Remote Access Tool - Simple Help Execution

Sigma Rules

Summary
This detection rule identifies execution of the Simple Help remote access tool, which adversaries can abuse to establish a command and control (C2) channel to compromised systems. Remote access tools (RATs) such as Simple Help are commonly used for legitimate remote desktop support, which makes them attractive to intruders who want their activity to blend in with normal administration. The rule monitors `process_creation` events on Windows systems and looks for processes whose image path contains strings indicative of Simple Help's installation directory and executable name. Because threat actors increasingly rely on legitimate software to disguise their activity, detecting such executions matters, particularly where remote support usage deviates from the organization's normal patterns. The rule carries a medium severity level owing to the dual-use nature of the software, and legitimate use by authorized support staff is a known source of false positives that analysts should expect and tune for.
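To make the matching logic concrete, the following is an added example of a minimal Sigma-style evaluator run over constructed `process_creation` events. It is not the rule's own YAML, not Sigma project code, and not anything published by Simple Help; the directory and executable strings in it are placeholders (the page does not quote the real selection values), the `filter_approved` selection and its user name are constructed to illustrate the false-positive caveat, and the sample events are invented telemetry.

```python
"""Tiny Sigma-style matcher for a Windows process_creation rule.

Added example, not the rule's YAML or any Sigma backend. The Simple Help
directory and executable strings are PLACEHOLDERS; substitute the real
rule's selection values before using this against actual logs.
"""
from typing import Dict, List, Union

Event = Dict[str, str]
Selection = Dict[str, Union[str, List[str]]]

# Rule modelled on the page's description: match process_creation events
# whose Image contains the tool's directory or executable name.
RULE = {
    "title": "Remote Access Tool - Simple Help Execution",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            # PLACEHOLDER values, not the real rule's strings.
            "Image|contains": [
                "\\SIMPLEHELP_DIR_PLACEHOLDER\\",
                "\\SIMPLEHELP_EXE_PLACEHOLDER.exe",
            ],
        },
        # Constructed tuning filter for the false-positive caveat: a support
        # account that is allowed to run the tool (hypothetical value).
        "filter_approved": {
            "User": "CORP\\helpdesk-placeholder",
        },
        "condition": "selection and not filter_approved",
    },
    "level": "medium",
}


def _match_value(modifier: str, actual: str, expected: str) -> bool:
    """Apply one Sigma string modifier; Windows matching is case-insensitive."""
    a, e = actual.lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "":
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(selection: Selection, event: Event) -> bool:
    """Every field in a selection must match (AND); any value in a list may (OR)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, actual, v) for v in values):
            return False
    return True


def evaluate(rule: dict, event: Event) -> bool:
    """Evaluate a conjunctive condition such as 'selection and not filter'."""
    detection = rule["detection"]
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        hit = match_selection(detection[name], event)
        if hit == negate:  # matched a negated term, or missed a required one
            return False
    return True


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"Image": "C:\\Program Files\\SIMPLEHELP_DIR_PLACEHOLDER\\SIMPLEHELP_EXE_PLACEHOLDER.exe",
     "User": "CORP\\jdoe"},
    {"Image": "C:\\Program Files\\SIMPLEHELP_DIR_PLACEHOLDER\\SIMPLEHELP_EXE_PLACEHOLDER.exe",
     "User": "CORP\\helpdesk-placeholder"},          # approved account, filtered
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "User": "CORP\\jdoe"},                          # unrelated process
    {"Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\simplehelp_exe_placeholder.EXE",
     "User": "CORP\\jdoe"},                          # case variation still matches
]


def run(events: List[Event]) -> List[Event]:
    """Return the events that would raise this rule's alert."""
    return [e for e in events if evaluate(RULE, e)]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {alert['Image']} ({alert['User']})")
```

Running the block flags the first and last sample events and suppresses the second because the constructed `filter_approved` selection removes it, which is the shape of tuning the summary's false-positive caveat calls for: keep the broad `Image|contains` match, then exclude the specific support accounts or hosts where the tool is expected.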
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2024-02-23