From f8bc17f37e929d39752853c417815e52a2ead38d Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 27 Mar 2025 10:23:41 +0100
Subject: [PATCH] =?UTF-8?q?feat:=20=E2=9C=A8=20Rules=20for=20Rustdesk?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../file_event_win_rustdesk_artefact.yml | 25 ++++++++++++++++++
 .../image_load/image_load_dll_rustdesk.yml | 26 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 rules/windows/file/file_event/file_event_win_rustdesk_artefact.yml
 create mode 100644 rules/windows/image_load/image_load_dll_rustdesk.yml
diff --git a/rules/windows/file/file_event/file_event_win_rustdesk_artefact.yml b/rules/windows/file/file_event/file_event_win_rustdesk_artefact.yml
new file mode 100644
index 00000000000..4c7ec457486
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_rustdesk_artefact.yml
@@ -0,0 +1,25 @@
+title: Rustdesk Temporary Artefact
+id: e586d468-6212-48ce-84e2-764e421bb4cd
+status: experimental
+description: |
+ An adversary may use legitimate desktop support and remote access software, such as Rustdesk,Team Viewer, Go2Assist, LogMein, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/65885baef0fef779e6f4852a92dfb88cfd42dac6/atomics/T1219/T1219.md#atomic-test-12---rustdesk-files-detected-test-on-windows
+ - https://securityaffairs.com/149770/malware/akira-ransomware-cisco-vpn.html
+author: frack113
+date: 2025-03-27
+tags:
+ - attack.command-and-control
+ - attack.t1219
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: '\AppData\Local\rustdesk\rustdesk.exe'
+ condition: selection
+falsepositives:
+ - Legitimate use
+level: medium
diff --git a/rules/windows/image_load/image_load_dll_rustdesk.yml b/rules/windows/image_load/image_load_dll_rustdesk.yml
new file mode 100644
index 00000000000..2c7715d6d27
--- /dev/null
+++ b/rules/windows/image_load/image_load_dll_rustdesk.yml
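Review bot: The `description` is the generic ATT&CK T1219 technique text and says nothing about what this rule actually matches, and it carries a typo ("Rustdesk,Team Viewer" is missing a space); the identical block is repeated in image_load_dll_rustdesk.yml in the next hunk. A leading sentence such as `Detects the creation of rustdesk.exe under a user's \AppData\Local\rustdesk folder, the location exercised by the referenced Atomic Red Team T1219 test` would tell an analyst why this path is the indicator. Because `selection` is a single `TargetFilename|endswith`, the rule also fires on every sanctioned RustDesk user, so the `falsepositives` entry should name that case explicitly, e.g. `- Environments where RustDesk is an approved remote support tool`, rather than the bare "Legitimate use".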
@@ -0,0 +1,26 @@
+title: Load Of Rustdesk Desktop_multi_window_plugin DLL
+id: e5970272-21cc-494a-9705-a124b6f20d32
+status: experimental
+description: |
+ An adversary may use legitimate desktop support and remote access software, such as Rustdesk,Team Viewer, Go2Assist, LogMein, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/65885baef0fef779e6f4852a92dfb88cfd42dac6/atomics/T1219/T1219.md#atomic-test-12---rustdesk-files-detected-test-on-windows
+ - https://securityaffairs.com/149770/malware/akira-ransomware-cisco-vpn.html
+author: frack113
+date: 2025-03-27
+tags:
+ - attack.command-and-control
+ - attack.t1219
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ - ImageLoaded|endswith: 'desktop_multi_window_plugin.dll'
+ - OriginalFileName: 'flutter_hbb.exe'
+ condition: selection
+falsepositives:
+ - Legitimate use
+level: medium
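Review bot: The two entries under `selection` are a YAML list, which Sigma evaluates as OR, so the first branch alerts on any load of a file named desktop_multi_window_plugin.dll no matter which process loads it; judging by the name this looks like a generic Flutter multi-window plugin rather than something RustDesk-specific, so other Flutter desktop applications would likely trigger it — worth confirming before the rule leaves experimental. Note that simply collapsing the list into one mapping would not give the intended AND, since in image-load events OriginalFileName describes the loaded image rather than the loading process (if I read Sysmon's fields correctly); scoping the DLL branch with the loading process instead, e.g. an `Image|endswith` condition on the RustDesk executable, is the safer fix. Separately, the `endswith` value lacks the leading path separator the file_event rule in this commit uses; `ImageLoaded|endswith: '\desktop_multi_window_plugin.dll'` avoids matching longer filenames that merely end in that string. The description typo and the bare "Legitimate use" falsepositives entry are the same as in the first hunk.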