
Threat Hunting IOC Pack — Part 1

cpx May 29, 2026 32 min read Threat Hunting

Covers the 12 tools observed across Akira, Babuk, BlackBasta, LockBit, Monster, Noberus, Play, RagnarLocker, Rorschach, Royal.


Queries are provided for:

  • Microsoft Defender for Endpoint (MDE) — KQL / Advanced Hunting
  • SentinelOne — PowerQuery (PQ) with notes for Deep Visibility / S1QL equivalents
  • CrowdStrike Falcon — Event Search (SPL-derived) + Falcon LogScale / NG-SIEM CQL
  • Velociraptor — VQL (live pslist() + forensic artefacts for historical execution)

Tune for false positives. Many tools (AnyDesk, ScreenConnect, Atera, RDP, WinRAR, WinSCP, TightVNC) are legitimate in some environments — focus on execution path, parent process, user context, and command-line flags rather than the binary alone.



1 — Tool / Behaviour Coverage Matrix

| Tool | Category | LotL risk (likelihood of legitimate use) | Primary hunt vector |
|---|---|---|---|
| Rclone | Exfiltration | Low (rarely benign on endpoints) | Cloud remote strings in cmdline |
| AnyDesk | RMM / RAT | Medium | Unauthorised install path, unattended-access flags |
| RDP | Native remote | High | LogonType 10 from public IPs, tscon hijack |
| Cobalt Strike | C2 framework | None | Named pipes, default certs, beacon traffic |
| ScreenConnect | RMM | Medium | Unauthorised tenant, dropped from non-MSI |
| Atera | RMM | Medium | AteraAgent install outside change-window |
| WinRAR | Archiver | High | -hp -v -m -r flags on bulk file paths |
| Restic | Backup | Low | restic backup, B2/S3 repos |
| TightVNC | Remote desktop | Low | tvnserver service install, 5900 listen |
| WinSCP | SFTP client | Medium | /script /command open sftp:// |
| Pandora RC | Remote control | Low | PandoraRC.exe, signed cert + odd path |
| Chisel | TCP tunnel | None | client R: reverse tunnel, websocket out |

2 — Per-Tool IOC Inventory

2.1 Rclone — Exfiltration to cloud

| Indicator | Value |
|---|---|
| Process names | rclone.exe; renamed copies still carry PE OriginalFilename=rclone.exe |
| Hash hunt | Match on PE OriginalFilename rather than SHA256: actors rename the binary, and every rclone release has a different hash |
| Command-line tokens | --config, --no-check-certificate, --transfers, --multi-thread-streams, copy, sync, move, --max-age |
| Remote prefixes | mega:, pcloud:, b2:, s3:, gdrive:, ftp:, dropbox:, mediafire:, koofr:, yandex: (remote names are whatever the actor typed into rclone.conf, so these are the conventional ones only; ftp: also matches any ftp:// URL, so pair it with another signal) |
| Network | *.mega.nz, *.mega.co.nz, *.pcloud.com, *.backblazeb2.com, *.mediafire.com, *.koofr.net |
| Config artefacts | %APPDATA%\rclone\rclone.conf, %USERPROFILE%\.config\rclone\rclone.conf, or wherever --config points |
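The three signals in the table (renamed binary with the PE OriginalFilename intact, a cloud remote prefix in the command line, --config together with --transfers) applied to process-creation records, as an added Python example that is not part of the original pack. The event shape and the sample events are constructed for the example, modelled loosely on DeviceProcessEvents rather than on any vendor schema. It goes one step further than the queries by excluding scheme://-style URLs, which is what keeps ftp:// and s3:// from firing the remote-prefix check, and by recognising rclone's ":backend:path" connection-string form, which needs no rclone.conf at all.

```python
import re
from dataclasses import dataclass, field

# Conventional remote names from the indicator table. A remote name is whatever the
# actor typed into rclone.conf, so this list catches the usual ones, not all of them;
# the ":backend:path" connection-string form (no config file needed) is matched too.
KNOWN_REMOTES = ("mega", "pcloud", "b2", "s3", "gdrive", "ftp",
                 "dropbox", "mediafire", "koofr", "yandex")
# Preceded by start/whitespace/quote/'=', followed by ':' but not '://', so ftp://
# and s3:// URLs in unrelated tools do not match.
REMOTE_RE = re.compile(
    r'(?:^|[\s"\'=])(:?(?:' + "|".join(KNOWN_REMOTES) + r')):(?!//)', re.IGNORECASE)
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}


@dataclass
class ProcEvent:
    """Constructed process-creation record (shape assumed for this example)."""
    file_name: str
    original_file_name: str   # PE VersionInfo OriginalFilename, '' when absent
    cmdline: str
    parent: str = ""


@dataclass
class Verdict:
    hit: bool
    reasons: list = field(default_factory=list)


def _has_flag(tokens, flag):
    """True for both the '--flag value' and '--flag=value' forms."""
    return any(t == flag or t.startswith(flag + "=") for t in tokens)


def triage_rclone(ev: ProcEvent) -> Verdict:
    reasons = []
    name = ev.file_name.lower()
    orig = ev.original_file_name.lower()
    if name == "rclone.exe":
        reasons.append("image name is rclone.exe")
    elif orig == "rclone.exe":
        reasons.append(f"renamed binary: OriginalFilename=rclone.exe running as {ev.file_name}")
    m = REMOTE_RE.search(ev.cmdline)
    if m:
        reasons.append(f"cloud remote prefix {m.group(1)}:")
    tokens = ev.cmdline.lower().split()
    if _has_flag(tokens, "--config") and _has_flag(tokens, "--transfers"):
        reasons.append("--config with --transfers (portable config plus tuned upload)")
    # A transfer verb on its own is far too common to alert on; it only corroborates.
    if reasons and any(t in RCLONE_VERBS for t in tokens):
        reasons.append("rclone transfer verb present")
    return Verdict(hit=bool(reasons), reasons=reasons)


# Constructed sample events, not sensor output.
SAMPLE_EVENTS = [
    ProcEvent("rclone.exe", "rclone.exe",
              r"rclone.exe copy C:\Finance\2024 mega:stash --transfers 32 "
              r"--config C:\Users\Public\r.conf --no-check-certificate", "cmd.exe"),
    ProcEvent("svchost.exe", "rclone.exe",
              r'svchost.exe sync "C:\Users" :s3:exfil-bucket/acme --no-check-certificate',
              "powershell.exe"),
    ProcEvent("curl.exe", "curl.exe",
              "curl.exe -O ftp://mirror.example.org/file.iso", "cmd.exe"),
    ProcEvent("aws.exe", "aws.exe",
              "aws.exe s3 cp report.csv s3://corp-reports/2024/", "powershell.exe"),
]


def triage_all(events):
    return [(ev.file_name, triage_rclone(ev)) for ev in events]


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_EVENTS):
        print(f"{name:12} hit={verdict.hit} {'; '.join(verdict.reasons)}")
```

The first two sample events hit (the second only because of OriginalFilename and the :s3: connection string); the curl and aws lines do not, even though both contain a listed remote name followed by a colon.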

MDE / KQL

DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "rclone.exe"
     or ProcessVersionInfoOriginalFileName =~ "rclone.exe"
     or ProcessCommandLine matches regex @"(?i)\b(mega|pcloud|b2|s3|gdrive|ftp|dropbox|mediafire|koofr|yandex):"
     or ProcessCommandLine has_all ("--config", "--transfers")
| project Timestamp, DeviceName, AccountName, FolderPath, FileName,
          ProcessVersionInfoOriginalFileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine

SentinelOne / PowerQuery

event.category = "process" and event.type = "Process Creation"
and (
   src.process.image.path contains:anycase "rclone.exe"
   or src.process.displayName contains:anycase "rclone"
   or src.process.cmdline matches "(?i)\b(mega|pcloud|b2|s3|gdrive|ftp|dropbox|mediafire|koofr|yandex):"
   or (src.process.cmdline contains:anycase "--transfers" and src.process.cmdline contains:anycase "--config")
)
| columns endpoint.name, src.process.user, src.process.image.path,
          src.process.cmdline, src.process.publisher.name, src.process.parent.name

CrowdStrike / Event Search

event_simpleName=ProcessRollup2
(FileName=rclone.exe OR ImageFileName="*\\rclone.exe"
 OR CommandLine IN ("*mega:*","*pcloud:*","*b2:*","*s3:*","*gdrive:*","*dropbox:*","*mediafire:*","*koofr:*","*yandex:*")
 OR (CommandLine="*--transfers*" AND CommandLine="*--config*"))
| table _time aid ComputerName UserName ImageFileName CommandLine ParentBaseFileName ParentCommandLine SHA256HashData

CrowdStrike / LogScale CQL (NG-SIEM)

#event_simpleName=ProcessRollup2
| FileName=/(?i)rclone\.exe/ 
  OR CommandLine=/(?i)\b(mega|pcloud|b2|s3|gdrive|ftp|dropbox|mediafire|koofr|yandex):/
  OR (CommandLine=/--transfers/ AND CommandLine=/--config/)
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName])

Velociraptor / VQL

-- Live process scan (incl. renamed binaries via PE OriginalFilename).
-- pslist() returns neither a hash nor version info, so both are computed from Exe.
SELECT Pid, Name, Exe, CommandLine, Username,
       hash(path=Exe).SHA256 AS SHA256,
       parse_pe(file=Exe).VersionInformation AS VersionInfo
FROM pslist()
WHERE Name =~ "(?i)^rclone\\.exe$"
   OR VersionInfo.OriginalFilename =~ "(?i)^rclone\\.exe$"
   OR CommandLine =~ "(?i)\\b(mega|pcloud|b2|s3|gdrive|ftp|dropbox|mediafire|koofr|yandex):"
   OR (CommandLine =~ "(?i)--transfers" AND CommandLine =~ "(?i)--config")

-- Historical execution via Prefetch + Amcache
SELECT * FROM Artifact.Windows.Forensics.Prefetch()
WHERE Executable =~ "(?i)RCLONE"

SELECT * FROM Artifact.Windows.Forensics.Amcache()
WHERE Name =~ "(?i)rclone"

-- Config files on disk (catches renamed/portable binaries)
SELECT FullPath, Mtime, Size FROM glob(globs=[
   "C:/Users/*/AppData/Roaming/rclone/rclone.conf",
   "C:/Users/*/.config/rclone/rclone.conf",
   "C:/ProgramData/rclone/**/rclone.conf"
])

2.2 AnyDesk — RMM abused for persistence

| Indicator | Value |
|---|---|
| Process names | AnyDesk.exe, AnyDesk-Custom.exe |
| Legit install paths | C:\Program Files (x86)\AnyDesk\, C:\Program Files\AnyDesk\ |
| Suspicious paths | %TEMP%, %APPDATA%, %PROGRAMDATA% (outside the AnyDesk\ folder), C:\Users\Public\, C:\Windows\Temp\ |
| Cmdline | --install, --silent, --start-with-win, --set-password |
| Service name | AnyDesk (auto-start) |
| Files | %PROGRAMDATA%\AnyDesk\service.conf, user.conf, ad_svc.trace, connection_trace.txt |
| Network | *.net.anydesk.com, relay-*.net.anydesk.com, ports 80/443/6568 |

MDE / KQL

DeviceProcessEvents
| where FileName =~ "anydesk.exe"
| where FolderPath !startswith @"C:\Program Files (x86)\AnyDesk"
    and FolderPath !startswith @"C:\Program Files\AnyDesk"
    and FolderPath !startswith @"C:\ProgramData\AnyDesk"
| union (
   DeviceProcessEvents
   | where FileName =~ "anydesk.exe"
        and ProcessCommandLine has_any ("--install", "--silent", "--set-password", "--start-with-win")
)
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine

SentinelOne / PowerQuery

event.category = "process" and src.process.image.path contains:anycase "anydesk.exe"
and (
   (not src.process.image.path contains:anycase "Program Files\\AnyDesk"
    and not src.process.image.path contains:anycase "Program Files (x86)\\AnyDesk")
   or src.process.cmdline matches "(?i)--(install|silent|set-password|start-with-win)"
)
| columns endpoint.name, src.process.user, src.process.image.path,
          src.process.cmdline, src.process.parent.name, src.process.publisher.name

CrowdStrike / Event Search

event_simpleName=ProcessRollup2 FileName=AnyDesk.exe
| eval bad_path=if(match(ImageFileName, "(?i)(\\\\Temp\\\\|\\\\AppData\\\\|\\\\ProgramData\\\\(?!AnyDesk)|\\\\Users\\\\Public\\\\|\\\\Windows\\\\Temp\\\\)"), 1, 0)
| search bad_path=1
   OR CommandLine="*--install*" OR CommandLine="*--silent*"
   OR CommandLine="*--set-password*" OR CommandLine="*--start-with-win*"
| table _time aid ComputerName UserName ImageFileName CommandLine ParentBaseFileName ParentCommandLine

CrowdStrike / LogScale CQL

#event_simpleName=ProcessRollup2
| FileName=/(?i)anydesk\.exe/
| (ImageFileName=/(?i)\\(Temp|AppData|Users\\Public|Windows\\Temp)\\/ 
   OR CommandLine=/(?i)--(install|silent|set-password|start-with-win)/)
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName])

Velociraptor / VQL

-- Live process from unusual path (hash computed from Exe; pslist() has no hash column)
SELECT Pid, Name, Exe, CommandLine, Username, hash(path=Exe).SHA256 AS SHA256
FROM pslist()
WHERE Name =~ "(?i)anydesk\\.exe$"
  AND NOT Exe =~ "(?i)\\\\(Program Files|Program Files \\(x86\\)|ProgramData)\\\\AnyDesk\\\\"

-- Service install (any auto-start AnyDesk service from non-standard path)
SELECT * FROM Artifact.Windows.System.Services()
WHERE Name =~ "(?i)anydesk"
  AND NOT PathName =~ "(?i)\\\\Program Files.*\\\\AnyDesk"

-- AnyDesk trace + connection log (IR gold — remote IDs, timestamps, users)
SELECT FullPath, Mtime, Size FROM glob(globs=[
   "C:/ProgramData/AnyDesk/connection_trace.txt",
   "C:/ProgramData/AnyDesk/ad_svc.trace",
   "C:/Users/*/AppData/Roaming/AnyDesk/connection_trace.txt",
   "C:/Users/*/AppData/Roaming/AnyDesk/ad.trace"
])

-- Parse connection_trace.txt for session metadata. One tab-separated line per session:
--   Direction  YYYY-MM-DD, HH:MM  Auth  RemoteID  Alias
-- Auth is User (accepted on screen), Passwd (unattended-access password) or Token (remembered
-- credential). Incoming + Passwd/Token from a RemoteID nobody recognises is the line to chase.
SELECT * FROM parse_records_with_regex(
   file="C:/ProgramData/AnyDesk/connection_trace.txt",
   regex='''(?m)^(?P<Direction>Incoming|Outgoing)\s+(?P<Time>\d{4}-\d{2}-\d{2}, \d{2}:\d{2})\s+(?P<Auth>\S+)\s+(?P<RemoteID>\d+)\s*(?P<Alias>\S*)'''
)

-- Prefetch
SELECT * FROM Artifact.Windows.Forensics.Prefetch()
WHERE Executable =~ "(?i)ANYDESK"
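The same connection_trace.txt parse done offline in Python, once the file has been collected with the glob above, as an added example that is not part of the original pack and not AnyDesk code. The line layout (Direction, "YYYY-MM-DD, HH:MM", Auth, RemoteID, Alias, tab-separated, host-local time) is the one seen in incident write-ups and is an assumption here; the sample trace is constructed. Beyond a plain parse it applies the triage rule an analyst actually wants: inbound sessions that used the unattended-access password or a stored token, or came from a remote ID that is not on the help-desk allow-list, plus a per-ID count to pivot with.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# One session per line, tab-separated:
#   Direction  YYYY-MM-DD, HH:MM  Auth  RemoteID  Alias
# Auth: User = accepted by the logged-on user, Passwd = unattended-access password,
# Token = remembered credential. Timestamps are assumed to be host-local.
LINE_RE = re.compile(
    r"^(?P<direction>Incoming|Outgoing)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2}, \d{2}:\d{2})\s+"
    r"(?P<auth>User|Passwd|Token)\s+"
    r"(?P<remote_id>\d+)\s*(?P<alias>\S*)$")


@dataclass(frozen=True)
class Session:
    direction: str
    time: datetime
    auth: str
    remote_id: str
    alias: str


def parse_trace(text: str):
    """Parse connection_trace.txt content; blank or unrecognised lines are skipped, not fatal."""
    sessions = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sessions.append(Session(
                m["direction"],
                datetime.strptime(m["time"], "%Y-%m-%d, %H:%M"),
                m["auth"], m["remote_id"], m["alias"]))
    return sessions


def triage(sessions, known_ids=frozenset()):
    """Inbound sessions worth a look: unattended-access password or stored token, or a
    remote ID not on the allow-list (only enforced when one is supplied). Also returns
    how often each remote ID connected, the pivot for checking other hosts."""
    flagged = [s for s in sessions
               if s.direction == "Incoming"
               and (s.auth != "User" or (known_ids and s.remote_id not in known_ids))]
    per_id = Counter(s.remote_id for s in sessions if s.direction == "Incoming")
    return flagged, per_id


# Constructed sample, not a real trace.
SAMPLE_TRACE = (
    "Incoming\t2024-03-11, 09:12\tUser\t123456789\thelpdesk@ad\n"
    "Incoming\t2024-03-12, 02:47\tPasswd\t987654321\t987654321\n"
    "Outgoing\t2024-03-12, 03:05\tUser\t555000111\t555000111\n"
    "Incoming\t2024-03-12, 03:20\tToken\t987654321\t987654321\n"
)

if __name__ == "__main__":
    flagged, per_id = triage(parse_trace(SAMPLE_TRACE), known_ids={"123456789"})
    for s in flagged:
        print(f"{s.time:%Y-%m-%d %H:%M} {s.direction} auth={s.auth} "
              f"remote={s.remote_id} ({per_id[s.remote_id]} inbound total)")
```

The 02:47 Passwd session and the 03:20 Token session from the same remote ID are flagged; the help-desk session is not because it was accepted by a user and the ID is allow-listed. Run the same parse over ad_svc.trace afterwards for the matching relay addresses and client versions.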

2.3 RDP — Native remote interactive

| Indicator | Value |
|---|---|
| LogonType | 10 (RemoteInteractive) |
| Tools abused | mstsc.exe /restrictedadmin, tscon.exe <sessionid> /dest:<session>, freerdp, xfreerdp |
| Lateral movement | RDP from a non-jump-host to multiple targets in a short window |
| Tampering | reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f |
| Network | Inbound 3389 from public IPs; outbound 3389 to multiple internal hosts from a single source |

MDE / KQL — Public RDP ingress

DeviceLogonEvents
| where Timestamp > ago(7d)
| where LogonType == "RemoteInteractive"
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, AccountName, RemoteIP, RemoteIPType, ActionType

MDE / KQL — tscon hijack

DeviceProcessEvents
| where FileName =~ "tscon.exe"
| where ProcessCommandLine has "/dest:"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessAccountName

MDE / KQL — RDP fan-out from one host

DeviceLogonEvents
| where LogonType == "RemoteInteractive" and Timestamp > ago(1d)
| summarize TargetCount = dcount(DeviceName), Targets = make_set(DeviceName, 50)
    by RemoteIP, AccountName, bin(Timestamp, 1h)
| where TargetCount >= 5

SentinelOne / PowerQuery — RDP logons

event.type = "Login" and event.login.type = "RemoteInteractive"
and event.login.isFailed = false
| group count() by endpoint.name, event.login.userName, src.endpoint.ip.address

SentinelOne / PowerQuery — tscon hijack

event.category = "process" and src.process.image.path contains:anycase "tscon.exe"
and src.process.cmdline contains "/dest:"
| columns endpoint.name, src.process.user, src.process.cmdline, src.process.parent.name

CrowdStrike / Event Search — RDP logons (LogonType 10)

event_simpleName=UserLogon LogonType=10
| table _time aid ComputerName UserName UserSid RemoteAddressIP4 LogonType AuthenticationPackage

CrowdStrike / Event Search — tscon hijack

event_simpleName=ProcessRollup2 FileName=tscon.exe CommandLine="*/dest:*"
| table _time aid ComputerName UserName ImageFileName CommandLine ParentBaseFileName ParentCommandLine

CrowdStrike / Event Search — RDP fan-out

event_simpleName=UserLogon LogonType=10 RemoteAddressIP4=*
| bucket _time span=1h
| stats dc(ComputerName) as Targets values(ComputerName) as TargetHosts by RemoteAddressIP4 UserName _time
| where Targets>=5

CrowdStrike / LogScale CQL

#event_simpleName=UserLogon
| LogonType=10
| RemoteAddressIP4=*
| bucket(span=1h, field=[RemoteAddressIP4, UserName],
         function=[count(ComputerName, distinct=true, as=Targets), collect([ComputerName])])
| Targets >= 5

Velociraptor / VQL

-- RDP authentication events (built-in artifact, parses TerminalServices logs)
SELECT * FROM Artifact.Windows.EventLogs.RDPAuth()

-- tscon session hijack
SELECT Pid, Name, CommandLine, Username, Exe FROM pslist()
WHERE Name =~ "(?i)tscon\\.exe" AND CommandLine =~ "/dest:"

-- RDP bitmap cache — visual recon of what attackers saw in their sessions
SELECT * FROM Artifact.Windows.Forensics.RDPCache()

-- TS Connections-disabled flag tampering
SELECT FullPath, Data FROM glob(
   globs="HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/Terminal Server/fDenyTSConnections",
   accessor="registry"
)

-- Recent inbound RDP successes: EventID 4624, LogonType 10, from the Security log.
-- parse_evtx() exposes the event ID under System.EventID.Value, not as a top-level column.
SELECT System.TimeCreated.SystemTime AS Time,
       EventData.TargetDomainName AS Domain,
       EventData.TargetUserName AS User,
       EventData.IpAddress AS SourceIP,
       EventData.LogonType AS LogonType
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624
  AND EventData.LogonType = 10
  AND NOT EventData.IpAddress IN ("-", "127.0.0.1", "::1")
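The fan-out logic from the KQL, SPL and CQL variants above, run over constructed 4624 records in Python, as an added example that is not part of the original pack. The pipe-delimited export format and the sample events are assumptions for the example. It goes one step beyond the queries: all three bucket by clock hour with bin(Timestamp, 1h) or equivalent, so a burst of six RDP hops that straddles midnight lands as three plus three and never reaches the threshold of five. A sliding window over the same events does catch it, and the block shows both results side by side.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    time: datetime
    source_ip: str
    user: str
    target: str


def parse_logons(lines):
    """Constructed export, one 4624/4625 per line:
       time|EventID|LogonType|IpAddress|TargetUserName|Computer
    Keeps successful (4624) RemoteInteractive (type 10) logons with a real source
    address, the same filter as the VQL above."""
    out = []
    for line in lines:
        t, eid, ltype, ip, user, host = line.split("|")
        if eid == "4624" and ltype == "10" and ip not in ("-", "127.0.0.1", "::1"):
            out.append(Logon(datetime.fromisoformat(t), ip, user.lower(), host.lower()))
    return out


def tumbling_hourly_max(logons):
    """Largest distinct-target count per (source, user, clock hour):
    what bin(Timestamp, 1h) / bucket _time span=1h measure."""
    buckets = defaultdict(set)
    for l in logons:
        hour = l.time.replace(minute=0, second=0, microsecond=0)
        buckets[(l.source_ip, l.user, hour)].add(l.target)
    return max((len(v) for v in buckets.values()), default=0)


def fan_out(logons, window=timedelta(hours=1), threshold=5):
    """Sliding window: for every logon, count the distinct targets the same (source, user)
    reached in the preceding `window`. The first crossing of `threshold` per pair raises one
    alert. Quadratic per pair, which is fine for the volume of a single Security log."""
    by_pair = defaultdict(list)
    for l in logons:
        by_pair[(l.source_ip, l.user)].append(l)
    alerts = []
    for (src, user), evs in by_pair.items():
        evs.sort(key=lambda e: e.time)
        for i, e in enumerate(evs):
            start = e.time - window
            targets = {x.target for x in evs[:i + 1] if x.time >= start}
            if len(targets) >= threshold:
                alerts.append({"source_ip": src, "user": user,
                               "at": e.time, "targets": sorted(targets)})
                break
    return alerts


# Constructed sample: one account hopping six servers across midnight, an admin on a
# jump host doing two, plus a network logon and a loopback logon that must be ignored.
SAMPLE_EVENTS = [
    "2024-03-11T23:40:00|4624|10|10.0.5.23|svc_backup|SRV01",
    "2024-03-11T23:48:00|4624|10|10.0.5.23|svc_backup|SRV02",
    "2024-03-11T23:55:00|4624|10|10.0.5.23|svc_backup|SRV03",
    "2024-03-12T00:05:00|4624|10|10.0.5.23|svc_backup|SRV04",
    "2024-03-12T00:12:00|4624|10|10.0.5.23|svc_backup|SRV05",
    "2024-03-12T00:20:00|4624|10|10.0.5.23|svc_backup|SRV06",
    "2024-03-12T00:21:00|4624|10|10.0.5.23|svc_backup|SRV06",
    "2024-03-12T08:00:00|4624|10|10.0.1.5|jdoe|SRV01",
    "2024-03-12T08:30:00|4624|10|10.0.1.5|jdoe|SRV02",
    "2024-03-12T08:31:00|4624|3|10.0.1.5|jdoe|SRV03",
    "2024-03-12T09:00:00|4624|10|127.0.0.1|jdoe|SRV03",
]

if __name__ == "__main__":
    logons = parse_logons(SAMPLE_EVENTS)
    print("max distinct targets in any clock hour:", tumbling_hourly_max(logons))
    for a in fan_out(logons):
        print(f"{a['source_ip']} {a['user']} reached {len(a['targets'])} hosts by {a['at']:%H:%M}: {a['targets']}")
```

On the sample the hourly bucket peaks at three and stays silent; the sliding window alerts at 00:12 with five distinct targets. If the platform cannot express a sliding window, lowering the threshold or running the hourly query with an overlapping 30-minute offset are the usual compromises.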

2.4 Cobalt Strike — Default beacon artefacts

| Indicator | Value |
|---|---|
| Named pipes (defaults) | \\.\pipe\MSSE-*, \\.\pipe\postex_*, \\.\pipe\postex_ssh_*, \\.\pipe\status_*, \\.\pipe\msagent_*, \\.\pipe\mojo.* (only when the creator is not Chrome/Edge) |
| Spawn-to defaults | rundll32.exe started with an empty command line, then parenting post-exploitation jobs |
| Sleep mask | Private RWX memory regions of 0x10000–0x40000 bytes with an MZ header inside the region |
| Stager URIs | /ca, /dpixel, /__utm.gif, /pixel.gif, /load, /IE9CompatViewList.xml |
| TLS / JA3 | 72a589da586844d7f0818ce684948eea (default Beacon Java handshake; historical) |
| Default certs (historical) | SHA1 6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C |

MDE / KQL — Named-pipe defaults

DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend Pipe = tostring(parse_json(AdditionalFields).PipeName)
// match on the pipe basename: the prefix can arrive as \\.\pipe\ or \Device\NamedPipe\ depending on how it is reported
| where Pipe matches regex @"(?i)\\(MSSE-|postex_|status_|msagent_)[^\\]*$"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, Pipe

MDE / KQL — rundll32 without cmdline spawning child

DeviceProcessEvents
| where InitiatingProcessFileName =~ "rundll32.exe"
| where isempty(InitiatingProcessCommandLine) 
     or InitiatingProcessCommandLine matches regex @"(?i)^""?[^\""\s]*rundll32(\.exe)?""?\s*$"
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine

SentinelOne / PowerQuery — named pipes

event.type = "Named Pipe Creation"
and named.pipe.name matches "(?i)\\\\\\\\\\.\\\\pipe\\\\(MSSE-|postex_|status_|msagent_)"
| columns endpoint.name, src.process.name, src.process.cmdline, named.pipe.name

SentinelOne / PowerQuery — rundll32 with empty cmdline

event.category = "process" and src.process.parent.name = "rundll32.exe"
and (src.process.parent.cmdline = "" or src.process.parent.cmdline matches "(?i)^\"?[^\\s]*rundll32(\\.exe)?\"?\\s*$")
| columns endpoint.name, src.process.parent.cmdline, src.process.name, src.process.cmdline

CrowdStrike / Event Search — default named pipes

event_simpleName IN (NamedPipeCreate, NamedPipeConnect)
| regex PipeName="(?i)\\\\\\\\\\.\\\\pipe\\\\(MSSE-|postex_|status_|msagent_)"
| table _time aid ComputerName ContextProcessId ContextBaseFileName PipeName

CrowdStrike / Event Search — empty-cmdline rundll32 spawning child

event_simpleName=ProcessRollup2 ParentBaseFileName=rundll32.exe
| regex ParentCommandLine="(?i)^\"?[^\\s]*rundll32(\\.exe)?\"?\\s*$"
| table _time aid ComputerName ImageFileName CommandLine ParentCommandLine ParentProcessId

CrowdStrike / LogScale CQL

#event_simpleName=NamedPipeCreate
| PipeName=/(?i)\\\\\.\\pipe\\(MSSE-|postex_|status_|msagent_)/
| groupBy([ComputerName, ContextBaseFileName, PipeName])

Velociraptor / VQL

-- Default named pipes (enumerate the pipe filesystem namespace)
SELECT FullPath, Mtime FROM glob(globs="\\\\.\\pipe\\*")
WHERE FullPath =~ "(?i)\\\\(MSSE-|postex_|postex_ssh_|status_|msagent_)"

-- YARA scan running process memory for Beacon hallmarks
SELECT * FROM Artifact.Windows.Detection.Yara.Process(
   YaraRule='''
rule cobalt_strike_beacon {
   strings:
      $a1 = "%c%c%c%c%c%c%c%cMSSE" ascii
      $a2 = "ReflectiveLoader" ascii
      $a3 = "beacon.dll" ascii nocase
      $a4 = { 4D 5A 41 52 55 48 89 E5 48 81 EC ?? ?? ?? ?? 48 8D 1D }
      $b1 = "/dpixel" ascii
      $b2 = "/__utm.gif" ascii
      $b3 = "IE9CompatViewList.xml" ascii
   condition: 2 of them
}
'''
)

-- rundll32 with empty / bare command-line spawning a child (Beacon spawn-to default).
-- pslist() has no Parent column; the parent is looked up by Ppid in a subquery.
SELECT Pid, Name, CommandLine, Ppid,
       { SELECT Name, CommandLine FROM pslist(pid=Ppid) } AS Parent
FROM pslist()
WHERE Parent[0].Name =~ "(?i)^rundll32\\.exe$"
  AND (Parent[0].CommandLine = "" OR Parent[0].CommandLine =~ "(?i)^\"?[^\\s]*rundll32(\\.exe)?\"?\\s*$")

-- Unbacked executable memory regions (sleep-mask, shellcode loaders): private, executable,
-- and with no backing file, enumerated with vad() per process
SELECT Pid, Name, Address, Size, Protection, MappingName
FROM foreach(row={ SELECT Pid, Name FROM pslist() },
             query={ SELECT Pid, Name, Address, Size, Protection, Type, MappingName FROM vad(pid=Pid) })
WHERE Type = "Private" AND Protection =~ "(?i)x|execute" AND MappingName = ""
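The two host-side checks from this section, default Beacon pipe names and a rundll32 parent with a bare command line, as an added Python example that is not part of the original pack. The pipe-event and process-event shapes are constructed for the example. Two details differ from the one-line regexes above, deliberately: the pipe match is on the basename with the known default suffix shapes (MSSE-<n>-server, postex_<hex>, status_<hex>, msagent_<hex>) so it works whatever prefix the sensor reports, and the rundll32 check tokenises the command line instead of regexing it, which is what makes a quoted image path containing a space still count as bare.

```python
import re

# Default Beacon pipe names from the indicator table, as basename patterns. Matching the
# basename keeps the check independent of "\\.\pipe\X" versus "\Device\NamedPipe\X".
# mojo.* is left out on purpose: Chrome/Edge create those, so it needs a creator-process check.
DEFAULT_PIPE_RE = re.compile(
    r"(?i)(?:^|\\)(MSSE-\d+-server|postex_(?:ssh_)?[0-9a-f]+|status_[0-9a-f]+|msagent_[0-9a-f]+)$")

RUNDLL32_IMAGE_RE = re.compile(r"(?i)(?:^|\\)rundll32(?:\.exe)?$")


def is_default_beacon_pipe(pipe_name: str) -> bool:
    return DEFAULT_PIPE_RE.search(pipe_name) is not None


def split_image(cmdline: str):
    """Split a Windows command line into (image, arguments), honouring a quoted image path.
    The single regex in the hunts above rejects any whitespace inside the path, so a quoted
    path with spaces is the case it misses."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s.strip('"'), ""
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return (parts[0], parts[1].strip()) if len(parts) == 2 else (s, "")


def is_bare_rundll32(parent_cmdline: str) -> bool:
    """True when the parent is rundll32.exe started with no arguments at all: Beacon's
    default spawn-to, and something legitimate software essentially never does."""
    image, args = split_image(parent_cmdline)
    return args == "" and RUNDLL32_IMAGE_RE.search(image) is not None


# Constructed sample events, not sensor output.
PIPE_EVENTS = [  # (creator process, pipe name as reported)
    ("svchost.exe", r"\Device\NamedPipe\MSSE-5821-server"),
    ("rundll32.exe", r"\\.\pipe\postex_a3f1"),
    ("chrome.exe", r"\\.\pipe\mojo.7284.1234.987654321"),
    ("rundll32.exe", r"\\.\pipe\status_1f"),
    ("spoolsv.exe", r"\\.\pipe\spoolss"),
]
PROC_EVENTS = [  # (parent command line, child image)
    ("rundll32.exe", "whoami.exe"),
    (r'"C:\Windows\System32\rundll32.exe"', "net.exe"),
    (r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", "control.exe"),
    (r"C:\Windows\System32\rundll32.exe", "cmd.exe"),
]


def triage(pipe_events, proc_events):
    pipe_hits = [(proc, name) for proc, name in pipe_events if is_default_beacon_pipe(name)]
    spawn_hits = [(parent, child) for parent, child in proc_events if is_bare_rundll32(parent)]
    return pipe_hits, spawn_hits


if __name__ == "__main__":
    pipes, spawns = triage(PIPE_EVENTS, PROC_EVENTS)
    for proc, name in pipes:
        print(f"default Beacon pipe {name} created by {proc}")
    for parent, child in spawns:
        print(f"bare rundll32 parent [{parent}] spawned {child}")
```

Three of the five pipes and three of the four parent/child pairs come back; the Control Panel launch with a DLL argument does not. Operators who set a custom spawnto or pipename in a Malleable profile defeat both checks, which is why the YARA and unbacked-memory sweeps above stay in the pack.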

2.5 ScreenConnect (ConnectWise Control)

| Indicator | Value |
|---|---|
| Process names | ScreenConnect.ClientService.exe, ScreenConnect.WindowsClient.exe, ScreenConnect.WindowsBackstageShell.exe |
| Service | ScreenConnect Client (<instance-id>) |
| Install paths | C:\Program Files (x86)\ScreenConnect Client (*)\ |
| Cmdline tells | &e=Access&y=Guest&h=<host>&p=<port>&s=<sessionid> (URL-encoded launch parameters) |
| Network | *.screenconnect.com, customer-hosted FQDNs, ports 8040/8041/443 |
| MSI drop names | ConnectWiseControl.ClientSetup.msi, ScreenConnect.ClientSetup.msi |

MDE / KQL

DeviceProcessEvents
| where FileName has_any ("ScreenConnect.ClientService.exe",
                          "ScreenConnect.WindowsClient.exe",
                          "ScreenConnect.WindowsBackstageShell.exe")
   or ProcessCommandLine has_any ("&e=Access&y=Guest", "screenconnect.com")
| project Timestamp, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine

SentinelOne / PowerQuery

event.category = "process"
and (
   src.process.image.path contains:anycase "ScreenConnect."
   or src.process.cmdline contains:anycase "screenconnect.com"
   or src.process.cmdline contains "&e=Access&y=Guest"
)
| columns endpoint.name, src.process.user, src.process.image.path, src.process.cmdline

CrowdStrike / Event Search

event_simpleName=ProcessRollup2
(FileName IN ("ScreenConnect.ClientService.exe","ScreenConnect.WindowsClient.exe","ScreenConnect.WindowsBackstageShell.exe")
 OR CommandLine="*&e=Access&y=Guest*"
 OR CommandLine="*screenconnect.com*")
| table _time aid ComputerName UserName ImageFileName CommandLine ParentBaseFileName

CrowdStrike / Event Search — DNS

event_simpleName=DnsRequest DomainName="*screenconnect.com"
| stats count values(ContextBaseFileName) as procs by DomainName ComputerName

CrowdStrike / LogScale CQL

#event_simpleName=ProcessRollup2
| FileName=/(?i)^ScreenConnect\./ 
  OR CommandLine=/(?i)(screenconnect\.com|&e=Access&y=Guest)/
| select([@timestamp, ComputerName, ImageFileName, CommandLine, ParentBaseFileName])

Velociraptor / VQL

-- Live processes
SELECT Pid, Name, Exe, CommandLine, Username FROM pslist()
WHERE Name =~ "(?i)^ScreenConnect\\."
   OR CommandLine =~ "(?i)(screenconnect\\.com|&e=Access&y=Guest)"

-- Services — one per ScreenConnect tenant instance
SELECT Name, DisplayName, PathName, StartMode, ServiceAccount
FROM Artifact.Windows.System.Services()
WHERE Name =~ "(?i)ScreenConnect Client"

-- Enumerate installed instances (each tenant ID = unique folder)
SELECT FullPath, Mtime FROM glob(globs=[
   "C:/Program Files (x86)/ScreenConnect Client (*)",
   "C:/Program Files/ScreenConnect Client (*)"
])
WHERE IsDir

-- Pull system.config, which holds the relay URL + tenant ID (IR pivot)
SELECT FullPath, read_file(filename=FullPath, length=8192) AS Body
FROM glob(globs=[
   "C:/Program Files (x86)/ScreenConnect Client (*)/system.config",
   "C:/Program Files/ScreenConnect Client (*)/system.config"
])

2.6 Atera RMM

| Indicator | Value |
|---|---|
| Process names | AteraAgent.exe, AgentPackageMonitoring.exe, AgentPackageNetworkDiscovery.exe, AgentPackageSTRemote.exe, AgentPackageADRecommendation.exe, AgentPackageAgentInformation.exe, AgentPackageTaskScheduler.exe |
| Service | AteraAgent |
| Install paths | C:\Program Files\ATERA Networks\AteraAgent\ |
| Network | *.atera.com, app.atera.com, agent-api.atera.com, pubsub.pubnub.com (Atera uses PubNub for its command channel) |
| Files | %PROGRAMDATA%\ATERA Networks\AteraAgent\AgentSettings.dat |
| Tells | Bundled with Splashtop Streamer (SRService.exe, SRManager.exe) |

MDE / KQL

DeviceProcessEvents
| where FileName has_any ("AteraAgent.exe", "AgentPackageMonitoring.exe",
                          "AgentPackageNetworkDiscovery.exe", "AgentPackageSTRemote.exe",
                          "AgentPackageTaskScheduler.exe")
| project Timestamp, DeviceName, FolderPath, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| union (
   DeviceNetworkEvents
   | where RemoteUrl has_any ("atera.com", "pubsub.pubnub.com")
   | project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
)

SentinelOne / PowerQuery

event.category = "process" and (
   src.process.image.path contains:anycase "AteraAgent"
   or src.process.image.path contains:anycase "AgentPackage"
)
or (event.category = "dns" and dns.request contains:anycase "atera.com")
| columns endpoint.name, src.process.image.path, src.process.cmdline, dns.request

CrowdStrike / Event Search

event_simpleName=ProcessRollup2
FileName IN ("AteraAgent.exe","AgentPackageMonitoring.exe","AgentPackageNetworkDiscovery.exe","AgentPackageSTRemote.exe","AgentPackageTaskScheduler.exe","AgentPackageADRecommendation.exe","AgentPackageAgentInformation.exe","SRService.exe","SRManager.exe")
| table _time aid ComputerName UserName ImageFileName CommandLine ParentBaseFileName

CrowdStrike / Event Search — DNS

event_simpleName=DnsRequest DomainName IN ("*atera.com","*pubnub.com","agent-api.atera.com")
| stats count values(ContextBaseFileName) as procs by DomainName ComputerName

CrowdStrike / LogScale CQL

#event_simpleName=ProcessRollup2
| FileName=/(?i)^(AteraAgent|AgentPackage|SRService|SRManager)/
| select([@timestamp, ComputerName, ImageFileName, CommandLine, ParentBaseFileName])

Velociraptor / VQL

-- Live processes (Atera agent + bundled Splashtop)
SELECT Pid, Name, Exe, CommandLine, Username FROM pslist()
WHERE Name =~ "(?i)^(AteraAgent|AgentPackage|SRService|SRManager)"

-- Service
SELECT Name, DisplayName, PathName, StartMode FROM Artifact.Windows.System.Services()
WHERE Name =~ "(?i)AteraAgent"

-- AgentSettings.dat — contains the Atera customer/tenant ID
SELECT FullPath, Mtime, Size FROM glob(globs=[
   "C:/ProgramData/ATERA Networks/AteraAgent/AgentSettings.dat",
   "C:/Program Files/ATERA Networks/AteraAgent/AgentSettings.dat"
])

-- Recently cached MSI packages (Windows keeps a copy of every installed MSI under
-- C:\Windows\Installer; pair large recent ones with MsiInstaller events in the Application log
-- to name the product)
SELECT FullPath, Mtime, Size FROM glob(globs="C:/Windows/Installer/*.msi")
WHERE Size > 1000000 AND Mtime > timestamp(epoch=now()-86400*30)

2.7 WinRAR — Staging archives

IndicatorValue
Process namesrar.exe, WinRAR.exe, Rar.exe (also portable)
Cmdline tellsa (add), -hp (password header), -p (password), -v (volume), -m5 (max compression), -r (recursive), -ta (after date), -x (exclude)
Output paths%TEMP%, %APPDATA%, C:\Users\Public\, C:\PerfLogs\, C:\ProgramData\
Companion toolsFrequently preceded by dir, findstr, Get-ChildItem enumeration; followed by Rclone/WinSCP/Restic

MDE / KQL

DeviceProcessEvents
| where FileName in~ ("rar.exe", "winrar.exe")
// -p\S catches the attached-password form (-pSecret); a lone "a" token is the add command
| where ProcessCommandLine matches regex @"(?i)\s(-hp|-p\S|-v\d|-m5|a\s)"
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine

SentinelOne / PowerQuery

event.category = "process"
and src.process.image.path matches "(?i)\\\\(rar|winrar)\\.exe$"
and src.process.cmdline matches "(?i)\\s(-hp|-p\\S|-v\\d|-m5|a\\s)"
| columns endpoint.name, src.process.user, src.process.cmdline, src.process.parent.cmdline

CrowdStrike / Event Search

event_simpleName=ProcessRollup2 FileName IN (rar.exe, WinRAR.exe, Rar.exe)
| regex CommandLine="(?i)\\s(-hp|-p\\S|-v\\d|-m5|a\\s)"
| table _time aid ComputerName UserName ImageFileName CommandLine ParentBaseFileName ParentCommandLine

CrowdStrike / LogScale CQL

#event_simpleName=ProcessRollup2
| FileName=/(?i)^(rar|winrar)\.exe$/
| CommandLine=/(?i)\s(-hp|-p\S|-v\d|-m5|a\s)/
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentCommandLine])

Velociraptor / VQL

-- Live archiver with suspicious flags
SELECT Pid, Name, Exe, CommandLine, Username FROM pslist()
WHERE Name =~ "(?i)^(rar|winrar)\\.exe$"
  AND CommandLine =~ "(?i)\\s(-hp|-p\\S|-v\\d|-m5|a\\s)"

-- Recently created RAR archives in common staging locations
SELECT FullPath, Mtime, Size, hash(path=FullPath).SHA256 AS SHA256
FROM glob(globs=[
   "C:/Users/Public/**/*.rar",
   "C:/Users/Public/**/*.r0?",
   "C:/Windows/Temp/**/*.rar",
   "C:/Windows/Temp/**/*.r0?",
   "C:/PerfLogs/**/*.rar",
   "C:/ProgramData/**/*.rar",
   "C:/Users/*/AppData/Local/Temp/**/*.rar"
])
WHERE Size > 1048576 AND Mtime > timestamp(epoch=now()-86400*14)

-- Prefetch (rar.exe execution history with run count and last 8 run times)
SELECT * FROM Artifact.Windows.Forensics.Prefetch()
WHERE Executable =~ "(?i)(WINRAR|^RAR)"

2.8 Restic — Backup tool abused for exfil

| Indicator | Value |
|---|---|
| Process names | restic.exe (often renamed; check PE OriginalFilename where one is present, and fall back to command line and hash, since Go-built release binaries frequently ship without a version resource) |
| Cmdline tells | restic backup, restic init, --repo, -r b2:, -r s3:, -r rest:, --no-cache, --password-file |
| Network | Backblaze B2 (*.backblazeb2.com), S3 endpoints, attacker REST server over HTTPS |
| Env vars | RESTIC_PASSWORD, RESTIC_REPOSITORY, B2_ACCOUNT_ID, B2_ACCOUNT_KEY |

MDE / KQL

DeviceProcessEvents
| where FileName =~ "restic.exe"
     or ProcessVersionInfoOriginalFileName =~ "restic"
     or ProcessCommandLine matches regex @"(?i)\brestic\s+(backup|init|snapshots|forget|prune)\b"
     or ProcessCommandLine has_any ("--repo", "RESTIC_REPOSITORY", "--password-file", "-r b2:", "-r s3:", "-r rest:")
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine

SentinelOne / PowerQuery

event.category = "process" and (
   src.process.image.path contains:anycase "restic.exe"
   or src.process.cmdline matches "(?i)\\brestic\\s+(backup|init|snapshots|forget|prune)\\b"
   or src.process.cmdline matches "(?i)(-r\\s+(b2|s3|rest):|--repo|--password-file|RESTIC_REPOSITORY)"
)
| columns endpoint.name, src.process.user, src.process.cmdline, src.process.publisher.name

CrowdStrike / Event Search

event_simpleName=ProcessRollup2
(FileName=restic.exe
 OR CommandLine="*restic backup*" OR CommandLine="*restic init*"
 OR CommandLine="*restic snapshots*" OR CommandLine="*restic forget*" OR CommandLine="*restic prune*"
 OR CommandLine="*--repo*" OR CommandLine="*RESTIC_REPOSITORY*" OR CommandLine="*--password-file*"
 OR CommandLine IN ("*-r b2:*","*-r s3:*","*-r rest:*"))
| table _time aid ComputerName UserName ImageFileName CommandLine ParentBaseFileName

CrowdStrike / LogScale CQL

#event_simpleName=ProcessRollup2
| FileName=/(?i)restic\.exe/ 
  OR CommandLine=/(?i)\brestic\s+(backup|init|snapshots|forget|prune)\b/
  OR CommandLine=/(?i)(-r\s+(b2|s3|rest):|--repo|--password-file|RESTIC_REPOSITORY)/
| select([@timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName])

Velociraptor / VQL

-- Live process. Restic takes the repo and credentials from env vars (RESTIC_REPOSITORY,
-- RESTIC_PASSWORD, B2_ACCOUNT_ID/B2_ACCOUNT_KEY, AWS_ACCESS_KEY_ID); pslist() exposes no
-- environment block, so pivot on the command line, any --password-file path and the network
-- destination instead. Hash and version info are computed from Exe because pslist() returns neither.
SELECT Pid, Name, Exe, CommandLine, Username,
       hash(path=Exe).SHA256 AS SHA256,
       parse_pe(file=Exe).VersionInformation.OriginalFilename AS OrigName
FROM pslist()
WHERE Name =~ "(?i)^restic\\.exe$"
   OR OrigName =~ "(?i)^restic"
   OR CommandLine =~ "(?i)\\brestic\\s+(backup|init|snapshots|forget|prune)\\b"
   OR CommandLine =~ "(?i)(-r\\s+(b2|s3|rest):|--repo|--password-file|RESTIC_REPOSITORY)"

-- Prefetch
SELECT * FROM Artifact.Windows.Forensics.Prefetch()
WHERE Executable =~ "(?i)RESTIC"

-- Amcache (records a SHA1 per executable, so a renamed restic.exe can still be matched by
-- hash once the SHA1s of the release builds in your IOC list are added to the WHERE clause)
SELECT * FROM Artifact.Windows.Forensics.Amcache()
WHERE Name =~ "(?i)restic"

2.9 TightVNC

| Indicator | Value |
|---|---|
| Process names | tvnserver.exe, tvnviewer.exe |
| Service | tvnserver (auto-start, runs as SYSTEM by default) |
| Install path | C:\Program Files\TightVNC\ |
| Listen port | TCP 5900 (server), 5800 (Java viewer) |
| Registry | HKLM\SOFTWARE\TightVNC\Server (Password and ControlPassword are DES-encrypted with a fixed, published key, so effectively only obfuscated) |
| Cmdline tells | -install, -silent, -controlservice, -reload |

MDE / KQL

DeviceProcessEvents
| where FileName in~ ("tvnserver.exe", "tvnviewer.exe")
   or ProcessCommandLine has_any ("tvnserver", "-controlservice", "TightVNC")
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| union (
   DeviceRegistryEvents
   | where RegistryKey has @"SOFTWARE\TightVNC\Server"
   | project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, InitiatingProcessFileName
)

SentinelOne / PowerQuery

event.category = "process" and src.process.image.path matches "(?i)\\\\(tvnserver|tvnviewer)\\.exe$"
or (event.category = "registry" and registry.keyPath contains:anycase "SOFTWARE\\TightVNC")
| columns endpoint.name, src.process.image.path, src.process.cmdline, registry.keyPath

CrowdStrike / Event Search

event_simpleName=ProcessRollup2 FileName IN (tvnserver.exe, tvnviewer.exe)
| table _time aid ComputerName UserName ImageFileName CommandLine ParentBaseFileName

CrowdStrike / Event Search — Registry

event_simpleName=RegistryOperationDetected RegObjectName="*\\SOFTWARE\\TightVNC*"
| table _time aid ComputerName ContextBaseFileName RegObjectName RegValueName RegStringValue

CrowdStrike / LogScale CQL

#event_simpleName=ProcessRollup2
| FileName=/(?i)^(tvnserver|tvnviewer)\.exe$/
| select([@timestamp, ComputerName, ImageFileName, CommandLine, ParentBaseFileName])

Velociraptor / VQL

-- Live process
SELECT Pid, Name, Exe, CommandLine FROM pslist()
WHERE Name =~ "(?i)^(tvnserver|tvnviewer)\\.exe$"

-- Service
SELECT * FROM Artifact.Windows.System.Services()
WHERE Name =~ "(?i)tvnserver"

-- Registry: pull the stored VNC passwords. They are DES-encrypted with a fixed, published key,
-- so the hex blobs decrypt offline with vncpwd or the Metasploit VNC password auxiliary module.
SELECT FullPath, Data
FROM glob(
   globs="HKEY_LOCAL_MACHINE/SOFTWARE/TightVNC/Server/*",
   accessor="registry"
)
WHERE Name IN ("Password", "ControlPassword", "RfbPort", "HttpPort")

-- Listening on VNC ports
SELECT * FROM Artifact.Windows.Network.NetstatEnriched()
WHERE Status = "LISTEN" AND Laddr.Port IN (5900, 5800)

2.10 WinSCP — Scripted exfil

| Indicator | Value |
|---|---|
| Process names | WinSCP.exe (GUI), winscp.com (CLI), WinSCPnet.dll (.NET assembly driven from PowerShell) |
| Cmdline tells | /script=, /command, open sftp://, open ftp://, open ftps://, put, synchronize, /log=, /ini=nul |
| PowerShell usage | Add-Type -Path "WinSCPnet.dll", [WinSCP.Session] |
| Files | %APPDATA%\WinSCP.ini, scripts in %TEMP% |

MDE / KQL

DeviceProcessEvents
| where FileName in~ ("winscp.exe", "winscp.com")
   or ProcessCommandLine has_any ("/script=", "/ini=nul", "open sftp://", "open ftps://", "WinSCPnet.dll", "[WinSCP.Session]")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine

SentinelOne / PowerQuery

event.category = "process" and (
   src.process.image.path matches "(?i)\\\\winscp\\.(exe|com)$"
   or src.process.cmdline matches "(?i)(/script=|/ini=nul|open\\s+(sftp|ftps?)://|WinSCPnet\\.dll|\\[WinSCP\\.Session\\])"
)
| columns endpoint.name, src.process.user, src.process.cmdline, src.process.parent.cmdline

CrowdStrike / Event Search

event_simpleName=ProcessRollup2
(FileName IN (WinSCP.exe, winscp.com)
 OR CommandLine="*/script=*" OR CommandLine="*/ini=nul*"
 OR CommandLine="*open sftp://*" OR CommandLine="*open ftps://*" OR CommandLine="*open ftp://*"
 OR CommandLine="*WinSCPnet.dll*" OR CommandLine="*[WinSCP.Session]*")
| table _time aid ComputerName UserName ImageFileName CommandLine ParentBaseFileName ParentCommandLine

CrowdStrike / LogScale CQL

#event_simpleName=ProcessRollup2
| FileName=/(?i)^winscp\.(exe|com)$/ 
  OR CommandLine=/(?i)(\/script=|\/ini=nul|open\s+(sftp|ftps?):\/\/|WinSCPnet\.dll|\[WinSCP\.Session\])/
| select([@timestamp, ComputerName, UserName, CommandLine, ParentCommandLine])

Velociraptor / VQL

-- Live process
SELECT Pid, Name, Exe, CommandLine, Username FROM pslist()
WHERE Name =~ "(?i)^winscp\\.(exe|com)$"
   OR CommandLine =~ "(?i)(/script=|/ini=nul|open\\s+(sftp|ftps?)://|WinSCPnet\\.dll|\\[WinSCP\\.Session\\])"

-- WinSCP.ini — contains saved session host/port/username (and weakly-protected stored passwords)
SELECT FullPath, Mtime, Size,
       read_file(filename=FullPath, length=16384) AS Body
FROM glob(globs=[
   "C:/Users/*/AppData/Roaming/WinSCP.ini",
   "C:/Users/*/Documents/WinSCP.ini"
])

-- Hunt for dropped WinSCP script files in temp (low-FP indicator)
SELECT FullPath, Mtime, Size,
       read_file(filename=FullPath, length=4096) AS Preview
FROM glob(globs=[
   "C:/Users/*/AppData/Local/Temp/*.txt",
   "C:/Windows/Temp/*.txt",
   "C:/Users/*/AppData/Local/Temp/*.script"
])
WHERE Preview =~ "(?i)(open\\s+(sftp|ftps?)://|put\\s+|synchronize\\s)"

2.11 Pandora RC

Indicator | Value
Process names | PandoraRC.exe, pandora_rc_agent.exe, sometimes eHorus (rebrand)
Install paths | C:\Program Files\eHorus Agent\, %PROGRAMDATA%\Pandora RC\
Service | eHorusAgent, Pandora RC Agent
Network | *.pandorafms.com, *.ehorus.com, port 18080 / 443
Files | eHorus.conf, agent.conf

MDE / KQL

DeviceProcessEvents
| where FileName has_any ("PandoraRC.exe", "pandora_rc_agent.exe", "eHorus")
   or ProcessCommandLine has_any ("pandora_rc", "ehorus", "pandorafms")
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| union (
   DeviceNetworkEvents
   | where RemoteUrl has_any ("pandorafms.com", "ehorus.com")
)

SentinelOne / PowerQuery

event.category = "process" and (
   src.process.image.path contains:anycase "PandoraRC"
   or src.process.image.path contains:anycase "ehorus"
)
or (event.category = "dns" and dns.request matches "(?i)(pandorafms|ehorus)\\.com")

CrowdStrike / Event Search

event_simpleName=ProcessRollup2
(FileName IN ("PandoraRC.exe","pandora_rc_agent.exe")
 OR ImageFileName="*\\eHorus*"
 OR CommandLine="*pandora_rc*" OR CommandLine="*ehorus*")
| table _time aid ComputerName UserName ImageFileName CommandLine ParentBaseFileName

[OR DNS:]
event_simpleName=DnsRequest DomainName IN ("*pandorafms.com","*ehorus.com")
| stats count values(ContextBaseFileName) as procs by DomainName ComputerName

CrowdStrike / LogScale CQL

#event_simpleName=ProcessRollup2
| FileName=/(?i)(pandorarc|pandora_rc_agent|ehorus)/ OR ImageFileName=/(?i)\\eHorus\\/
| select([@timestamp, ComputerName, ImageFileName, CommandLine, ParentBaseFileName])

Velociraptor / VQL

-- Live process
SELECT Pid, Name, Exe, CommandLine FROM pslist()
WHERE Name =~ "(?i)(PandoraRC|pandora_rc_agent|ehorus)"

-- Service
SELECT * FROM Artifact.Windows.System.Services()
WHERE Name =~ "(?i)(eHorus|Pandora ?RC)"

-- Config files (contains C2 server URL + agent identifier)
SELECT FullPath, Mtime, Size,
       read_file(filename=FullPath, length=8192) AS Body
FROM glob(globs=[
   "C:/Program Files/eHorus Agent/eHorus.conf",
   "C:/Program Files (x86)/eHorus Agent/eHorus.conf",
   "C:/ProgramData/Pandora RC/agent.conf",
   "C:/ProgramData/eHorus/*.conf"
])

2.12 Chisel — TCP-over-WebSocket tunnel

Indicator | Value
Process names | chisel.exe (almost always renamed; check OriginalFileName=chisel or Go build ID)
Cmdline tells | client, server, R:, --reverse, --auth, --keepalive, :443, :8080 followed by socks
Behaviour | Single process making persistent outbound 443/80 WebSocket to an unfamiliar IP/host
Source | Open-source jpillora/chisel — strings often present unmodified

MDE / KQL

DeviceProcessEvents
| where FileName =~ "chisel.exe"
     or ProcessVersionInfoOriginalFileName has "chisel"
     or ProcessCommandLine matches regex @"(?i)\b(client|server)\b.*\b(R:\d+:|socks|--reverse|--auth)\b"
| project Timestamp, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine

SentinelOne / PowerQuery

event.category = "process" and (
   src.process.image.path contains:anycase "chisel"
   or src.process.cmdline matches "(?i)\\b(client|server)\\b.*\\b(R:\\d+:|socks|--reverse|--auth)\\b"
)
| columns endpoint.name, src.process.image.path, src.process.cmdline, src.process.publisher.name

CrowdStrike / Event Search

event_simpleName=ProcessRollup2
(FileName=chisel.exe
 OR ImageFileName="*\\chisel*"
 OR (CommandLine="*client*" AND (CommandLine="* R:*" OR CommandLine="*socks*"))
 OR (CommandLine="*--reverse*" AND CommandLine="*--auth*"))
| regex CommandLine="(?i)\\b(client|server)\\b.*\\b(R:\\d+:|socks|--reverse|--auth)\\b"
| table _time aid ComputerName UserName ImageFileName CommandLine ParentBaseFileName SHA256HashData

CrowdStrike / LogScale CQL

#event_simpleName=ProcessRollup2
| FileName=/(?i)chisel/ 
  OR CommandLine=/(?i)\b(client|server)\b.*\b(R:\d+:|socks|--reverse|--auth)\b/
| select([@timestamp, ComputerName, ImageFileName, CommandLine, ParentBaseFileName, SHA256HashData])

Velociraptor / VQL

-- Live process (catches renamed Chisel via PE metadata + Go binary characteristics)
-- pslist() itself returns no hash or PE version fields; hash() and parse_pe() supply them.
-- VersionInformation carries OriginalFilename, CompanyName and FileDescription.
SELECT Pid, Name, Exe, CommandLine, Username,
       hash(path=Exe).SHA256 AS SHA256,
       parse_pe(file=Exe).VersionInformation AS VersionInformation
FROM pslist()
WHERE Name =~ "(?i)chisel"
   OR lowcase(string=VersionInformation.OriginalFilename) = "chisel"
   OR CommandLine =~ "(?i)\\b(client|server)\\b.*\\b(R:\\d+:|socks|--reverse|--auth)\\b"

-- YARA scan of running processes for unmodified Chisel string constants
SELECT * FROM Artifact.Windows.Detection.Yara.Process(
   Yara='''
rule chisel_tunnel {
   strings:
      $a1 = "github.com/jpillora/chisel" ascii
      $a2 = "chisel client" ascii
      $a3 = "Reverse tunnelling" ascii
      $a4 = "Fingerprint" ascii wide
      $a5 = "PROXY/1.0" ascii
      $a6 = "/chisel/v1" ascii
   condition: 2 of them
}
'''
)

-- Outbound long-lived connections from suspicious binaries on web ports
SELECT Hostname, Process.Name AS Proc, Process.Pid AS Pid,
       Laddr.IP AS LocalIP, Raddr.IP AS RemoteIP, Raddr.Port AS RPort, Status
FROM Artifact.Windows.Network.NetstatEnriched()
WHERE Status = "ESTAB"
  AND Raddr.Port IN (443, 80, 8080, 8443)
  AND (Process.Name =~ "(?i)chisel"
       OR Process.Exe =~ "(?i)\\\\(Temp|AppData|ProgramData|Users\\\\Public)\\\\[^\\\\]+\\.exe$")

3 — Consolidated / Meta Hunts

3.1 MDE — Any-of-the-above process (single sweep)

let SuspectFiles = dynamic([
    "rclone.exe","anydesk.exe","screenconnect.clientservice.exe","screenconnect.windowsclient.exe",
    "ateraagent.exe","agentpackagemonitoring.exe","agentpackagenetworkdiscovery.exe","agentpackagestremote.exe",
    "rar.exe","winrar.exe","restic.exe","tvnserver.exe","tvnviewer.exe",
    "winscp.exe","winscp.com","pandorarc.exe","ehorus.exe","chisel.exe","tscon.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(14d)
| where tolower(FileName) in (SuspectFiles)
     or tolower(ProcessVersionInfoOriginalFileName) in (SuspectFiles)
| summarize Count = count(), Devices = make_set(DeviceName, 100),
            Users = make_set(AccountName, 50), Cmdlines = make_set(ProcessCommandLine, 20)
            by FileName = tolower(FileName)
| order by Count desc

3.2 MDE — Cloud / RMM beacon traffic

let SuspectDomains = dynamic([
    "anydesk.com","screenconnect.com","atera.com","pubnub.com","pandorafms.com","ehorus.com",
    "mega.nz","mega.co.nz","pcloud.com","backblazeb2.com","mediafire.com","koofr.net"
]);
DeviceNetworkEvents
| where Timestamp > ago(14d)
| where RemoteUrl has_any (SuspectDomains)
| summarize Hits = count(), Devices = make_set(DeviceName, 50),
            Procs = make_set(InitiatingProcessFileName, 30) by RemoteUrl
| order by Hits desc

3.3 MDE — Renamed-binary hunt (PE OriginalFileName mismatch)

DeviceProcessEvents
| where Timestamp > ago(14d)
| where isnotempty(ProcessVersionInfoOriginalFileName)
| where tolower(ProcessVersionInfoOriginalFileName) in 
    ("rclone.exe","restic","chisel","rar.exe","winscp.exe","anydesk.exe")
| where tolower(FileName) != tolower(ProcessVersionInfoOriginalFileName)
| project Timestamp, DeviceName, FileName, ProcessVersionInfoOriginalFileName,
          FolderPath, ProcessCommandLine, SHA256

3.4 SentinelOne — Any-of-the-above process

event.category = "process" and event.type = "Process Creation"
and (
   src.process.image.path matches "(?i)\\\\(rclone|anydesk|screenconnect\\.|ateraagent|agentpackage|rar|winrar|restic|tvnserver|tvnviewer|winscp|pandorarc|ehorus|chisel|tscon)\\.(exe|com)$"
   or src.process.publisher.name in:anycase ("AnyDesk Software GmbH","Connectwise, LLC","ATERA NETWORKS LTD","TightVNC Software","Martin Prikryl")
)
| group count = count() by endpoint.name, src.process.image.path, src.process.user
| sort - count

3.5 SentinelOne — Renamed binaries by publisher / OriginalFileName

event.category = "process"
and src.process.verifiedSigner = "true"
and src.process.publisher.name in:anycase ("AnyDesk Software GmbH","Connectwise, LLC","ATERA NETWORKS LTD")
and not src.process.image.path contains:anycase src.process.publisher.name
| columns endpoint.name, src.process.image.path, src.process.publisher.name, src.process.cmdline

3.6 SentinelOne — Beaconing DNS

event.category = "dns"
and dns.request matches "(?i)(anydesk|screenconnect|atera|pubnub|pandorafms|ehorus|mega\\.nz|mega\\.co\\.nz|pcloud|backblazeb2|mediafire|koofr)\\."
| group hits = count() by endpoint.name, dns.request, src.process.image.path
| sort - hits

3.7 CrowdStrike / Event Search — Any-of-the-above process

event_simpleName=ProcessRollup2
FileName IN ("rclone.exe","AnyDesk.exe","ScreenConnect.ClientService.exe","ScreenConnect.WindowsClient.exe","ScreenConnect.WindowsBackstageShell.exe",
             "AteraAgent.exe","AgentPackageMonitoring.exe","AgentPackageNetworkDiscovery.exe","AgentPackageSTRemote.exe","AgentPackageTaskScheduler.exe",
             "rar.exe","WinRAR.exe","Rar.exe","restic.exe","tvnserver.exe","tvnviewer.exe",
             "WinSCP.exe","winscp.com","PandoraRC.exe","pandora_rc_agent.exe","chisel.exe","tscon.exe")
| stats count dc(ComputerName) as Hosts values(ComputerName) as HostList values(UserName) as Users values(CommandLine) as Cmdlines by FileName
| sort -count

3.8 CrowdStrike / Event Search — Beaconing DNS

event_simpleName=DnsRequest
DomainName IN ("*anydesk.com","*screenconnect.com","*atera.com","*pubnub.com","*pandorafms.com","*ehorus.com",
               "*mega.nz","*mega.co.nz","*pcloud.com","*backblazeb2.com","*mediafire.com","*koofr.net")
| stats count dc(ComputerName) as Hosts values(ComputerName) as HostList values(ContextBaseFileName) as Procs by DomainName
| sort -count

3.9 CrowdStrike / Event Search — Renamed-binary hunt (no OriginalFileName surface)

event_simpleName=ProcessRollup2 ImageSubsystem=*
| eval suspicious_size=if((FileSize>5000000 AND FileSize<60000000), 1, 0)
| where suspicious_size=1
| where (isnull(CompanyName) OR CompanyName="") AND (isnull(FileDescription) OR FileDescription="")
| table _time aid ComputerName ImageFileName FileSize CompanyName FileDescription SHA256HashData CommandLine

(CrowdStrike does not surface PE OriginalFileName natively in Event Search — use the absence of CompanyName/FileDescription + Go binary size profile, then pivot SHA256 in IOC Management or third-party tools.)

3.10 CrowdStrike / LogScale CQL — Any-of-the-above process

#event_simpleName=ProcessRollup2
| FileName=/(?i)^(rclone|anydesk|screenconnect\.|ateraagent|agentpackage|rar|winrar|restic|tvnserver|tvnviewer|winscp|pandorarc|pandora_rc_agent|ehorus|chisel|tscon)\.(exe|com)$/
| groupBy([FileName], function=[count(), collect([ComputerName, UserName, CommandLine], limit=20)])
| sort(_count, order=desc)

3.11 CrowdStrike / LogScale CQL — RMM/cloud beacon DNS

#event_simpleName=DnsRequest
| DomainName=/(?i)(anydesk|screenconnect|atera|pubnub|pandorafms|ehorus|mega\.(nz|co\.nz)|pcloud|backblazeb2|mediafire|koofr)\./
| groupBy([DomainName], function=[count(), collect_distinct(ComputerName), collect_distinct(ContextBaseFileName)])
| sort(_count, order=desc)

3.12 Velociraptor — Fleet-wide live process sweep

LET tools = ("rclone.exe","anydesk.exe","screenconnect.clientservice.exe","screenconnect.windowsclient.exe",
             "ateraagent.exe","agentpackagemonitoring.exe","agentpackagenetworkdiscovery.exe","agentpackagestremote.exe",
             "rar.exe","winrar.exe","restic.exe","tvnserver.exe","tvnviewer.exe",
             "winscp.exe","winscp.com","pandorarc.exe","ehorus.exe","chisel.exe","tscon.exe")

-- pslist() itself returns no hash or PE version fields; hash() and parse_pe() supply them
SELECT Pid, Name, Exe, CommandLine, Username,
       hash(path=Exe).SHA256 AS SHA256,
       parse_pe(file=Exe).VersionInformation AS VersionInformation
FROM pslist()
WHERE lowcase(string=Name) IN tools
   OR lowcase(string=VersionInformation.OriginalFilename) IN tools

3.13 Velociraptor — Prefetch sweep (historical execution, ~30-day window)

SELECT * FROM Artifact.Windows.Forensics.Prefetch()
WHERE Executable =~ "(?i)^(RCLONE|ANYDESK|SCREENCONNECT|ATERAAGENT|AGENTPACKAGE|WINRAR|RAR|RESTIC|TVNSERVER|TVNVIEWER|WINSCP|PANDORARC|EHORUS|CHISEL|TSCON)"

3.14 Velociraptor — Amcache (binaries ever run, with SHA1 for hash pivot)

SELECT * FROM Artifact.Windows.Forensics.Amcache()
WHERE Name =~ "(?i)(rclone|anydesk|screenconnect|ateraagent|agentpackage|rar|winrar|restic|tvnserver|tvnviewer|winscp|pandorarc|ehorus|chisel)"

3.15 Velociraptor — Renamed-binary hunt via PE metadata

LET targets = ("rclone.exe", "restic", "chisel", "rar.exe", "winscp.exe", "anydesk.exe")

-- Flag processes whose on-disk name differs from the PE OriginalFilename
SELECT Pid, Name, Exe, CommandLine, Username,
       hash(path=Exe).SHA256 AS SHA256,
       parse_pe(file=Exe).VersionInformation AS VersionInformation
FROM pslist()
WHERE lowcase(string=VersionInformation.OriginalFilename) IN targets
  AND lowcase(string=Name) != lowcase(string=VersionInformation.OriginalFilename)

3.16 Velociraptor — Combined YARA hunt across all process memory

SELECT * FROM Artifact.Windows.Detection.Yara.Process(
   Yara='''
rule ransomware_tooling_combined {
   strings:
      $rclone1 = "rclone.org" ascii
      $rclone2 = "configure your remote" ascii
      $restic1 = "github.com/restic/restic" ascii
      $restic2 = "restic.repository" ascii
      $chisel1 = "github.com/jpillora/chisel" ascii
      $chisel2 = "Reverse tunnelling" ascii
      $cs1 = "%c%c%c%c%c%c%c%cMSSE" ascii
      $cs2 = "ReflectiveLoader" ascii
      $cs3 = { 4D 5A 41 52 55 48 89 E5 48 81 EC }
      $anydesk1 = "AnyDesk Software" wide
      $screenconnect1 = "ScreenConnect.ClientService" ascii
   condition: any of them
}
'''
)

3.17 Velociraptor — Network-side hunt (active connections / listeners)

SELECT Hostname, Process.Name AS Proc, Process.Pid AS Pid,
       Laddr.IP AS LocalIP, Laddr.Port AS LPort,
       Raddr.IP AS RemoteIP, Raddr.Port AS RPort, Status
FROM Artifact.Windows.Network.NetstatEnriched()
WHERE Status IN ("LISTEN", "ESTAB")
  AND (
     Laddr.Port IN (5900, 5800, 8040, 8041, 18080)
     OR Raddr.Port IN (6568, 18080)
     OR Process.Name =~ "(?i)(rclone|anydesk|screenconnect|atera|winscp|restic|chisel|tvnserver|pandorarc|ehorus)"
  )

4 — Suggested Detection Logic (high-signal combos)

Combo | Logic | Confidence
WinRAR + Rclone within 60 min on same host | Stage → exfil sequence | High
AnyDesk install from %TEMP% or %APPDATA%, parent = browser/script | Drop-and-run RAT | High
tscon.exe /dest: from non-admin account | Session hijack | High
Restic init to public IP REST/S3/B2 endpoint | Adversary-controlled repo | High
Chisel client R: cmdline | Reverse tunnel | Critical
ScreenConnect from non-corporate tenant ID | Rogue MSP / abuse | High
Atera install outside change-window from non-admin | Likely intrusion | Medium-High
RDP fan-out: one src → ≥5 dst within 1h | Lateral movement | High
Cobalt Strike default named pipe pattern | Beacon | Critical
WinSCP /script= with open sftp:// to public IP | Scripted exfil | High
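The first combo (WinRAR then Rclone within 60 min on one host) and the RDP fan-out combo from the table above, implemented as an added Python example over a constructed event stream. This is not code from the post; its flat field names (host, ts, file, src, dst, logon_type) are this example's own assumptions, not any vendor schema.

```python
# Added example, not from the original post: two of the high-signal combos run
# over constructed events. Field names are this example's own flat schema.
from collections import defaultdict
from datetime import datetime, timedelta

STAGE_TOOLS = {"rar.exe", "winrar.exe"}   # archiver = staging step
EXFIL_TOOLS = {"rclone.exe"}              # cloud exfil step


def _ts(s):
    return datetime.fromisoformat(s)


def stage_then_exfil(events, window=timedelta(minutes=60)):
    """Combo: WinRAR followed by Rclone on the same host within `window`.
    Returns [(host, stage_ts, exfil_ts)], pairing each rclone launch with the
    most recent archiver run that precedes it inside the window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((_ts(e["ts"]), e["file"].lower()))
    hits = []
    for host, evs in by_host.items():
        evs.sort()
        for t, name in evs:
            if name not in EXFIL_TOOLS:
                continue
            prior = [s for s, n in evs
                     if n in STAGE_TOOLS and timedelta(0) <= t - s <= window]
            if prior:
                hits.append((host, max(prior), t))
    return hits


def rdp_fan_out(logons, threshold=5, window=timedelta(hours=1)):
    """Combo: one RDP source (LogonType 10) reaching >= `threshold` distinct
    destinations inside any sliding window of `window`. Returns {src: dsts}."""
    by_src = defaultdict(list)
    for l in logons:
        if int(l["logon_type"]) == 10:            # RemoteInteractive only
            by_src[l["src"]].append((_ts(l["ts"]), l["dst"]))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        best = set()
        for i, (t0, _) in enumerate(evs):         # window anchored on each logon
            dsts = {d for t, d in evs[i:] if t - t0 <= window}
            if len(dsts) > len(best):
                best = dsts
        if len(best) >= threshold:
            flagged[src] = sorted(best)
    return flagged


# Constructed sample data (not real telemetry)
PROCESS_EVENTS = [
    {"host": "WS01", "ts": "2026-05-01T10:00:00", "file": "Rar.exe"},
    {"host": "WS01", "ts": "2026-05-01T10:42:00", "file": "rclone.exe"},  # 42 min later: hit
    {"host": "WS02", "ts": "2026-05-01T09:00:00", "file": "WinRAR.exe"},
    {"host": "WS02", "ts": "2026-05-01T11:30:00", "file": "rclone.exe"},  # 150 min later: no hit
    {"host": "WS03", "ts": "2026-05-01T12:00:00", "file": "rclone.exe"},  # no archiver: no hit
]
RDP_LOGONS = (
    [{"src": "10.0.5.20", "dst": f"SRV0{i}", "ts": f"2026-05-01T02:{i * 8:02d}:00",
      "logon_type": 10} for i in range(1, 6)]                # 5 hosts in 40 min: hit
    + [{"src": "10.0.5.20", "dst": "SRV09", "ts": "2026-05-01T02:50:00",
        "logon_type": 3}]                                    # network logon: ignored
    + [{"src": "10.0.7.7", "dst": f"FS0{i}", "ts": f"2026-05-01T0{i}:00:00",
        "logon_type": 10} for i in range(1, 6)]              # 5 hosts over 4 h: no hit
)

if __name__ == "__main__":
    print(stage_then_exfil(PROCESS_EVENTS))
    print(rdp_fan_out(RDP_LOGONS))
```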

5 — Tuning Notes

Topic | Note
Allow-list IT-sanctioned RMM | Maintain a table of authorised tenants (ScreenConnect instance IDs, Atera customer IDs, AnyDesk License IDs). Alert on any other.
RDP baselining | Build a known jump-host list; suppress matches where source ∈ jump-host list.
Cobalt Strike defaults | Mature actors customise pipes via Malleable C2 — these queries catch lazy operators; pair with sleep-mask / unbacked-RWX memory hunts.
Renamed binaries — MDE | ProcessVersionInfoOriginalFileName is the highest-fidelity signal for renamed Rclone/Restic/Chisel/WinSCP.
Renamed binaries — S1 | Use src.process.publisher.name + image path mismatch.
Renamed binaries — CrowdStrike | Event Search does not expose PE OriginalFileName; pivot on missing CompanyName/FileDescription, Go binary size profile (5–60 MB single-file), and SHA256 IOC import.
Renamed binaries — Velociraptor | pslist() exposes VersionInformation.OriginalFilename directly — the cleanest signal of the four platforms (§3.15).
AnyDesk customer-id binaries | Custom-built AnyDesk MSIs carry the operator’s licence ID in the binary; collect and pivot in IR.
Public-IP RDP | If exposed legitimately (which you should challenge), suppress on known admin source ranges only.
WinRAR upgrade | Post-CVE-2023-38831, also alert on rar.exe spawning from email-client / archive-viewer parent.
CrowdStrike retention | Event Search default look-back is 7 days; for the 14–30 day windows in the meta-hunts use LogScale / NG-SIEM.
Velociraptor hunt model | Collection-based, not streaming — schedule §3.12–3.17 as hunts and review aggregated results. Best for thorough sweeps + IR; not real-time alerting. The packaged artifact in §8 runs everything in one collection.

6 — MITRE ATT&CK Mapping (quick)

Tool | Tactic | Technique
Rclone, Restic, WinSCP | Exfiltration | T1567.002 (Exfil to Cloud Storage), T1048 (Exfil over Alt Protocol)
AnyDesk, ScreenConnect, Atera, TightVNC, Pandora RC | C2 / Persistence | T1219 (Remote Access Software)
RDP, tscon | Lateral Movement | T1021.001 (RDP), T1563.002 (RDP Hijack)
Cobalt Strike | C2 | T1071, T1055, T1573
WinRAR | Collection | T1560.001 (Archive via Utility)
Chisel | C2 / Tunneling | T1572 (Protocol Tunneling)

7 — Platform Field Quick-Reference

CrowdStrike

Concept | Event Search field | LogScale CQL field
Event type filter | event_simpleName=ProcessRollup2 | #event_simpleName=ProcessRollup2
Process name (leaf) | FileName | FileName
Full image path | ImageFileName | ImageFileName
Command line | CommandLine | CommandLine
Parent process name | ParentBaseFileName | ParentBaseFileName
Parent command line | ParentCommandLine | ParentCommandLine
Host | ComputerName, aid | ComputerName, aid
User | UserName, UserSid | UserName
File hash | SHA256HashData, MD5HashData | SHA256HashData
Network — remote IP | RemoteAddressIP4 | RemoteAddressIP4
Network — DNS | event_simpleName=DnsRequest, DomainName | #event_simpleName=DnsRequest, DomainName
Named pipe | event_simpleName=NamedPipeCreate, PipeName | #event_simpleName=NamedPipeCreate, PipeName
Logon | event_simpleName=UserLogon, LogonType | #event_simpleName=UserLogon, LogonType
Registry | event_simpleName=RegistryOperationDetected, RegObjectName, RegValueName | same

Velociraptor

Concept | VQL primitive
Process list | pslist() plugin
Process fields | Name, Pid, Ppid, Exe, CommandLine, Username, Hash.SHA256, VersionInformation.OriginalFilename, VersionInformation.CompanyName, Env.<VAR>, Parent.Name, Parent.CommandLine
File search | glob(globs=["..."]) plugin — fields FullPath, Mtime, Atime, Ctime, Size, IsDir
Registry | glob(globs="...", accessor="registry"); fields Data, FullPath, Name
Event log parsing | parse_evtx(filename="...") or Artifact.Windows.EventLogs.*
YARA — process memory | Artifact.Windows.Detection.Yara.Process(Yara="...")
YARA — files | Artifact.Windows.Detection.Yara.Glob(Yara="...", GlobExpression="...")
Prefetch | Artifact.Windows.Forensics.Prefetch()
Amcache | Artifact.Windows.Forensics.Amcache()
RDP bitmap cache | Artifact.Windows.Forensics.RDPCache()
RDP auth events | Artifact.Windows.EventLogs.RDPAuth()
Services | Artifact.Windows.System.Services()
Network/Netstat | Artifact.Windows.Network.NetstatEnriched()
Read file content | read_file(filename="...", length=N)
Regex match | =~ operator (PCRE)
Set membership | IN operator

Equivalent event names exist on macOS/Linux Falcon sensors (ProcessRollup2 is cross-platform; RegistryOperationDetected is Windows-only). Velociraptor has corresponding macOS/Linux artifacts under MacOS.* and Linux.* namespaces.


8 — Velociraptor Packaged Hunt Artifact

Drop the YAML below into the Velociraptor server (Artifacts → Add artifact) and schedule it as a hunt against the Windows fleet. Returns six result sources covering live state + forensic execution history in a single collection.

name: Custom.Hunt.RansomwareTooling
description: |
  Fleet hunt for the 12 tools commonly seen in human-operated ransomware
  intrusions (Akira, BlackBasta, LockBit, Play, Royal, RagnarLocker, etc.):
  Rclone, AnyDesk, RDP/tscon, Cobalt Strike, ScreenConnect, Atera, WinRAR,
  Restic, TightVNC, WinSCP, Pandora RC, Chisel.

  Combines live process inspection, Prefetch, Amcache, Services,
  named-pipe enumeration, and the AnyDesk connection_trace into one
  collection.

author: SOC / PPM
type: CLIENT

parameters:
  - name: ProcessNames
    type: csv
    default: |
      Name
      rclone.exe
      anydesk.exe
      screenconnect.clientservice.exe
      screenconnect.windowsclient.exe
      ateraagent.exe
      agentpackagemonitoring.exe
      agentpackagenetworkdiscovery.exe
      agentpackagestremote.exe
      rar.exe
      winrar.exe
      restic.exe
      tvnserver.exe
      tvnviewer.exe
      winscp.exe
      winscp.com
      pandorarc.exe
      ehorus.exe
      chisel.exe
      tscon.exe

  - name: PrefetchRegex
    default: "(?i)^(RCLONE|ANYDESK|SCREENCONNECT|ATERAAGENT|AGENTPACKAGE|WINRAR|RAR|RESTIC|TVNSERVER|TVNVIEWER|WINSCP|PANDORARC|EHORUS|CHISEL|TSCON)"

sources:
  - name: LiveProcesses
    query: |
      LET names <= SELECT lowcase(string=Name) AS n FROM ProcessNames

      -- pslist() itself returns no hash or PE version fields; hash() and parse_pe() supply them
      SELECT Pid, Ppid, Name, Exe, CommandLine, Username,
             hash(path=Exe).SHA256 AS SHA256,
             parse_pe(file=Exe).VersionInformation AS VersionInformation,
             Parent.Name AS ParentName,
             Parent.CommandLine AS ParentCmd
      FROM pslist()
      WHERE lowcase(string=Name) IN names.n
         OR lowcase(string=VersionInformation.OriginalFilename) IN names.n
         OR CommandLine =~ "(?i)\\b(mega|pcloud|b2|s3|gdrive|ftp|dropbox|mediafire|koofr|yandex):"
         OR CommandLine =~ "(?i)\\b(client|server)\\b.*\\b(R:\\d+:|socks|--reverse|--auth)\\b"

  - name: RenamedBinaries
    query: |
      LET targets = ("rclone.exe", "restic", "chisel", "rar.exe",
                     "winscp.exe", "anydesk.exe")

      -- On-disk name differs from the PE OriginalFilename of a known tool
      SELECT Pid, Name, Exe, CommandLine, Username,
             hash(path=Exe).SHA256 AS SHA256,
             parse_pe(file=Exe).VersionInformation AS VersionInformation
      FROM pslist()
      WHERE lowcase(string=VersionInformation.OriginalFilename) IN targets
        AND lowcase(string=Name) != lowcase(string=VersionInformation.OriginalFilename)

  - name: PrefetchHistory
    query: |
      SELECT * FROM Artifact.Windows.Forensics.Prefetch()
      WHERE Executable =~ PrefetchRegex

  - name: AmcacheHistory
    query: |
      SELECT * FROM Artifact.Windows.Forensics.Amcache()
      WHERE Name =~ "(?i)(rclone|anydesk|screenconnect|ateraagent|agentpackage|rar|winrar|restic|tvnserver|tvnviewer|winscp|pandorarc|ehorus|chisel)"

  - name: SuspiciousServices
    query: |
      SELECT Name, DisplayName, PathName, StartMode, ServiceAccount, State
      FROM Artifact.Windows.System.Services()
      WHERE Name =~ "(?i)(anydesk|screenconnect|ateraagent|tvnserver|ehorus|pandora ?rc)"
         OR PathName =~ "(?i)\\\\(Temp|AppData|Users\\\\Public|ProgramData)\\\\[^\\\\]+\\.exe"

  - name: CobaltStrikePipes
    query: |
      SELECT FullPath, Mtime FROM glob(globs="\\\\.\\pipe\\*")
      WHERE FullPath =~ "(?i)\\\\(MSSE-|postex_|postex_ssh_|status_|msagent_)"

  - name: AnyDeskTrace
    query: |
      SELECT FullPath, Mtime, Size,
             read_file(filename=FullPath, length=16384) AS Body
      FROM glob(globs=[
         "C:/ProgramData/AnyDesk/connection_trace.txt",
         "C:/ProgramData/AnyDesk/ad_svc.trace",
         "C:/Users/*/AppData/Roaming/AnyDesk/connection_trace.txt"
      ])

  - name: WinRARArchivesStaged
    query: |
      SELECT FullPath, Mtime, Size, hash(path=FullPath).SHA256 AS SHA256
      FROM glob(globs=[
         "C:/Users/Public/**/*.rar",
         "C:/Users/Public/**/*.r0?",
         "C:/Windows/Temp/**/*.rar",
         "C:/PerfLogs/**/*.rar",
         "C:/ProgramData/**/*.rar"
      ])
      WHERE Size > 1048576
        AND Mtime > timestamp(epoch=now()-86400*14)

  - name: NetworkSuspectConnections
    query: |
      SELECT Hostname, Process.Name AS Proc, Process.Pid AS Pid,
             Laddr.IP AS LocalIP, Laddr.Port AS LPort,
             Raddr.IP AS RemoteIP, Raddr.Port AS RPort, Status
      FROM Artifact.Windows.Network.NetstatEnriched()
      WHERE Status IN ("LISTEN", "ESTAB")
        AND (
           Laddr.Port IN (5900, 5800, 8040, 8041, 18080)
           OR Process.Name =~ "(?i)(rclone|anydesk|screenconnect|atera|winscp|restic|chisel|tvnserver|pandorarc|ehorus)"
        )

Save as Custom.Hunt.RansomwareTooling, then Hunt Manager → New Hunt → Artifacts → Custom.Hunt.RansomwareTooling → Launch. Review each result source independently — RenamedBinaries and CobaltStrikePipes are the lowest-FP sources and warrant immediate IR triage on any hit.
