Detection rules › Splunk
Suspicious AteraAgent Installation - Windows (PowerShell)
An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These remote monitoring and management (RMM) tools, such as AteraAgent, are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. This use case detects installation of AteraAgent RMM with an IntegratorLogin from non-business email providers. In lieu of filtering for specific publicly available mail providers, a negative match for expected user email domains can be used.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1219 Remote Access Tools |
References
- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
- https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign?utm_source=twitter&utm_medium=social_organic&utm_campaign=2024&utm_post_id=3c4043a3-313b-4b88-aca6-d74b47e16082
- https://www.atera.com/
- https://detection.fyi/the-dfir-report/sigma-rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations/?query=ateraage
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
Rule body yaml
id: '30808.55043'
title: Suspicious AteraAgent Installation - Windows
description: An adversary may use legitimate desktop support and remote access software
to establish an interactive command and control channel to target systems within
networks. These remote monitoring and management (RMM) tools, such as AteraAgent,
are commonly used as legitimate technical support software and may be allowed by
application control within a target environment. Remote access software may be installed
and used post-compromise as an alternate communications channel for redundant access
or as a way to establish an interactive remote desktop session with the target system.
They may also be used as a component of malware to establish a reverse connection
or back-connect to a service or adversary controlled system. This use case detects
installation of AteraAgent RMM with an IntegratorLogin from non-business email providers.
In lieu of filtering for specific publicly available mail providers, a negative
match for expected user email domains can be used.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR
"<EventID>4103<") "AteraAgent.exe" "/i " "IntegratorLogin=" ("@gmail.com" OR "@hotmail.com"
OR "@outlook.com" OR "@yandex.ru" OR "@mail.ru" OR "@protonmail.com" OR "@dropmail.me")
| rex field=process "IntegratorLogin=\"(?<integrator_email>[^\"]+)\""| where match(process,
"(?i)AteraAgent\.exe.+\/i\s.*IntegratorLogin=\S+@(gmail|hotmail|outlook|protonmail)\.com|(yandex|mail)\.ru|dropmail\.me")|
table _time, host, user, process_*, integrator_email | bin span=1s | stats values(*)
as * by _time, host '
techniques:
- command-and-control:remote access software
technique_id:
- T1219
data_category:
- PowerShell logs
references:
- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
- https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign?utm_source=twitter&utm_medium=social_organic&utm_campaign=2024&utm_post_id=3c4043a3-313b-4b88-aca6-d74b47e16082
- https://www.atera.com/
- https://detection.fyi/the-dfir-report/sigma-rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations/?query=ateraage
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR "<EventID>4103<") "AteraAgent.exe" "/i " "IntegratorLogin=" ("@gmail.com" OR "@hotmail.com" OR "@outlook.com" OR "@yandex.ru" OR "@mail.ru" OR "@protonmail.com" OR "@dropmail.me")
Stage 2: eval
| rex field=process "IntegratorLogin=\"(?<integrator_email>[^\"]+)\""
Stage 3: where
| where match(process, "(?i)AteraAgent\.exe.+\/i\s.*IntegratorLogin=\S+@(gmail|hotmail|outlook|protonmail)\.com|(yandex|mail)\.ru|dropmail\.me")
Stage 4: table
| table _time, host, user, process_*, integrator_email
Stage 5: bucket
| bin span=1s
Stage 6: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4103<" |
| 1 | "AteraAgent.exe" |
| 1 | "/i " |
| 1 | "IntegratorLogin=" |
| 1 | "@gmail.com" |
| 1 | "@hotmail.com" |
| 1 | "@outlook.com" |
| 1 | "@yandex.ru" |
| 1 | "@mail.ru" |
| 1 | "@protonmail.com" |
| 1 | "@dropmail.me" |