
[Tuning/New] RMM Rules#5810

Merged
Samirbous merged 27 commits intomainfrom
RMM
Mar 9, 2026

Conversation

@Samirbous (Contributor)

  • replaced RAT by RMM (RMM != RAT)
  • added extra RMM processes, added process.parent.name and parent code signature too (GoToHTTP, tacticalrmm and more).
  • added more references
  • new term rule based on dns.question.name

@Samirbous Samirbous self-assigned this Mar 3, 2026
@Samirbous Samirbous added Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule labels Mar 3, 2026
@botelastic botelastic bot added Domain: Endpoint OS: Windows windows related rules labels Mar 3, 2026
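The "new term rule based on dns.question.name" in this PR is a first-time-seen detection. As an added illustration (not the Elastic rule's query and not code from this PR), the following Python approximates that logic over constructed DNS events: it skips browser processes (the rule file is scoped to non-browser processes), matches an assumed RMM domain suffix list, and alerts the first time a (host.id, dns.question.name) pair is observed within a history window. The suffix list, the 7-day window, and the sample process names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, illustrative RMM domain suffixes; not the rule's actual list.
RMM_DOMAIN_SUFFIXES = ("screenconnect.com", "rmm-vendor.example", "gotohttp.example")
# Browser processes are skipped, mirroring the rule file's "non_browser" scope.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# A (host, domain) pair already seen within this window is not "new" (assumed value).
HISTORY_WINDOW = timedelta(days=7)

def normalize(name):
    return name.lower().rstrip(".")

def is_rmm_domain(name):
    name = normalize(name)
    return any(name == s or name.endswith("." + s) for s in RMM_DOMAIN_SUFFIXES)

def first_seen_rmm_queries(events):
    """Approximate a new_terms rule keyed on (host.id, dns.question.name).

    Events are processed in timestamp order; an event alerts when its pair has
    not been observed within HISTORY_WINDOW. Returns (ts, host, process, domain).
    """
    last_seen, alerts = {}, []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if normalize(e.get("process.name", "")) in BROWSER_PROCESSES:
            continue  # browser traffic to RMM web sites is out of scope
        domain = normalize(e["dns.question.name"])
        if not is_rmm_domain(domain):
            continue
        key, ts = (e["host.id"], domain), e["@timestamp"]
        prev = last_seen.get(key)
        if prev is None or ts - prev > HISTORY_WINDOW:
            alerts.append((ts, e["host.id"], e["process.name"], domain))
        last_seen[key] = ts  # refresh history so repeats stay quiet
    return alerts

T0 = datetime(2026, 3, 3, 9, 0)

def ev(offset, host, proc, name):  # constructed sample event, ECS-style flat keys
    return {"@timestamp": T0 + offset, "host.id": host, "process.name": proc, "dns.question.name": name}

SAMPLE_EVENTS = [  # constructed sample data
    ev(timedelta(0), "host-a", "ScreenConnect.ClientService.exe", "relay.screenconnect.com"),
    ev(timedelta(hours=1), "host-a", "ScreenConnect.ClientService.exe", "relay.screenconnect.com."),
    ev(timedelta(hours=2), "host-a", "chrome.exe", "www.screenconnect.com"),
    ev(timedelta(hours=3), "host-b", "svchost.exe", "agent.rmm-vendor.example"),
    ev(timedelta(hours=4), "host-b", "outlook.exe", "outlook.office.com"),
    ev(timedelta(days=30), "host-a", "ScreenConnect.ClientService.exe", "relay.screenconnect.com"),
]
```

Running `first_seen_rmm_queries(SAMPLE_EVENTS)` yields three alerts: the first host-a query, the host-b query, and the host-a query that recurs after the history window has elapsed; the repeat one hour later, the browser query and the non-RMM domain produce none.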
github-actions bot (Contributor) commented Mar 3, 2026

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non-ECS fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.


tradebot-elastic commented Mar 3, 2026

⛔️ Test failed

Results
  • ❌ First Time Seen Remote Monitoring and Management Tool (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen DNS Query to RMM Domain (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta


Review comment thread on rules/windows/command_and_control_dns_rmm_domains_non_browser.toml (outdated)
tradebot-elastic commented Mar 9, 2026

⛔️ Test failed

Results
  • ❌ First Time Seen Remote Monitoring and Management Tool (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Newly Observed ScreenConnect Host Server (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ First Time Seen DNS Query to RMM Domain (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@eric-forte-elastic (Contributor) left a comment

Comments addressed, looks good 👍

Review comment thread on rules/windows/command_and_control_dns_rmm_domains_non_browser.toml (outdated)
…toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

@Samirbous Samirbous merged commit afcb342 into main Mar 9, 2026
14 checks passed
@Samirbous Samirbous deleted the RMM branch March 9, 2026 16:33

Labels

backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule
