The hypothesis is that an adversary has deployed a Remote Access Trojan (RAT), in this case RunningRAT, on an internal host and that the implant receives commands or exfiltrates data over HTTP GET requests whose URI path or query parameters match known RunningRAT indicators (the path /ui/chk and the parameter names mactok=, UsRnMe=, IlocalP= and kMnD=). SOC teams should proactively hunt for these requests in the proxy and firewall logs ingested into Azure Sentinel (CommonSecurityLog) so that RAT activity is identified and contained before it leads to data exfiltration or further compromise.
KQL Query
let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
CommonSecurityLog
| where RequestMethod == "GET"
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
| where RequestURL has_any (runningRAT_parameters)
id: baedfdf4-7cc8-45a1-81a9-065821628b83
name: RunningRAT request parameters
description: |
  'This detection will alert when RunningRAT URI parameters or paths are detected in an HTTP request.
  Even if the device blocked this communication, the presence of this alert means the RunningRAT implant is likely still executing on the source host.'
severity: High
requiredDataConnectors:
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
  - connectorId: Fortinet
    dataTypes:
      - CommonSecurityLog
  - connectorId: CheckPoint
    dataTypes:
      - CommonSecurityLog
  - connectorId: PaloAltoNetworks
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
  - CommandAndControl
relevantTechniques:
  - T1041
  - T1071.001
tags:
  - POLONIUM
query: |
  let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);
  CommonSecurityLog
  | where RequestMethod == "GET"
  | project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
  | where RequestURL has_any (runningRAT_parameters)
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DestinationIP
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SourceHostName
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: RequestURL
version: 1.0.2
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Thomas McElroy
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the firewall and web-proxy connectors listed under requiredDataConnectors (Zscaler, Fortinet, Check Point, Palo Alto Networks); ensure at least one is enabled and that its events carry RequestMethod, RequestURL and DeviceAction, since the query filters on the first two and the triage guidance depends on the third |
Scenario: Legitimate API Request for a Third-Party Service
Description: A legitimate HTTP GET to a third-party API whose path or query string contains one of the indicator terms. The path /ui/chk is the most generic of the five; the parameter names mactok=, UsRnMe=, IlocalP= and kMnD= are specific enough that a collision is unlikely and should be investigated before it is excluded.
Filter/Exclusion: Exclude known third-party services by DestinationDnsDomain or DestinationIP (for example "| where DestinationDnsDomain !in (allowlist)"), only after confirming that the destination is an expected service and not attacker infrastructure.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task or maintenance script on a server makes HTTP GET requests to an internal service whose URI contains an indicator term, for example a health-check endpoint served at /ui/chk.
Filter/Exclusion: CommonSecurityLog events from proxies and firewalls do not carry the user or process that made the request, so exclude on SourceHostName or SourceIP of the known maintenance host, and confirm the destination is internal (DestinationIP in private address space) before adding the exclusion.
Scenario: Admin Task for Software Deployment
Description: An administrator's deployment tooling (for example PowerShell or Ansible) fetches packages or status pages over HTTP GET from an internal repository or management server whose URL contains an indicator term.
Filter/Exclusion: Exclude on SourceHostName or SourceIP of the jump host or deployment server together with DestinationDnsDomain of the repository. Do not exclude on RequestClientApplication alone: the user agent string is controlled by the client and is trivially spoofed by an implant.
Scenario: Legitimate Web Application with Dynamic Parameters
Description: A web application (for example WordPress or Drupal) reached through the proxy uses paths or query parameters that coincide with an indicator term. Note that has_any is a case-insensitive whole-term match, not a substring match, so an indicator parameter name only collides with a parameter of exactly the same name, while a generic path such as /ui/chk can collide with unrelated applications.
Filter/Exclusion: Exclude the application's endpoints by DestinationDnsDomain and, where a single path is responsible, by the parsed path (for example "| extend Path = tostring(parse_url(RequestURL).Path)" and then excluding the known path for that domain).
Scenario: Internal Monitoring Tool Communication
Description: An internal monitoring tool (for example Prometheus or Zabbix) polls an internal appliance or service over HTTP GET whose URL contains an indicator term, such as a health-check page served at /ui/chk.
Filter/Exclusion: Exclude traffic
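The following Python script is an added example and is not part of the original rule or its author's work. It serves both the KQL Query section and the false-positive scenarios above: it replays the rule's GET filter and has_any matching over a handful of constructed CommonSecurityLog-shaped rows, applies the destination and source-host allow-list tuning the scenarios recommend, and flags whether the device allowed the request (C2 reached) or blocked it (host still needs triage, per the rule description). The has_any helper approximates Kusto's case-insensitive whole-term matching and is an assumption to confirm in your workspace; the hostnames, addresses, domains and DeviceAction vocabulary are invented for illustration, and the allow-list parameters are hypothetical tuning inputs rather than rule fields.

```python
"""Replay the RunningRAT URI-indicator rule over constructed CommonSecurityLog rows."""
import re

# Indicator list copied from the rule's runningRAT_parameters.
RUNNING_RAT_PARAMETERS = ["/ui/chk", "mactok=", "UsRnMe=", "IlocalP=", "kMnD="]

# DeviceAction values treated as "the device stopped this request" (assumption:
# vendors word this differently; extend the set for your connectors).
BLOCK_ACTIONS = {"blocked", "block", "deny", "denied", "drop", "reset"}

_TERM = re.compile(r"[0-9A-Za-z]+")


def terms(text: str) -> list[str]:
    """Lower-cased alphanumeric runs, the unit Kusto `has` compares on."""
    return [t.lower() for t in _TERM.findall(text)]


def has_any(text: str, indicators: list[str]) -> list[str]:
    """Approximation of KQL `has_any`: case-insensitive, whole-term matching.

    An indicator matches when its terms occur as a contiguous run in the text's
    terms, so '/ui/chk' hits '/ui/chk?x=1' but not '/ui/chkout', and 'mactok='
    hits 'MACTOK=' but not 'xmactok='. Assumption: this mirrors Kusto term
    semantics closely enough for tuning decisions; confirm in Sentinel.
    """
    text_terms = terms(text)
    hits = []
    for indicator in indicators:
        ind_terms = terms(indicator)
        n = len(ind_terms)
        windows = (text_terms[i:i + n] for i in range(len(text_terms) - n + 1))
        if any(window == ind_terms for window in windows):
            hits.append(indicator)
    return hits


# Constructed rows shaped like the CommonSecurityLog columns the rule projects.
# Hosts, addresses and domains are invented for illustration, not real telemetry.
SAMPLE_ROWS = [
    {"DeviceVendor": "Zscaler", "DeviceAction": "Blocked", "RequestMethod": "GET",
     "DestinationDnsDomain": "203.0.113.10", "DestinationIP": "203.0.113.10",
     "RequestURL": "http://203.0.113.10/ui/chk?mactok=ab12cd&UsRnMe=corp%5Cjdoe",
     "SourceIP": "10.1.2.3", "SourceHostName": "WS-FINANCE-07"},
    {"DeviceVendor": "Fortinet", "DeviceAction": "Allowed", "RequestMethod": "GET",
     "DestinationDnsDomain": "198.51.100.7", "DestinationIP": "198.51.100.7",
     "RequestURL": "http://198.51.100.7/ui/chk?kmnd=1&ilocalp=10.1.2.9",
     "SourceIP": "10.1.2.9", "SourceHostName": "WS-HR-02"},
    # Same indicators over POST: invisible to the rule as written (GET only).
    {"DeviceVendor": "Fortinet", "DeviceAction": "Allowed", "RequestMethod": "POST",
     "DestinationDnsDomain": "198.51.100.7", "DestinationIP": "198.51.100.7",
     "RequestURL": "http://198.51.100.7/ui/chk", "SourceIP": "10.1.2.9",
     "SourceHostName": "WS-HR-02"},
    # Legitimate checkout path: '/ui/chk' is a substring of it but not a whole term.
    {"DeviceVendor": "Zscaler", "DeviceAction": "Allowed", "RequestMethod": "GET",
     "DestinationDnsDomain": "shop.example.com", "DestinationIP": "192.0.2.20",
     "RequestURL": "https://shop.example.com/ui/chkout?id=123",
     "SourceIP": "10.1.2.3", "SourceHostName": "WS-FINANCE-07"},
    # Internal monitoring poller hitting an appliance health page at /ui/chk.
    {"DeviceVendor": "PaloAltoNetworks", "DeviceAction": "Allowed", "RequestMethod": "GET",
     "DestinationDnsDomain": "monitor.corp.example", "DestinationIP": "10.9.0.5",
     "RequestURL": "http://monitor.corp.example/ui/chk", "SourceIP": "10.9.0.6",
     "SourceHostName": "ZBX-POLLER-01"},
]


def run_rule(rows, allowed_destinations=frozenset(), allowed_source_hosts=frozenset()):
    """Apply the rule's GET filter and has_any, then the allow-list tuning.

    allowed_destinations / allowed_source_hosts are hypothetical tuning inputs
    (lower-case DestinationDnsDomain / SourceHostName values), not rule fields.
    """
    findings = []
    for row in rows:
        if row["RequestMethod"] != "GET":
            continue
        hits = has_any(row["RequestURL"], RUNNING_RAT_PARAMETERS)
        if not hits:
            continue
        if (row["DestinationDnsDomain"].lower() in allowed_destinations
                or row["SourceHostName"].lower() in allowed_source_hosts):
            continue
        blocked = row["DeviceAction"].lower() in BLOCK_ACTIONS
        findings.append({
            "SourceHostName": row["SourceHostName"],
            "DestinationIP": row["DestinationIP"],
            "DeviceAction": row["DeviceAction"],
            "Indicators": hits,
            # A block stops this request, not the implant: the host still needs triage.
            "C2Reached": not blocked,
        })
    return findings


if __name__ == "__main__":
    for finding in run_rule(SAMPLE_ROWS, allowed_destinations={"monitor.corp.example"}):
        print(finding)
```

Running the script yields two findings: the blocked Zscaler request from WS-FINANCE-07 (implant present, C2 not reached) and the allowed Fortinet request from WS-HR-02 (C2 reached, escalate first). The POST row shows what the GET-only filter misses, the /ui/chkout row shows why whole-term matching keeps the substring-looking path out, and the poller row disappears only when its destination is on the allow list.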