefox.exe or iexplore.exe or safari.exe or brave.exe or opera.exe or vivaldi.exe or msedgewebview2.exe or agent.tiflux.com or *.gotoresolve.com) and
+not (process.code_signature.subject_name: ("Google LLC" or "Google Inc." or "Mozilla Corporation" or "Mozilla Foundation" or "Microsoft Corporation" or "Apple Inc." or "Brave Software, Inc." or "Opera Software AS" or "Vivaldi Technologies AS") and process.code_signature.trusted: true)
+'''
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "dns.question.name"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1219"
+name = "Remote Access Tools"
+reference = "https://attack.mitre.org/techniques/T1219/"
+[[rule.threat.technique.subtechnique]]
+id = "T1219.002"
+name = "Remote Desktop Software"
+reference = "https://attack.mitre.org/techniques/T1219/002/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
index b7aa0ddf3..2a284bd5b 100644
--- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
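Review bot: The closing exclusion `not (process.code_signature.subject_name: (... "Microsoft Corporation" ...) and process.code_signature.trusted: true)` suppresses every Microsoft-signed process, so lookups to these domains from powershell.exe, curl.exe, bitsadmin.exe or the Quick Assist client never alert, which undercuts the description's stated goal of surfacing scripts and makes the `remoteassistance.support.services.microsoft.com` entry unreachable; since the Edge and IE binaries are already excluded by name, drop `"Microsoft Corporation"` from that signer list. Two entries in the `not process.name:` list, `agent.tiflux.com` and `*.gotoresolve.com`, are domain names and can never match a process name, so they are either dead terms or indicators that belong in the `dns.question.name` list. The bare `rs-*` term matches any query name beginning with "rs-", not only RustDesk relays, and should be anchored to a domain (e.g. `rs-*.rustdesk.com`, if that is the intent). The triage note points to a companion rule "First Time Seen Commonly Abused RMM Execution", but the rule this commit renames is "First Time Seen Remote Monitoring and Management Tool"; the two names should agree.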
@@ -2,15 +2,12 @@
 creation_date = "2023/04/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/03"

 [rule]
 author = ["Elastic"]
 description = """
-Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control
-(C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects
-when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type
-indicating the host has not seen this RAT process started before within the last 30 days.
+Adversaries may install legitimate remote monitoring and management (RMM) tools or remote access software on compromised endpoints for command-and-control (C2), persistence, and execution of native commands. This rule detects when a process is started whose name or code signature (or whose parent's name or code signature) resembles commonly abused RMM/remote access tools, including first-time-seen child processes of such tools. New Terms type: host has not seen this process (or child-of-RMM pattern) before within the configured history window.
 """
 from = "now-9m"
 index = [
@@ -23,21 +20,19 @@ index = [ ] language = "kuery" license = "Elastic License v2" -name = "First Time Seen Commonly Abused Remote Access Tool Execution" +name = "First Time Seen Remote Monitoring and Management Tool" note = """## Triage and analysis -### Investigating First Time Seen Commonly Abused Remote Access Tool Execution +### Investigating First Time Seen Remote Monitoring and Management Tool -Remote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems. +Remote monitoring and management (RMM) and remote access software are commonly used by IT departments to provide support and manage endpoints. Attackers adopt the same tools to connect into interactive sessions, maintain access as a persistence mechanism, and drop malicious software. -At the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc. - -This rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools. +This rule detects when an RMM or remote access process is seen on a host for the first time within the new_terms history window (see rule.new_terms), enabling analysts to investigate and enforce the correct usage of such tools. #### Possible investigation steps - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. -- Check if the execution of the remote access tool is approved by the organization's IT department. 
+- Check if the execution of the RMM or remote access tool is approved by the organization's IT department. - Investigate other alerts associated with the user/host during the past 48 hours. - Contact the account owner and confirm whether they are aware of this activity. - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering. @@ -59,8 +54,9 @@ This rule detects when a remote access tool is seen in the environment for the f """ references = [ "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", - "https://attack.mitre.org/techniques/T1219/", + "https://attack.mitre.org/techniques/T1219/002/", "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a", "https://www.cisa.gov/sites/default/files/2025-06/aa25-163a-ransomware-simplehelp-rmm-compromise.pdf", ] risk_score = 47 rule_id = "6e1a2cc4-d260-11ed-8829-f661ea17fbcc" 
@@ -78,11 +74,18 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" +setup = """## Setup + +- **New terms window**: The rule uses `new_terms_fields: host.id` with a 7-day history window. The first time a matching RMM/remote access process is seen on a host within that window will trigger the alert. +- **Velociraptor**: If your organization deploys Velociraptor for DFIR or hunting, consider adding a rule exception by host group or excluding `process.name: "Velociraptor.exe"` where appropriate. +- **Elastic Defend**: For best coverage ensure process events with `process.code_signature` and `process.name` are ingested from Windows endpoints (e.g. logs-endpoint.events.process-*). +- **Parent matching**: The rule also matches when the started process's parent has an RMM/remote access name or code signer, so first-time child processes (e.g. scripts or binaries spawned by TeamViewer, ScreenConnect, AteraAgent, MeshAgent) are detected. Complement with DNS-based detection (e.g. Sigma rule for remote access software domains from non-browser processes) for full coverage. +""" query = ''' host.os.type: "windows" and - event.category: "process" and event.type : "start" and + event.category: "process" and event.type: "start" and ( process.code_signature.subject_name : ( @@ -132,7 +135,9 @@ host.os.type: "windows" and "uvnc bvba" or "Yakhnovets Denis Aleksandrovich IP" or "Zhou Huabing" or - "ZOHO Corporation Private Limited" + "ZOHO Corporation Private Limited" or + "Connectwise, LLC" or + "ScreenConnect Client" ) or process.name.caseless : ( @@ -144,6 +149,7 @@ host.os.type: "windows" and "AteraAgent.exe" or aweray_remote*.exe or "AweSun.exe" or + "AgentMon.exe" or "B4-Service.exe" or "BASupSrvc.exe" or "bomgar-scc.exe" or 
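Review bot: The setup bullet says the alert fires "the first time a matching RMM/remote access process is seen on a host", and with `new_terms_fields` keyed on `host.id` alone that is literally how the rule behaves: once any matching event (now including every child an approved agent spawns, via the new parent matching) has been observed on a host, a different tool such as AnyDesk appearing on that host within the 7-day window raises nothing. Either state that limitation plainly or key the term on the tool as well, e.g. `value = ["host.id", "process.name"]`, so each new tool per host is surfaced. The same setup text sends readers to a "Sigma rule for remote access software domains from non-browser processes" for DNS coverage, yet the companion added in this commit is the Elastic rule "First Time Seen DNS Query to RMM Domain"; name that rule instead. The `[rule.new_terms]` block this text describes lies outside this hunk.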
@@ -157,13 +163,23 @@ host.os.type: "windows" and "ISLLightClient.exe" or fleetdeck_commander*.exe or "getscreen.exe" or + "g2aservice.exe" or + "GoToAssistService.exe" or + "gotohttp.exe" or + "jumpcloud-agent.exe" or + "level.exe" or + "LvAgent.exe" or "LMIIgnition.exe" or "LogMeIn.exe" or "ManageEngine_Remote_Access_Plus.exe" or + "MeshAgent.exe" or "Mikogo-Service.exe" or "NinjaRMMAgent.exe" or "NinjaRMMAgenPatcher.exe" or "ninjarmm-cli.exe" or + "parsec.exe" or + "PService.exe" or + "quickassist.exe" or "r_server.exe" or "radmin.exe" or "radmin3.exe" or @@ -183,14 +199,23 @@ host.os.type: "windows" and "rutview.exe" or "saazapsc.exe" or ScreenConnect*.exe or + "session_win.exe" or + "Remote Support.exe" or "smpcview.exe" or "spclink.exe" or "Splashtop-streamer.exe" or + "Syncro.Overmind.Service.exe" or + "SyncroLive.Agent.Runner.exe" or "SRService.exe" or "strwinclt.exe" or "Supremo.exe" or "SupremoService.exe" or + "tacticalrmm.exe" or + "tailscale.exe" or + "tailscaled.exe" or "teamviewer.exe" or + "ToDesk_Service.exe" or + "twingate.exe" or "TiClientCore.exe" or "TSClient.exe" or "tvn.exe" or @@ -205,7 +230,12 @@ host.os.type: "windows" and "Zaservice.exe" or "ZohoURS.exe" or "Velociraptor.exe" or - "ToolsIQ.exe" + "ToolsIQ.exe" or + "CagService.exe" or + "ScreenConnect.ClientService.exe" or + "TiAgent.exe" or + "GoToResolveProcessChecker.exe" or + "GoToResolveUnattended.exe" ) or process.name : ( AA_v*.exe or @@ -216,9 +246,11 @@ host.os.type: "windows" and "AteraAgent.exe" or aweray_remote*.exe or "AweSun.exe" or + "AgentMon.exe" or "B4-Service.exe" or "BASupSrvc.exe" or "bomgar-scc.exe" or + "CagService.exe" or "domotzagent.exe" or "domotz-windows-x64-10.exe" or "dwagsvc.exe" or 
@@ -229,13 +261,24 @@ host.os.type: "windows" and "ISLLightClient.exe" or fleetdeck_commander*.exe or "getscreen.exe" or + "g2aservice.exe" or + "GoToAssistService.exe" or + "gotohttp.exe" or + "jumpcloud-agent.exe" or + "level.exe" or + "LvAgent.exe" or "LMIIgnition.exe" or "LogMeIn.exe" or "ManageEngine_Remote_Access_Plus.exe" or + "MeshAgent.exe" or + "meshagent.exe" or "Mikogo-Service.exe" or "NinjaRMMAgent.exe" or "NinjaRMMAgenPatcher.exe" or "ninjarmm-cli.exe" or + "parsec.exe" or + "PService.exe" or + "quickassist.exe" or "r_server.exe" or "radmin.exe" or "radmin3.exe" or 
@@ -255,15 +298,171 @@ host.os.type: "windows" and "rutview.exe" or "saazapsc.exe" or ScreenConnect*.exe or + "session_win.exe" or + "Remote Support.exe" or "smpcview.exe" or "spclink.exe" or "Splashtop-streamer.exe" or + "Syncro.Overmind.Service.exe" or + "SyncroLive.Agent.Runner.exe" or "SRService.exe" or "strwinclt.exe" or "Supremo.exe" or "SupremoService.exe" or + "tacticalrmm.exe" or + "tailscale.exe" or + "tailscaled.exe" or "teamviewer.exe" or "TiClientCore.exe" or + "ToDesk_Service.exe" or + "twingate.exe" or + "TSClient.exe" or + "tvn.exe" or + "tvnserver.exe" or + "tvnviewer.exe" or + UltraVNC*.exe or + UltraViewer*.exe or + "vncserver.exe" or + "vncviewer.exe" or + "winvnc.exe" or + "winwvc.exe" or + "Zaservice.exe" or + "ZohoURS.exe" or + "Velociraptor.exe" or + "ToolsIQ.exe" or + "ScreenConnect.ClientService.exe" or + "TiAgent.exe" or + "GoToResolveProcessChecker.exe" or + "GoToResolveUnattended.exe" + ) or + process.parent.code_signature.subject_name : ( + "Action1 Corporation" or + "AeroAdmin LLC" or + "Ammyy LLC" or + "Atera Networks Ltd" or + "AWERAY PTE. LTD." or + "BeamYourScreen GmbH" or + "Bomgar Corporation" or + "DUC FABULOUS CO.,LTD" or + "DOMOTZ INC." or + "DWSNET OÜ" or + "FleetDeck Inc" or + "GlavSoft LLC" or + "GlavSoft LLC." or + "Hefei Pingbo Network Technology Co. Ltd" or + "IDrive, Inc." or + "IMPERO SOLUTIONS LIMITED" or + "Instant Housecall" or + "ISL Online Ltd." or + "LogMeIn, Inc." or + "Monitoring Client" or + "MMSOFT Design Ltd." or + "Nanosystems S.r.l." or + "NetSupport Ltd" or + "NetSupport Ltd." or + "NETSUPPORT LTD." or + "NinjaRMM, LLC" or + "Parallels International GmbH" or + "philandro Software GmbH" or + "Pro Softnet Corporation" or + "RealVNC" or + "RealVNC Limited" or + "BreakingSecurity.net" or + "Remote Utilities LLC" or + "Rocket Software, Inc." or + "SAFIB" or + "Servably, Inc." or + "ShowMyPC INC" or + "Splashtop Inc." or + "Superops Inc." 
or + "TeamViewer" or + "TeamViewer GmbH" or + "TeamViewer Germany GmbH" or + "Techinline Limited" or + "uvnc bvba" or + "Yakhnovets Denis Aleksandrovich IP" or + "Zhou Huabing" or + "ZOHO Corporation Private Limited" or + "Connectwise, LLC" or + "ScreenConnect Client" + ) or + process.parent.name: ( + AA_v*.exe or + "AeroAdmin.exe" or + "AnyDesk.exe" or + "apc_Admin.exe" or + "apc_host.exe" or + "AteraAgent.exe" or + aweray_remote*.exe or + "AweSun.exe" or + "AgentMon.exe" or + "B4-Service.exe" or + "BASupSrvc.exe" or + "bomgar-scc.exe" or + "domotzagent.exe" or + "domotz-windows-x64-10.exe" or + "dwagsvc.exe" or + "DWRCC.exe" or + "ImperoClientSVC.exe" or + "ImperoServerSVC.exe" or + "ISLLight.exe" or + "ISLLightClient.exe" or + fleetdeck_commander*.exe or + "getscreen.exe" or + "g2aservice.exe" or + "GoToAssistService.exe" or + "gotohttp.exe" or + "jumpcloud-agent.exe" or + "level.exe" or + "LvAgent.exe" or + "LMIIgnition.exe" or + "LogMeIn.exe" or + "ManageEngine_Remote_Access_Plus.exe" or + "MeshAgent.exe" or + "Mikogo-Service.exe" or + "NinjaRMMAgent.exe" or + "NinjaRMMAgenPatcher.exe" or + "ninjarmm-cli.exe" or + "parsec.exe" or + "PService.exe" or + "quickassist.exe" or + "r_server.exe" or + "radmin.exe" or + "radmin3.exe" or + "RCClient.exe" or + "RCService.exe" or + "RemoteDesktopManager.exe" or + "RemotePC.exe" or + "RemotePCDesktop.exe" or + "RemotePCService.exe" or + "rfusclient.exe" or + "ROMServer.exe" or + "ROMViewer.exe" or + "RPCSuite.exe" or + "rserver3.exe" or + "rustdesk.exe" or + "rutserv.exe" or + "rutview.exe" or + "saazapsc.exe" or + ScreenConnect*.exe or + "session_win.exe" or + "Remote Support.exe" or + "smpcview.exe" or + "spclink.exe" or + "Splashtop-streamer.exe" or + "Syncro.Overmind.Service.exe" or + "SyncroLive.Agent.Runner.exe" or + "SRService.exe" or + "strwinclt.exe" or + "Supremo.exe" or + "SupremoService.exe" or + "tacticalrmm.exe" or + "tailscale.exe" or + "tailscaled.exe" or + "teamviewer.exe" or + "ToDesk_Service.exe" or + 
"twingate.exe" or + "TiClientCore.exe" or "TSClient.exe" or "tvn.exe" or "tvnserver.exe" or @@ -277,11 +476,14 @@ host.os.type: "windows" and "Zaservice.exe" or "ZohoURS.exe" or "Velociraptor.exe" or - "ToolsIQ.exe" + "ToolsIQ.exe" or + "CagService.exe" or + "TiAgent.exe" or + "GoToResolveProcessChecker.exe" or + "GoToResolveUnattended.exe" ) - ) and - - not (process.pe.original_file_name : ("G2M.exe" or "Updater.exe" or "powershell.exe") and process.code_signature.subject_name : "LogMeIn, Inc.") + ) and + not (process.pe.original_file_name : ("G2M.exe" or "Updater.exe" or "powershell.exe") and process.code_signature.subject_name : "LogMeIn, Inc.") ''' @@ -291,7 +493,10 @@ framework = "MITRE ATT&CK" id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - +[[rule.threat.technique.subtechnique]] +id = "T1219.002" +name = "Remote Desktop Software" +reference = "https://attack.mitre.org/techniques/T1219/002/" [rule.threat.tactic] id = "TA0011" @@ -303,6 +508,6 @@ field = "new_terms_fields" value = ["host.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-15d" +value = "now-7d" diff --git a/rules/windows/command_and_control_newly_observed_screenconnect_host_server.toml b/rules/windows/command_and_control_newly_observed_screenconnect_host_server.toml new file mode 100644 index 000000000..4c65b8bfe --- /dev/null +++ b/rules/windows/command_and_control_newly_observed_screenconnect_host_server.toml 
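Review bot: The new `process.parent.name:` list is matched case-sensitively and has no `.caseless` counterpart, unlike the child side, which keeps both a `process.name.caseless` and a `process.name` list precisely because on-disk names vary in case (this commit itself adds both "MeshAgent.exe" and "meshagent.exe"); add a parallel `process.parent.name.caseless: (...)` branch or the parent match will miss differently-cased binaries. Matching on parents such as AteraAgent.exe, NinjaRMMAgent.exe or Velociraptor.exe also turns every script, updater or collector they spawn into a rule hit, which deserves a sentence in the setup or false-positive guidance since the `not (process.pe.original_file_name ... "LogMeIn, Inc.")` carve-out covers only one vendor. The enclosing query begins before this hunk.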
@@ -0,0 +1,92 @@
+[metadata]
+creation_date = "2026/03/09"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2026/03/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when the ScreenConnect client (ConnectWise Control) connects to a newly observed host server that is not the official ScreenConnect cloud. ScreenConnect is a common RMM/remote access tool abused for C2 and persistence. Self-hosted or non-standard relay servers may indicate abuse or compromise. The rule aggregates by server host (parsed from the client command line), requires first-time observation within the rule window, and limits to a single host to reduce noise.
+"""
+from = "now-5d"
+interval = "6m"
+language = "esql"
+license = "Elastic License v2"
+name = "Newly Observed ScreenConnect Host Server"
+note = """## Triage and analysis
+
+### Investigating Newly Observed ScreenConnect Host Server
+
+ScreenConnect (ConnectWise Control) is legitimate RMM software often abused by threat actors for command-and-control and persistence. This rule fires when a host is seen connecting to a ScreenConnect server host that was not seen before (within the rule window) and that is not the official *.screenconnect.com cloud—surfacing self-hosted or non-standard relay servers that may indicate abuse.
+
+### Possible investigation steps
+
+- Identify the host and user from the alert and confirm whether use of ScreenConnect is approved.
+- Inspect the parsed ScreenConnect server host (Esql.screenconnect_server)—is it an internal host, a known vendor, or an unknown domain/IP?
+- Review the process command line for the full connection parameters and any other suspicious options.
+- Correlate with the companion rule "First Time Seen Remote Monitoring and Management Tool" for the same host.
+- Check for other alerts on the host or user in the past 48 hours.
+
+### False positive analysis
+
+- Legitimate use of self-hosted ScreenConnect/ConnectWise Control by IT or MSP will trigger; allowlist known relay servers by host or exception if appropriate.
+- New deployments of on-prem ScreenConnect relays will appear as newly observed; validate with change management.
+
+### Response and remediation
+
+- If unauthorized RMM use or an unknown relay is confirmed: isolate the host, remove or block the client, and investigate how the software was installed and who operates the server.
+- Enforce policy that only approved RMM tools and approved relay servers may be used.
+"""
+references = [
+ "https://attack.mitre.org/techniques/T1219/002/",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a",
+]
+risk_score = 73
+rule_id = "a8b2c4d6-e8f0-12a4-b6c8-d0e2f4a6b8c0"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-endpoint.events.process-* metadata _id, _version, _index
+| where event.category == "process" and event.type == "start" and (process.name == "ScreenConnect.ClientService.exe" or process.code_signature.subject_name == "ConnectWise, LLC")
+| grok process.command_line """e=Access&y=Guest&h=(?[^&]+)&p"""
+| where Esql.screenconnect_server is not null and not Esql.screenconnect_server like "*.screenconnect.com"
+| stats Esql.count_distinct_host_id = count_distinct(host.id),
+ Esql.first_time_seen = min(@timestamp),
+ Esql.user_name_values = values(user.name),
+ Esql.command_line_values = values(process.command_line),
+ Esql.host_id_values = values(host.id),
+ Esql.host_name_values = values(host.name) by Esql.screenconnect_server
+| eval Esql.recent = date_diff("minute", Esql.first_time_seen, now())
+| where Esql.recent <= 6 and Esql.count_distinct_host_id == 1
+| eval host.id = mv_first(Esql.host_id_values),
+ host.name = mv_first(Esql.host_name_values),
+ process.command_line = mv_first(Esql.command_line_values)
+| keep host.id, host.name, process.command_line, Esql.screenconnect_server
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1219"
+name = "Remote Access Tools"
+reference = "https://attack.mitre.org/techniques/T1219/"
+[[rule.threat.technique.subtechnique]]
+id = "T1219.002"
+name = "Remote Desktop Software"
+reference = "https://attack.mitre.org/techniques/T1219/002/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
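Review bot: As rendered here, the grok pattern `"""e=Access&y=Guest&h=(?[^&]+)&p"""` has a capture group with no name, so `Esql.screenconnect_server` is never populated and the following `where Esql.screenconnect_server is not null` discards every row; if an angle-bracketed name was only lost in rendering this is moot, otherwise the group must be the named form `(?<Esql.screenconnect_server>[^&]+)`. The pattern also hard-codes `e=Access&y=Guest`, which in our experience matches only access-session clients, while the support-session clients typically pushed in remote-support scams carry `e=Support`; consider `e=(?:Access|Support)` after confirming against real command lines. The signer test `process.code_signature.subject_name == "ConnectWise, LLC"` is case-sensitive in ES|QL and disagrees with the `"Connectwise, LLC"` spelling this same commit adds to the companion execution rule; only one can be the certificate's subject, so verify it and use a single spelling in both rules. Excluding all of `*.screenconnect.com` also hides attacker-registered cloud instances, which the false-positive section could say explicitly so analysts do not treat the cloud host as inherently safe.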