Chain of remote access tool behavior: (1) initial execution of remote-control/assist agent or GUI under user context; (2) persistence via service or autorun; (3) long-lived outbound connection/tunnel to external infrastructure; (4) interactive control signals such as shell or file-manager child processes spawned by the RAT parent.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Service Creation (DC0060) | WinEventLog:System | EventCode=7045 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| TimeWindow | Correlation period binding start→persistence→egress→child (default 15m, adjust per environment). |
| UserContext | Differentiate help-desk/jump hosts and admin accounts from standard endpoints. |
| ProcessAllowlist | Known-good remote support tools; suppress expected events while still correlating anomalous sequences. |
| InstallPathRegex | Alert when services/agents execute from user-writable or temp paths. |
| ExternalIPAllowlist | Vendors’ support clouds/CDNs to reduce false positives on egress detection. |
| ShellSpawnRegex | Define which child shells from GUI parents are acceptable versus suspicious. |
| EgressHeuristics | Thresholds for session duration, connection counts, and bytes_out/bytes_in ratio. |

Sequence of RAT agent execution, systemd persistence, and long-lived external egress; optional interactive shells spawned from the agent.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve: Agent/headless flags (listen/connect/reverse/tunnel) or remote-control binaries spawning shells |
| File Creation (DC0039) | auditd:PATH | WRITE: Drop of binaries/scripts in ~/.local, /tmp, or /opt tool dirs |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| TimeWindow | Bind exec→service→egress events; extend for staged deployments. |
| DaemonAllowlist | Approved .service names/paths to avoid flagging corporate agents. |
| SuspiciousChildProcesses | Define shells/interpreters considered anomalous when spawned by GUI/agent parents. |
| EgressHeuristics | Flow heuristics for long-lived, client-heavy connections post-install. |

Electron/GUI or headless RAT execution followed by LaunchAgent/Daemon persistence and persistent external connections; interactive children (osascript/sh/curl) spawned by the agent parent.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Process exec of remote-control apps or binaries with headless/connect flags |
| File Creation (DC0039) | macos:osquery | CREATE/MODIFY: Creation of LaunchAgents/Daemons plists in user/system locations |
| Network Connection Creation (DC0082) | macos:osquery | CONNECT: Long-lived connections from remote-control parents to external IPs/domains |

| Field | Description |
|---|---|
| AllowedAppBundlePaths | Legitimate remote-support apps under /Applications. |
| LaunchdAllowlist | Known-good LaunchAgents/Daemons identifiers. |
| TimeWindow | Window for correlating exec→launchd→egress events. |
| EgressHeuristics | Duration/volume thresholds for persistent sessions. |
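
The EgressHeuristics field appears in all three platform tables above without stating how the thresholds combine; the following is an added example, not code from the original page, that scores per-process egress on the three quantities the Windows table names (session duration, connection count, bytes_out/bytes_in ratio) and applies the macOS AllowedAppBundlePaths suppression. It assumes flow records have already been attributed to the owning process path (as osquery's socket events or a Sysmon 3 plus network sensor join would give); threshold values, app paths and sample flows are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# EgressHeuristics thresholds and the AllowedAppBundlePaths allowlist. All values are
# constructed starting points for this example; tune them per environment.
MIN_SESSION_DURATION = timedelta(minutes=60)  # one connection held this long is "long-lived"
MIN_OUT_IN_RATIO = 2.0                        # client-heavy: bytes_out dominates bytes_in
MIN_BYTES_OUT = 1 << 20                       # ignore the ratio below 1 MiB sent (handshake noise)
MIN_CONNECTION_COUNT = 20                     # repeated connections to a single destination
ALLOWED_APP_BUNDLE_PATHS = ("/Applications/CorpSupport.app/",)  # placeholder approved tool


@dataclass(frozen=True)
class Flow:
    host: str
    process_path: str  # parent process that owns the socket
    dst: str
    start: datetime
    end: datetime
    bytes_out: int
    bytes_in: int


def egress_summary(flows):
    """Aggregate flows per (host, process) into duration, count, volume and destinations."""
    agg = defaultdict(lambda: {"longest": timedelta(0), "count": 0, "out": 0, "in": 0, "dsts": set()})
    for f in flows:
        if f.process_path.startswith(ALLOWED_APP_BUNDLE_PATHS):
            continue  # approved remote-support app: suppressed
        s = agg[(f.host, f.process_path)]
        s["longest"] = max(s["longest"], f.end - f.start)
        s["count"] += 1
        s["out"] += f.bytes_out
        s["in"] += f.bytes_in
        s["dsts"].add(f.dst)
    return agg


def out_in_ratio(out_bytes, in_bytes):
    return out_bytes / in_bytes if in_bytes else float("inf")


def flag_egress(flows):
    """Return {(host, process): [reasons]} for parents that trip any heuristic."""
    flagged = {}
    for key, s in egress_summary(flows).items():
        reasons = []
        if s["longest"] >= MIN_SESSION_DURATION:
            reasons.append(f"long-lived session {s['longest']}")
        r = out_in_ratio(s["out"], s["in"])
        if s["out"] >= MIN_BYTES_OUT and r >= MIN_OUT_IN_RATIO:
            reasons.append(f"client-heavy out/in ratio {r:.1f}")
        if s["count"] >= MIN_CONNECTION_COUNT and len(s["dsts"]) == 1:
            reasons.append(f"{s['count']} connections to single destination {next(iter(s['dsts']))}")
        if reasons:
            flagged[key] = reasons
    return flagged


def _flow(proc, dst, start, secs, out, inn, host="MAC-07"):
    t0 = datetime.fromisoformat(f"2024-05-01T{start}")
    return Flow(host, proc, dst, t0, t0 + timedelta(seconds=secs), out, inn)


# Constructed sample flows: a LaunchAgent-run helper in the user's Library, an approved
# support app, a browser, and a small beacon from /tmp.
HELPER = "/Users/jdoe/Library/Application Support/rmmhelper/rmmhelper"
BROWSER = "/Applications/Browser.app/Contents/MacOS/Browser"
SAMPLE_FLOWS = [
    # 2.5 h session pushing screen/file data outward: long-lived and client-heavy.
    _flow(HELPER, "198.51.100.77", "09:00:00", 9000, 40 << 20, 3 << 20),
    # Approved support app with an equally long session: suppressed by the allowlist.
    _flow("/Applications/CorpSupport.app/Contents/MacOS/CorpSupport", "203.0.113.10",
          "09:00:00", 10800, 50 << 20, 4 << 20),
    # Browser: many short, download-heavy connections to several hosts; not flagged.
    *[_flow(BROWSER, f"198.51.100.{10 + i % 5}", "09:05:00", 2, 2048, 300 << 10) for i in range(25)],
    # Beacon: 30 tiny connections from /tmp to one destination.
    *[_flow("/tmp/.agent", "198.51.100.9", "09:10:00", 1, 512, 256) for _ in range(30)],
]

if __name__ == "__main__":
    for (host, proc), reasons in flag_egress(SAMPLE_FLOWS).items():
        print(host, proc, "; ".join(reasons))
```

The three rules are independent so that a single long session, a data-heavy upload, or a tight beacon each surfaces on its own; requiring a single destination for the count rule is what keeps an ordinary browser, which also opens many connections, below the threshold. Feed the flagged (host, process) pairs back into the exec/launchd correlation keyed by TimeWindow rather than alerting on them alone.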