
Summary
This detection rule identifies execution of the Remote Utilities Remote Access Tool (RURAT) from an atypical file location, that is, outside the directories normally associated with its installation. It looks for processes whose image is one of the known RURAT executables, `rutserv.exe` or `rfusclient.exe`. Executions from the default installation directories (typically `C:\Program Files\Remote Utilities` or `C:\Program Files (x86)\Remote Utilities`) are excluded to avoid false positives from legitimate use. By monitoring for such instances, security teams can uncover behavior indicative of unauthorized remote access tool usage, which may signify a breach or a persistence mechanism used by attackers.
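As an added illustration, not part of the rule itself, the Python below implements the rule's logic (image name match plus install-directory exclusion, case-insensitive) and runs it over constructed sample process-creation events; the `Image` field name and the sample paths are assumptions. The exclusion compares on a path boundary so that a sibling directory such as `Remote Utilities Evil` is not silently excluded by a bare prefix match.

```python
from pathlib import PureWindowsPath

# Executables named in the rule description
RURAT_IMAGES = {"rutserv.exe", "rfusclient.exe"}

# Default installation directories the rule excludes (from the rule description)
EXPECTED_INSTALL_DIRS = (
    r"C:\Program Files\Remote Utilities",
    r"C:\Program Files (x86)\Remote Utilities",
)


def is_rurat_from_unexpected_location(image_path: str) -> bool:
    """Return True when the process image is a RURAT executable running
    outside the expected installation directories (or their subfolders).
    Windows paths are case-insensitive, so compare in lower case."""
    path = PureWindowsPath(image_path)
    if path.name.lower() not in RURAT_IMAGES:
        return False
    parent = str(path.parent).lower()
    for install_dir in EXPECTED_INSTALL_DIRS:
        expected = install_dir.lower()
        # Match the directory itself or a subdirectory, never a mere prefix
        if parent == expected or parent.startswith(expected + "\\"):
            return False
    return True


# Constructed sample process-creation events (hypothetical, not real telemetry)
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Remote Utilities\rutserv.exe", "User": "SYSTEM"},
    {"Image": r"C:\Program Files (x86)\Remote Utilities\rfusclient.exe", "User": "alice"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\rutserv.exe", "User": "alice"},
    {"Image": r"C:\ProgramData\updates\RFUSCLIENT.EXE", "User": "SYSTEM"},
    {"Image": r"C:\Windows\System32\svchost.exe", "User": "SYSTEM"},
]


def find_alerts(events):
    """Apply the rule to process-creation events; return the images that fire."""
    return [e["Image"] for e in events if is_rurat_from_unexpected_location(e["Image"])]


if __name__ == "__main__":
    for image in find_alerts(SAMPLE_EVENTS):
        print("ALERT: RURAT executed from unexpected location:", image)
```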
Categories
- Windows
Data Sources
- Process
Created: 2022-09-19