[New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) (#2685)

* adding initial rule

* changed new terms to host.id

* removed windows integration tag

* removed windows integration tag

* changed rule to be process started related

* rule linted

* updating description

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

* added process.name.caseless to non-ecs.json

* removed host type related to #2761

* added host.os.type

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

detection_rules/etc/non-ecs-schema.json

@@ -75,7 +75,8 @@
     "process.Ext.relative_file_name_modify_time": "double",
     "process.Ext.relative_file_creation_time": "double",
     "Target.process.name": "keyword",
-    "process.Ext.api.name": "keyword"
+    "process.Ext.api.name": "keyword",
+    "process.name.caseless": "keyword"
   },
   "logs-windows.*": {
     "powershell.file.script_block_text": "text"

rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

@@ -0,0 +1,79 @@
+[metadata]
+creation_date = "2023/04/03"
+integration = ["windows", "endpoint"]
+maturity = "production"
+min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2023/05/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control
+(C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects
+when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type
+indicating the host has not seen this RAT process started before within the last 30 days.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Time Seen Commonly Abused Remote Access Tool Execution"
+references = [
+    "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
+    "https://attack.mitre.org/techniques/T1219/",
+]
+risk_score = 47
+rule_id = "6e1a2cc4-d260-11ed-8829-f661ea17fbcc"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+host.os.type: "windows" and
+
+   event.category: "process" and event.type : "start" and
+
+    (
+    process.code_signature.subject_name : (
+        TeamViewer* or "NetSupport Ltd" or "GlavSoft" or "LogMeIn, Inc." or "Ammyy LLC" or
+        "Nanosystems S.r.l." or "Remote Utilities LLC" or "ShowMyPC" or "Splashtop Inc." or
+        "Yakhnovets Denis Aleksandrovich IP" or "Pro Softnet Corporation" or "BeamYourScreen GmbH" or
+        "RealVNC" or "uvnc" or "SAFIB") or
+
+    process.name.caseless : (
+        "teamviewer.exe" or "apc_Admin.exe" or "apc_host.exe" or "SupremoHelper.exe" or "rfusclient.exe" or
+        "spclink.exe" or "smpcview.exe" or "ROMServer.exe" or "strwinclt.exe" or "RPCSuite.exe" or "RemotePCDesktop.exe" or
+        "RemotePCService.exe" or "tvn.exe" or "LMIIgnition.exe" or "B4-Service.exe" or "Mikogo-Service.exe" or "AnyDesk.exe" or
+        "Splashtop-streamer.exe" or AA_v*.exe, or "rutserv.exe" or "rutview.exe" or "vncserver.exe" or "vncviewer.exe" or
+        "tvnserver.exe" or "tvnviewer.exe" or "winvnc.exe" or "RemoteDesktopManager.exe" or "LogMeIn.exe" or ScreenConnect*.exe or
+        "RemotePC.exe" or "r_server.exe" or "radmin.exe" or "ROMServer.exe" or "ROMViewer.exe" or "DWRCC.exe" or "AeroAdmin.exe" or
+        "ISLLightClient.exe" or "ISLLight.exe" or "AteraAgent.exe" or "SRService.exe")
+	) and
+
+	not (process.pe.original_file_name : ("G2M.exe" or "Updater.exe" or "powershell.exe") and process.code_signature.subject_name : "LogMeIn, Inc.")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1219"
+name = "Remote Access Software"
+reference = "https://attack.mitre.org/techniques/T1219/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-15d"
+
+