Microsoft Windows Routing and Remote Access Service Remote Code Execution Vulnerabilities (KB508497)

Report Type

Vulnerability Intelligence Assessment

Threat Category

Remote Code Execution / Remote Access Infrastructure Exploitation

Assessment Date

March 15, 2026

Primary Impact Domain

Enterprise Remote Access Infrastructure and Network Perimeter Security

BLUF

Organizations operating Windows Routing and Remote Access Service infrastructure that is reachable from external networks face elevated enterprise risk because exploitation of these vulnerabilities could allow attackers to execute code on trusted remote-access gateway systems that provide connectivity between external users and internal networks. The vulnerabilities originate from memory-handling weaknesses within RRAS network request processing that may allow specially crafted network traffic to trigger unsafe service behavior. Public vulnerability records describe the issues as remotely exploitable within RRAS components, although currently available reporting has not confirmed active exploitation campaigns associated with these vulnerabilities at the time of this assessment. Security leadership should ensure affected systems are patched immediately and increase monitoring of gateway systems until remediation is verified.

S2A Executive Risk Translation

Compromise of an RRAS gateway could allow attackers to obtain a trusted internal foothold that may enable credential theft, lateral movement, and further compromise of enterprise systems.

S3 Why This Matters Now

Remote-access infrastructure is essential for modern enterprise operations because it enables employees, administrators, and partners to securely connect to internal systems from external networks. Systems providing this functionality often maintain trusted connectivity to authentication infrastructure and internal enterprise services. Vulnerabilities affecting these systems introduce concentrated risk because compromise of a single gateway can create access pathways into multiple internal environments. Prompt remediation significantly reduces the likelihood that attackers could leverage such systems as entry points.

S4 Key Judgments

•           RRAS gateway systems represent high-value initial access targets because they function as trusted remote-access infrastructure brokering authenticated connectivity between external networks and internal enterprise resources.

•           Vulnerabilities affecting externally reachable services frequently attract exploit development once technical details become publicly analyzed.

•           Even a small number of vulnerable gateway systems can create disproportionate organizational risk because they bridge external connectivity and internal networks.

•           Monitoring for abnormal service execution and unusual outbound network activity on gateway systems provides early indicators of potential compromise.

S5 Executive Risk Summary

Organizations exposing RRAS services to external networks face elevated operational risk if the relevant security updates have not yet been applied. Gateway systems commonly maintain connectivity to authentication infrastructure, administrative networks, and internal applications, meaning compromise could provide attackers with a direct foothold inside enterprise environments. Because these systems operate as trusted access points, exploitation could allow attackers to bypass traditional perimeter security controls. Ensuring that RRAS gateway systems are patched and actively monitored significantly reduces the likelihood that attackers could leverage these vulnerabilities for internal network access.

S5A Estimated Probability of Recurrence (12-Month Horizon)

Estimated probability of exploitation attempt
Moderate probability band (25–50 percent)

Drivers influencing probability

·       Exposure of remote-access gateway services to external networks

·       High attacker value associated with gateway compromise for initial access

·       Potential exploit development following vulnerability disclosure

Factors reducing probability

·       Limited prevalence of RRAS compared with many other Windows services

·       Rapid remediation by organizations with mature vulnerability management programs

S6 Executive Cost Summary

Estimated financial exposure associated with compromise of remote-access gateway infrastructure varies depending on attacker objectives and the scope of internal network access obtained.

For organizations affected by RRAS vulnerabilities

Low impact scenario

·       Estimated range: $50,000 – $250,000

·       Limited disruption affecting remote-access operations

·       Investigation validating patch status and system integrity

Moderate impact scenario

·       Estimated range: $250,000 – $1,500,000

·       Security incident response investigation and containment

·       Gateway infrastructure rebuild and credential reset activities

·       Internal network validation to confirm absence of lateral movement

High impact scenario

·       Estimated range: $1,500,000 – $7,000,000

·       Enterprise-wide incident response if attackers move beyond gateway systems

·       Extended disruption of remote-access services

·       Infrastructure restoration and incident recovery costs

Key Cost Drivers

·       Time required to detect gateway compromise

·       Level of internal network access obtained by attackers

·       Scope of infrastructure requiring investigation and remediation

Estimated Annualized Risk Exposure

·       Moderate exposure band reflecting the combination of the estimated 25–50 percent exploitation attempt probability and the potential operational impact associated with gateway compromise.

Control Effectiveness Context

·       Rapid deployment and validation of vendor security updates significantly reduces the likelihood that these vulnerabilities could be leveraged for gateway compromise.

Risk Register Entry

·       Potential compromise of externally reachable RRAS gateway infrastructure resulting from unpatched remote code execution vulnerabilities.

S6A Compliance Exposure Indicator

·       Review of security controls protecting externally exposed infrastructure

·       Internal audit review of vulnerability management and patch deployment practices

·       Potential regulatory reporting requirements depending on incident scope

S6B Risk Drivers

·       External exposure of RRAS gateway services providing remote connectivity into enterprise networks

·       Trusted network position of gateway systems bridging external and internal infrastructure

·       Potential exploit development following vulnerability disclosure of remotely reachable services

·       Operational value of gateway compromise for credential harvesting and follow-on attack activity

S7 Bottom Line for Executives

The RRAS vulnerabilities represent a focused but potentially high-impact exposure affecting externally reachable gateway systems rather than large numbers of endpoint devices. Although the number of affected systems in most environments is limited, those systems often occupy highly trusted positions within enterprise network architecture. Rapid patch deployment and enhanced monitoring of gateway activity significantly reduce the likelihood that attackers could exploit these vulnerabilities to gain internal network access.

S7A Board-Level Takeaway

A small number of externally exposed gateway systems can represent disproportionate enterprise risk, and ensuring that those systems are patched and monitored should be treated as a priority security action.

S8 Affected Sectors and Countries

Affected sectors

·       Government and public sector organizations

·       Financial services institutions

·       Healthcare providers

·       Critical infrastructure operators

·       Enterprise environments operating remote-access gateway infrastructure

Countries affected

·       Global exposure

o   Due to widespread Windows deployment and enterprise remote-access infrastructure

S9 Targeting Probability Assessment

High targeting probability

·       Government networks

·       Financial services organizations

·       Critical infrastructure operators

Moderate targeting probability

·       Large enterprises operating VPN gateway infrastructure

·       Managed service providers

Lower targeting probability

·       Organizations with minimal externally exposed infrastructure


S10 Threat Overview

The March 2026 Windows security update cycle addressed multiple vulnerabilities affecting the Windows Routing and Remote Access Service (RRAS). RRAS provides VPN connectivity, routing services, and remote access capabilities that allow organizations to provide secure remote access to internal network resources.

The vulnerabilities tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111 involve memory-handling weaknesses in RRAS network request processing that may allow specially crafted network traffic to trigger unsafe service conditions that could lead to remote code execution.

Because RRAS systems often operate as remote-access gateway infrastructure connecting external users to internal enterprise networks, successful exploitation could allow attackers to obtain a trusted foothold within internal network segments.

S11 Exploit Status

Exploit status assessment

·       Public vulnerability records describe the vulnerabilities as remotely exploitable within RRAS components

·       No confirmed in-the-wild exploitation campaigns have been publicly reported at the time of this assessment

o   CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111 are not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog

KEV inclusion criteria

·       CISA adds vulnerabilities to the KEV catalog when there is verified evidence of exploitation in real-world environments

·       At the time of analysis, such evidence has not been confirmed for these RRAS vulnerabilities

Operational implication

·       The vulnerabilities should be classified as potentially exploitable but not confirmed exploited

S12 Exploit Conditions Snapshot

Exploit prerequisites

•           Target system running a vulnerable Windows version
 o RRAS service enabled on the host

•           Network connectivity between attacker and RRAS service
 o Direct network reachability to the gateway system
 o Exposure through VPN or remote-access infrastructure

•           Ability to deliver specially crafted network traffic
 o Malformed network packets interacting with vulnerable RRAS processing routines

Exposure factors increasing exploit feasibility

•           Internet-exposed RRAS gateway infrastructure
 o VPN servers providing remote user connectivity

•           Direct exposure of RRAS services to untrusted networks
 o Public-facing gateway deployments

•           Delayed patch deployment on gateway infrastructure
 o Unpatched remote-access systems accessible from external networks

Exposure factors reducing exploit feasibility

•           RRAS service disabled on affected hosts

•           Network segmentation protecting gateway systems
 o Internal-only routing deployments

•           Rapid deployment of vendor security updates

Exploit feasibility assessment

·       Exploit feasibility rating: Moderate

·       Rationale

o   Vulnerability class includes integer overflow conditions that historically enable memory corruption exploits

o   RRAS services may be reachable over network connections when deployed as externally accessible gateways

o   Gateway systems frequently operate with elevated privileges

o   Reliable exploit development likely requires patch diff analysis and reverse engineering of packet-processing logic

Infrastructure exposure considerations

·       RRAS commonly operates as enterprise gateway infrastructure

·       Typical deployment scenarios include
 o VPN gateway systems supporting remote workforce connectivity
 o Remote administrative access infrastructure
 o Edge routing services connecting enterprise networks to external environments

S13 Affected Technologies

Affected component

•           Microsoft Windows Routing and Remote Access Service (RRAS)

Associated vulnerabilities

•           CVE-2026-25172

•           CVE-2026-25173

•           CVE-2026-26111

Component functions

•           VPN connectivity services

•           Network routing functionality

•           Remote-access gateway capabilities

Operational context

•           RRAS systems frequently operate as network edge infrastructure

o   Connecting external networks to internal enterprise environments

S13A Patch and Mitigation Status

Vendor remediation status

•           Microsoft addressed these vulnerabilities during the March 2026 Windows security update cycle

•           Systems participating in the Windows hotpatch servicing program may receive remediation through the March 2026 hotpatch update, which provides expedited patch delivery for affected Windows systems.

Patch deployment guidance

•           Deploy the March 2026 Windows security updates addressing the RRAS vulnerabilities

•           Apply applicable Windows hotpatch updates for supported systems

•           Verify patch installation on all systems running the RRAS service

Operational mitigation measures

•           Restrict external exposure of RRAS services where possible

•           Validate that externally accessible gateway systems are necessary for business operations

•           Monitor gateway systems for abnormal activity
 o Unexpected service execution behavior
 o Unusual outbound network communication

S14 Adversary Capability Profiling

Exploitation capability assessment

•           Exploiting RRAS vulnerabilities would likely require moderate technical capability

Adversaries capable of exploit development

•           Nation-state operators

•           Advanced cybercriminal groups

•           Initial-access brokers

Exploit development pathway

•           Vulnerability disclosure

•           Patch diff analysis

•           Identification of vulnerable code paths

•           Development of network-based exploit payloads targeting exposed gateway infrastructure

S15 Threat Actor Operational Objectives

Potential attacker objectives

•           Establish persistent access inside enterprise networks

•           Harvest authentication credentials

o   Credentials from gateway systems

o   Credentials from connected authentication infrastructure

•           Enable lateral movement within the internal network

o   Access to administrative systems

o   Movement toward sensitive internal resources

•           Stage follow-on attacks

o   Ransomware deployment

o   Espionage operations

Observed activity status

•           Not observed in currently available reporting

o   May occur during post-exploitation depending on attacker objectives and target environment

S16 Risk Appetite Interpretation

Risk interpretation considerations

•           Gateway systems provide trusted connectivity between external users and internal infrastructure

•           Exploitation could allow attackers to bypass traditional perimeter defenses

Security program implications

•           Mature vulnerability management programs prioritize remediation of externally exposed infrastructure

•           Accelerated patch deployment for gateway systems reduces the likelihood that vulnerabilities remain exposed long enough for exploit development

S17 Confidence and Assessment Statement

Confidence level

•           Moderate

Confidence rationale

•           Vendor documentation clearly describes affected components and remediation guidance

•           Gateway infrastructure exposure presents credible risk scenarios

•           Lack of confirmed exploitation reporting introduces uncertainty regarding adversary activity and exploit maturity

S18 Initial Access Vector Analysis

Initial access exposure

·       The vulnerabilities affect the Windows Routing and Remote Access Service (RRAS).

·       RRAS commonly operates as VPN and remote-access gateway infrastructure.

·       Internet-facing gateway infrastructure significantly increases exploitation exposure.

Initial access pathway

·       An attacker identifies an externally reachable RRAS gateway system.

·       Crafted network traffic is delivered to RRAS packet-processing routines.

·       Unsafe memory-handling behavior is triggered.

·       Remote code execution occurs within the gateway service context.

Attack surface considerations

·       VPN gateway services expose network interfaces to untrusted networks.

·       Gateway systems typically reside at the enterprise network perimeter.

·       Compromise of a gateway host may bypass traditional perimeter defenses.

S19 Attack Path Modeling

Primary attack sequence

·       Attacker discovers exposed RRAS gateway infrastructure.

·       Malformed network packets target vulnerable request-processing routines.

·       The vulnerability triggers unsafe memory conditions.

·       Code execution occurs within the gateway system service context.

Follow-on attack progression

·       Attacker establishes a foothold on the gateway system.

·       Authentication credentials or tokens may be harvested.

·       Lateral movement toward internal enterprise systems may occur.

Environmental factors influencing success

·       Internet exposure of gateway infrastructure.

·       Absence of security updates addressing the vulnerabilities.

·       Limited monitoring of gateway host activity.

S20 MITRE ATT&CK Technique Mapping

Initial access

·       T1190 – Exploit Public-Facing Application

o   Exploitation of externally accessible RRAS gateway services.

Execution

·       T1059 – Command and Scripting Interpreter

o   Execution of command shells or scripts following successful exploitation.

Discovery

·       T1082 – System Information Discovery

o   Enumeration of host information to understand gateway configuration and network context.

Credential access

·       T1003 – OS Credential Dumping

o   Extraction of credentials from compromised gateway systems.

Credential abuse

·       T1078 – Valid Accounts
 o Use of stolen credentials to authenticate to internal resources.

Persistence

·       T1547 – Boot or Logon Autostart Execution
 o Persistence mechanisms configured on compromised gateway systems.

Lateral movement

·       T1021 – Remote Services
 o Movement to internal systems using valid credentials.

Defense evasion

·       T1070 – Indicator Removal on Host
 o Removal of artifacts associated with gateway compromise.

S20A Adversary Tradecraft Summary

Gateway exploitation tradecraft

·       Threat actors frequently target externally exposed gateway infrastructure.

·       Edge infrastructure provides efficient initial access into enterprise environments.

Operational attacker behavior

·       Establish a foothold on a trusted gateway host.

·       Maintain persistence on gateway infrastructure.

·       Harvest authentication credentials accessible from the compromised system.

Follow-on attack strategy

·       Move laterally toward internal administrative systems.

·       Expand access across internal network segments.

·       Deploy additional tooling to maintain long-term access.

Observed reporting status

·       Not observed in currently available reporting.

·       May occur during post-exploitation depending on attacker objectives and target environment.

S21 Post-Exploitation Behavior

Common attacker activity

·       Establish persistence on the compromised gateway host.

·       Conduct reconnaissance of internal network resources.

·       Harvest authentication credentials.

Credential access pathways

·       Credential dumping from system memory.

·       Access to cached authentication tokens.

·       Interaction with domain authentication infrastructure.

Lateral movement activity

·       Use compromised credentials to access internal systems.

·       Execute remote administrative commands on internal hosts.

·       Expand foothold across network segments.

S22 Operational Impact Pathways

Primary operational impacts

·       Unauthorized access to internal enterprise networks.

·       Compromise of authentication infrastructure.

·       Exposure of internal services reachable through gateway connectivity.

Secondary impacts

·       Data access through compromised internal systems.

·       Network disruption caused by malicious activity.

·       Deployment of ransomware or destructive payloads.

Risk amplification factors

·       Gateway systems maintain trusted connectivity to internal networks.

·       Compromise may bypass multiple defensive layers.

S23 Defensive Control Opportunities

Initial access defenses

§  Restrict internet exposure of RRAS services where possible.

§  Apply strict firewall policies controlling gateway access.

System hardening controls

§  Deploy vendor security updates addressing RRAS vulnerabilities.

§  Disable RRAS functionality on systems where the service is not required.

Monitoring controls

§  Monitor gateway hosts for abnormal process execution.

§  Monitor outbound network connections originating from gateway infrastructure.

Security architecture improvements

·       Implement network segmentation protecting critical internal systems.

·       Require strong authentication controls for remote access services.

S24 Operational Detection Signals

Endpoint telemetry signals

§  svchost.exe hosting the RemoteAccess service spawning unexpected child processes
 o cmd.exe
 o powershell.exe
 o rundll32.exe
 o wmic.exe

§  Administrative utilities executed from RRAS gateway hosts outside scheduled maintenance windows

Network telemetry signals

§  Outbound connections initiated by RRAS gateway hosts to previously unseen external IP addresses

§  RRAS gateway hosts initiating network communication outside established baseline patterns

§  Gateway infrastructure communicating with internal systems not normally accessed by the service

Authentication telemetry signals

§  Authentication attempts originating from gateway hosts using unusual user accounts

§  Valid credential use originating from gateway systems accessing internal administrative services

Detection correlation strategy

§  Correlate endpoint process activity with network telemetry originating from gateway hosts

§  Investigate authentication anomalies involving gateway infrastructure

§  Prioritize alerts originating from externally exposed remote-access systems

S25 Ultra-Tuned Detection Engineering Rules

Suricata

Rule Name
• RRAS Gateway Exploit Pressure Detection
• RRAS Gateway Rare Callback Detection

Purpose
• Detect exploit pressure against externally exposed RRAS gateway systems.
• Detect rare outbound callback behavior from RRAS gateway hosts after likely compromise.

ATT&CK Technique
• T1190 – Exploit Public-Facing Application
• T1071 – Application Layer Protocol

Telemetry Dependency
• Perimeter IDS visibility
• Confirmed RRAS gateway asset list
• Approved scanner allowlist
• Approved RRAS egress allowlist

Tuning Explanation
• Scope only to confirmed RRAS gateways.
• Exclude approved vulnerability scanners, health checks, monitoring systems, management systems, and vendor update destinations.
• The inbound analytic detects exploit pressure, not confirmed exploitation.
• The outbound analytic is tuned for rare callback behavior from RRAS gateways, which should not normally originate arbitrary internet sessions.

Detection Logic
• Detect burst-style inbound activity against RRAS-related ports on RRAS assets.
• Detect rare outbound HTTP, TLS, and DNS activity from RRAS hosts to destinations outside the approved RRAS egress set.

Operational Context
• Deploy on perimeter sensors monitoring internet-facing RRAS gateways.
• Highest-confidence use occurs when correlated with endpoint execution telemetry.

System-Ready Code

# Required variables (define under vars: address-groups and port-groups in suricata.yaml):
# address-groups:
#   RRAS_SERVERS: "[10.10.20.10,10.10.20.11]"
#   APPROVED_SCANNERS: "[192.0.2.10,198.51.100.25]"
#   APPROVED_RRAS_EGRESS: "[203.0.113.10,203.0.113.11]"
# port-groups:
#   RRAS_TCP_PORTS: "[1723,443]"
#   RRAS_UDP_PORTS: "[500,4500,1701]"
# Suricata only continues a rule across lines when each line ends with a backslash.

# Inbound: SYN burst from non-allowlisted sources; fires once more than 80 SYNs hit one gateway in 60s.
alert tcp !$APPROVED_SCANNERS any -> $RRAS_SERVERS $RRAS_TCP_PORTS ( \
    msg:"CYBERDAX RRAS exploit pressure on TCP-exposed gateway"; \
    flow:to_server; \
    flags:S; \
    detection_filter:track by_dst,count 80,seconds 60; \
    classtype:attempted-admin; \
    sid:5253001; \
    rev:1; \
    metadata:deployment Perimeter, attack_target Server, service rrassvc; \
)

# Inbound: UDP burst against IKE/NAT-T/L2TP ports on the gateway.
alert udp !$APPROVED_SCANNERS any -> $RRAS_SERVERS $RRAS_UDP_PORTS ( \
    msg:"CYBERDAX RRAS exploit pressure on UDP-exposed gateway"; \
    detection_filter:track by_dst,count 120,seconds 60; \
    classtype:attempted-admin; \
    sid:5253002; \
    rev:1; \
    metadata:deployment Perimeter, attack_target Server, service rrassvc; \
)

# Outbound: gateway talking to a non-approved destination; threshold limit caps alerts to one per source per 15 minutes.
alert http $RRAS_SERVERS any -> !$APPROVED_RRAS_EGRESS any ( \
    msg:"CYBERDAX RRAS host rare outbound HTTP callback"; \
    flow:to_server,established; \
    threshold:type limit, track by_src, count 1, seconds 900; \
    classtype:trojan-activity; \
    sid:5253003; \
    rev:1; \
    metadata:deployment Perimeter, stage callback; \
)

alert tls $RRAS_SERVERS any -> !$APPROVED_RRAS_EGRESS any ( \
    msg:"CYBERDAX RRAS host rare outbound TLS callback"; \
    flow:to_server,established; \
    threshold:type limit, track by_src, count 1, seconds 900; \
    classtype:trojan-activity; \
    sid:5253004; \
    rev:1; \
    metadata:deployment Perimeter, stage callback; \
)

alert dns $RRAS_SERVERS any -> !$APPROVED_RRAS_EGRESS 53 ( \
    msg:"CYBERDAX RRAS host rare outbound DNS query"; \
    flow:to_server; \
    threshold:type limit, track by_src, count 2, seconds 900; \
    classtype:trojan-activity; \
    sid:5253005; \
    rev:1; \
    metadata:deployment Perimeter, stage callback; \
)
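The two rate-limiting keywords the Suricata rules above depend on behave differently: detection_filter stays silent until the count is exceeded inside the window and then fires on every further match, while threshold type limit fires at most once per tracked source per window. The following is an added example, not part of the original assessment, that models both behaviours offline over constructed flow records using the same address and port sets as the rules (documentation ranges, not real assets).

```python
# Added example (not from the original assessment): offline model of the
# Suricata detection_filter and threshold:type limit semantics used above.
from collections import defaultdict, deque

# Same constructed values as the rule variables; none are real assets.
RRAS_SERVERS = {"10.10.20.10", "10.10.20.11"}
APPROVED_SCANNERS = {"192.0.2.10", "198.51.100.25"}
APPROVED_RRAS_EGRESS = {"203.0.113.10", "203.0.113.11"}
RRAS_TCP_PORTS = {1723, 443}


class DetectionFilter:
    """Models 'detection_filter:track by_dst,count N,seconds S'."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)  # dst -> match timestamps inside window

    def check(self, key, ts):
        window = self.hits[key]
        window.append(ts)
        while window and ts - window[0] >= self.seconds:
            window.popleft()
        # Alerts begin on the (count+1)th match within 'seconds' and continue
        # for every match while the window stays above the count.
        return len(window) > self.count


class ThresholdLimit:
    """Models 'threshold:type limit,track by_src,count 1,seconds S'."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.last_alert = {}  # src -> timestamp of last emitted alert

    def check(self, key, ts):
        last = self.last_alert.get(key)
        if last is not None and ts - last < self.seconds:
            return False  # suppressed: already alerted for this source this window
        self.last_alert[key] = ts
        return True


def run_inbound_rule(packets, count=80, seconds=60):
    """Model of sid 5253001. packets: dicts with ts, src, dst, dport, flags.
    Returns the timestamps that would produce an alert."""
    df = DetectionFilter(count, seconds)
    alerts = []
    for p in packets:
        if p["src"] in APPROVED_SCANNERS:  # !$APPROVED_SCANNERS
            continue
        if p["dst"] not in RRAS_SERVERS or p["dport"] not in RRAS_TCP_PORTS:
            continue
        if p["flags"] != "S":  # flags:S
            continue
        if df.check(p["dst"], p["ts"]):
            alerts.append(p["ts"])
    return alerts


def run_callback_rule(flows, seconds=900):
    """Model of sids 5253003-5253005. flows: dicts with ts, src, dst.
    Returns (src, ts) pairs that would alert."""
    th = ThresholdLimit(seconds)
    alerts = []
    for f in flows:
        if f["src"] not in RRAS_SERVERS or f["dst"] in APPROVED_RRAS_EGRESS:
            continue
        if th.check(f["src"], f["ts"]):
            alerts.append((f["src"], f["ts"]))
    return alerts


# Constructed sample traffic: an approved-scanner burst (must be ignored) and a
# burst of two SYNs per second from an unknown source over 100 seconds.
SAMPLE_PACKETS = (
    [{"ts": i // 2, "src": "192.0.2.10", "dst": "10.10.20.10", "dport": 1723, "flags": "S"}
     for i in range(200)]
    + [{"ts": i // 2, "src": "198.18.0.5", "dst": "10.10.20.10", "dport": 1723, "flags": "S"}
       for i in range(200)]
)
# Constructed outbound flows from a gateway: approved egress, a rare callback,
# a repeat inside the 900s window (suppressed), and a repeat in a new window.
SAMPLE_FLOWS = [
    {"ts": 0, "src": "10.10.20.10", "dst": "203.0.113.10"},
    {"ts": 10, "src": "10.10.20.10", "dst": "198.18.0.99"},
    {"ts": 20, "src": "10.10.20.10", "dst": "198.18.0.99"},
    {"ts": 1000, "src": "10.10.20.10", "dst": "198.18.0.99"},
]
```

With the constructed burst the inbound model first fires at the 81st SYN (second 40) and keeps firing, which is why the rule is described as exploit pressure rather than confirmed exploitation.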

SentinelOne

Rule Name
• RRAS Service-Context Execution, Credential Access, Persistence, and Artifact-Clearing Analytic

Purpose
• Detect likely successful RRAS exploitation by identifying suspicious service-context execution, credential-access behavior, remote administration, persistence activity, and artifact-clearing on RRAS hosts.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1003 – OS Credential Dumping
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Deep Visibility process telemetry
• Parent-child lineage
• Command-line visibility
• Network connection telemetry
• RRAS host grouping or tags

Tuning Explanation
• Scope only to RRAS-tagged hosts.
• Require svchost.exe parent and high-risk child binaries or high-risk command-line content.
• Favor suspicious CLI indicators, credential-access strings, remote-admin switches, persistence creation, and log-clearing patterns.
• Suppress approved maintenance windows and documented break-glass administration.

Detection Logic
• Detect suspicious service-context child processes from svchost.exe on RRAS hosts.
• Cover command execution, credential access, remote administration, persistence creation, and artifact-clearing.
• Prioritize when followed by outbound callback or internal authentication anomalies.

Operational Context
• Best for RRAS VPN gateways and remote-access servers.
• Treat as high severity when correlated with network anomalies.

System-Ready Code

SentinelOne Deep Visibility Query

(
  EndpointName contains "RRAS"
  or GroupName contains "RRAS"
  or SiteName contains "RRAS"
  or ComputerName contains "RRAS"
)
and SrcProcName = "svchost.exe"
and TgtProcName in (
  "cmd.exe",
  "powershell.exe",
  "pwsh.exe",
  "wscript.exe",
  "cscript.exe",
  "rundll32.exe",
  "wmic.exe",
  "psexec.exe",
  "regsvr32.exe",
  "mshta.exe",
  "procdump.exe",
  "rubeus.exe",
  "mimikatz.exe",
  "wevtutil.exe",
  "schtasks.exe",
  "sc.exe"
)
and (
  TgtProcCmdLine contains " -enc "
  or TgtProcCmdLine contains "Invoke-Expression"
  or TgtProcCmdLine contains "DownloadString"
  or TgtProcCmdLine contains "FromBase64String"
  or TgtProcCmdLine contains "sekurlsa"
  or TgtProcCmdLine contains "lsass"
  or TgtProcCmdLine contains " /node:"
  or TgtProcCmdLine contains " winrm "
  or TgtProcCmdLine contains "\\\\"
  or TgtProcCmdLine contains " cl "
  or TgtProcCmdLine contains "Clear-EventLog"
  or TgtProcCmdLine contains "/create"
  or TgtProcCmdLine contains "create "
  or TgtProcCmdLine contains " start= auto"
)

Splunk

Rule Name
• RRAS Gateway Multi-Signal Execution, Persistence, Callback, and Account Abuse Correlation

Purpose
• Detect suspicious service-context execution on RRAS hosts and correlate it with persistence, network callback, and internal authentication behavior.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1003 – OS Credential Dumping
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Sysmon Event ID 1 or Windows Security Event 4688
• RRAS asset lookup
• Network telemetry data model
• Windows authentication logs

Tuning Explanation
• Restrict to RRAS assets from a maintained lookup.
• Require svchost.exe parent plus suspicious child process and suspicious CLI.
• Increase confidence when the same host also shows outbound callback, persistence-related execution, or internal authentication activity.
• Suppress hosts or periods listed in approved maintenance lookups.

Detection Logic
• Detect suspicious process creation on RRAS hosts.
• Enrich with outbound network activity and internal logon or explicit-credential events from the same host.

Operational Context
• Best for SOC environments with endpoint, network, and authentication visibility.
• Designed for high-fidelity correlation, not broad hunting.

System-Ready Code

| tstats summariesonly=f allow_old_summaries=f earliest(_time) as firstTime latest(_time) as lastTime
  from datamodel=Endpoint.Processes
  where Processes.parent_process_name=svchost.exe
    Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","rundll32.exe","wmic.exe","psexec.exe","regsvr32.exe","mshta.exe","procdump.exe","rubeus.exe","mimikatz.exe","wevtutil.exe","schtasks.exe","sc.exe")
  by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_guid
| rename Processes.* as *
| lookup rras_assets.csv dest OUTPUT dest as matched_dest
| where isnotnull(matched_dest)
| eval suspicious_cli=if(match(process,"(?i)( -enc |invoke-expression|downloadstring|frombase64string|sekurlsa|lsass| /node:| winrm |\\\\\\\\| cl |clear-eventlog|/create|create |start= auto)"),1,0)
| where suspicious_cli=1
| join type=left process_guid [
    | tstats summariesonly=f count as netCount values(All_Traffic.dest_ip) as dest_ips
      from datamodel=Network_Traffic.All_Traffic
      by All_Traffic.process_guid
    | rename All_Traffic.process_guid as process_guid
]
| join type=left dest [
    search index=windows (EventCode=4624 OR EventCode=4648)
    | stats count as authCount values(TargetUserName) as target_users by host
    | rename host as dest
]
``` left joins leave netCount and authCount null when there is no match; coalesce keeps the base score of 60 from becoming null ```
| eval risk_score=60 + if(coalesce(netCount,0)>0,20,0) + if(coalesce(authCount,0)>0,20,0)
| where risk_score>=80
| table firstTime lastTime dest user parent_process_name process_name process netCount dest_ips authCount target_users risk_score
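The Splunk correlation above is easier to validate before it reaches a SIEM when its stages are reproduced outside Splunk. The following is an added example, not part of the original assessment, that applies the same filters (RRAS asset lookup, svchost.exe parent, high-risk child, high-risk command line) and the same 60/20/20 scoring to constructed process, network and authentication events; hostnames, GUIDs and addresses are constructed.

```python
# Added example (not from the original assessment): offline model of the
# Splunk RRAS correlation search, run over constructed telemetry.
import re

RRAS_ASSETS = {"rras-gw-01", "rras-gw-02"}  # stands in for rras_assets.csv
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "wmic.exe", "psexec.exe", "regsvr32.exe", "mshta.exe",
    "procdump.exe", "rubeus.exe", "mimikatz.exe", "wevtutil.exe",
    "schtasks.exe", "sc.exe",
}
# Same pattern as the SPL eval; \\\\ in the raw string matches a literal "\\" (UNC path).
SUSPICIOUS_CLI = re.compile(
    r"(?i)( -enc |invoke-expression|downloadstring|frombase64string|sekurlsa"
    r"|lsass| /node:| winrm |\\\\| cl |clear-eventlog|/create|create |start= auto)"
)


def suspicious_process(ev):
    """Stage one: RRAS asset, svchost.exe parent, high-risk child, high-risk CLI."""
    return (
        ev["dest"] in RRAS_ASSETS
        and ev["parent_process_name"].lower() == "svchost.exe"
        and ev["process_name"].lower() in SUSPICIOUS_CHILDREN
        and SUSPICIOUS_CLI.search(ev["process"]) is not None
    )


def correlate(process_events, network_events, auth_events, min_score=80):
    """Stage two: enrich each suspicious process with network activity for the
    same process_guid and 4624/4648 logons on the same host, then score
    60 base + 20 for network + 20 for auth, exactly as the SPL does."""
    net_by_guid = {}
    for n in network_events:
        net_by_guid.setdefault(n["process_guid"], set()).add(n["dest_ip"])
    auth_by_host = {}
    for a in auth_events:
        if a["EventCode"] in (4624, 4648):
            auth_by_host.setdefault(a["host"], set()).add(a["TargetUserName"])
    findings = []
    for ev in process_events:
        if not suspicious_process(ev):
            continue
        dest_ips = net_by_guid.get(ev["process_guid"], set())
        users = auth_by_host.get(ev["dest"], set())
        score = 60 + (20 if dest_ips else 0) + (20 if users else 0)
        if score >= min_score:
            findings.append({
                "dest": ev["dest"], "process_name": ev["process_name"],
                "dest_ips": sorted(dest_ips), "target_users": sorted(users),
                "risk_score": score,
            })
    return findings


# Constructed sample telemetry (not real logs). Events 3 and 4 must be dropped:
# one is not an RRAS asset, the other has an interactive parent, not svchost.exe.
PROCESS_EVENTS = [
    {"dest": "rras-gw-01", "user": "SYSTEM", "parent_process_name": "svchost.exe",
     "process_name": "powershell.exe", "process_guid": "guid-1",
     "process": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"dest": "rras-gw-01", "user": "SYSTEM", "parent_process_name": "svchost.exe",
     "process_name": "wevtutil.exe", "process_guid": "guid-2",
     "process": "wevtutil.exe cl Security"},
    {"dest": "file-01", "user": "SYSTEM", "parent_process_name": "svchost.exe",
     "process_name": "cmd.exe", "process_guid": "guid-3",
     "process": "cmd.exe /c whoami"},
    {"dest": "rras-gw-02", "user": "admin", "parent_process_name": "explorer.exe",
     "process_name": "cmd.exe", "process_guid": "guid-4",
     "process": "cmd.exe /c sc create svc binpath= x start= auto"},
]
NETWORK_EVENTS = [{"process_guid": "guid-1", "dest_ip": "198.18.0.99"}]
AUTH_EVENTS = [{"host": "rras-gw-01", "EventCode": 4624, "TargetUserName": "svc_backup"}]
```

On this input the encoded PowerShell child scores 100 (network and auth both present) and the log-clearing wevtutil child scores 80 (auth only), so both clear the 80 cutoff while the two control events never reach scoring.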

Elastic

Rule Name
• RRAS Gateway Service Execution, Persistence, and Callback Correlation

Purpose
• Detect suspicious service-context execution on RRAS hosts and correlate it with outbound network activity or persistence-related behavior.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Elastic Defend process telemetry
• Network telemetry
• RRAS host role tags

Tuning Explanation
• Restrict to RRAS-tagged hosts.
• Require suspicious child execution from svchost.exe plus high-risk command-line content.
• Correlate with outbound network activity to reduce false positives.
• Maintain allowlists for approved egress destinations.

Detection Logic
• Detect suspicious service-child execution from RRAS hosts.
• Correlate with outbound callback or persistence-related execution within five minutes.

Operational Context
• Best for Elastic deployments monitoring Windows gateway assets.

System-Ready Code

sequence by host.id with maxspan=5m
  [process where host.roles : "rras_server" and
            process.parent.name == "svchost.exe" and
            process.name in ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","rundll32.exe","wmic.exe","psexec.exe","regsvr32.exe","mshta.exe","procdump.exe","rubeus.exe","mimikatz.exe","wevtutil.exe","schtasks.exe","sc.exe") and
            process.command_line regex~ "(?i).*( -enc |invoke-expression|downloadstring|frombase64string|sekurlsa|lsass| /node:| winrm |\\\\\\\\| cl |clear-eventlog|/create|create |start= auto).*"
  ]
  [network where host.roles : "rras_server" and
            destination.ip != null and
            not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
  ]

QRadar

Rule Name
• RRAS Gateway Multi-Signal Compromise Correlation

Purpose
• Detect likely RRAS compromise through exploit pressure, suspicious service execution, callback behavior, gateway-originated authentication anomalies, and persistence-related execution.

ATT&CK Technique
• T1190 – Exploit Public-Facing Application
• T1059 – Command and Scripting Interpreter
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• QRadar CRE
• Windows process creation events
• Firewall, IDS, and flow telemetry
• Authentication events
• Reference sets for RRAS assets and approved sources

Tuning Explanation
• Scope all logic to RRAS assets only.
• Exclude approved scanners, approved admin sources, known maintenance activity, and approved destinations.
• Require multi-signal chaining before offense generation.
• Treat external callback and gateway-originated internal authentication as confidence multipliers rather than standalone high-severity events.

Detection Logic
• Stage 1 detects inbound exploit pressure to RRAS hosts.
• Stage 2 detects suspicious service-child execution on the same RRAS host.
• Stage 3 correlates with either rare external callback, unusual internal authentication, or persistence-related process execution.

Operational Context
• Best for centralized SOC environments using QRadar offense workflows.
• Intended for production deployment on internet-facing RRAS gateway infrastructure.

System-Ready Code

Reference Set: CYBERDAX_RRAS_ASSETS
Reference Set: CYBERDAX_APPROVED_SCANNERS
Reference Set: CYBERDAX_APPROVED_RRAS_EGRESS
Reference Set: CYBERDAX_APPROVED_ADMIN_SOURCES

Building Block: CYBERDAX_RRAS_Inbound_Pressure
when destination IP is in CYBERDAX_RRAS_ASSETS
and source IP is not in CYBERDAX_APPROVED_SCANNERS
and flow direction is inbound
and destination port is one of 1723, 443, 500, 4500, 1701
and at least 80 events or 120 flows are seen with the same destination IP in 60 seconds

Building Block: CYBERDAX_RRAS_Svchost_Suspicious_Child
when destination IP is in CYBERDAX_RRAS_ASSETS
and event indicates process creation
and Parent Process is "svchost.exe"
and Process Name is one of:
  cmd.exe
  powershell.exe
  pwsh.exe
  wscript.exe
  cscript.exe
  rundll32.exe
  wmic.exe
  psexec.exe
  regsvr32.exe
  mshta.exe
  procdump.exe
  rubeus.exe
  mimikatz.exe
  wevtutil.exe
  schtasks.exe
  sc.exe

Building Block: CYBERDAX_RRAS_Persistence_Or_Artifact_Clearing
when destination IP is in CYBERDAX_RRAS_ASSETS
and event indicates process creation
and Process Name is one of:
  schtasks.exe
  sc.exe
  wevtutil.exe
and CommandLine contains any of:
  "/create"
  "create "
  "start= auto"
  " cl "
  "Clear-EventLog"

Building Block: CYBERDAX_RRAS_New_External_Egress
when source IP is in CYBERDAX_RRAS_ASSETS
and destination IP is not private
and destination is not in CYBERDAX_APPROVED_RRAS_EGRESS
and flow direction is outbound

Building Block: CYBERDAX_RRAS_Internal_Auth_Anomaly
when source IP is in CYBERDAX_RRAS_ASSETS
and source IP is not in CYBERDAX_APPROVED_ADMIN_SOURCES
and event name is one of:
  "Successful Logon"
  "Explicit Credential Logon"
  "Kerberos Service Ticket Requested"
and destination IP is not equal to source IP

Rule: CYBERDAX RRAS Multi-Signal Compromise
when BB:CYBERDAX_RRAS_Inbound_Pressure matches on Local Destination IP
followed by BB:CYBERDAX_RRAS_Svchost_Suspicious_Child matches on same Local Destination IP
within 10 minutes
then create offense
  Severity: 8
  Relevance: 8
  Credibility: 7

Rule: CYBERDAX RRAS Compromise with Callback, Auth Abuse, or Persistence
when BB:CYBERDAX_RRAS_Inbound_Pressure matches on Local Destination IP
followed by BB:CYBERDAX_RRAS_Svchost_Suspicious_Child matches on same Local Destination IP
followed by (
  BB:CYBERDAX_RRAS_New_External_Egress matches on same Source IP
  or BB:CYBERDAX_RRAS_Internal_Auth_Anomaly matches on same Source IP
  or BB:CYBERDAX_RRAS_Persistence_Or_Artifact_Clearing matches on same Local Destination IP
)
within 10 minutes
then create offense
  Severity: 9
  Relevance: 9
  Credibility: 8

Sigma

Rule Name
• RRAS Gateway Suspicious Execution, Persistence, and Credential Access Indicators

Purpose
• Provide portable detection content for suspicious service-context execution, credential-access indicators, persistence creation, and artifact-clearing behavior on RRAS hosts.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1003 – OS Credential Dumping
• T1078 – Valid Accounts
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Windows process creation logs
• RRAS host enrichment in the backend
• Command-line logging
• Optional backend correlation with network telemetry

Tuning Explanation
• Scope to RRAS-tagged hosts in the SIEM backend.
• Require svchost.exe parent plus high-risk child processes and high-risk command-line indicators.
• Suppress approved maintenance windows and approved administrative activity.
• This rule is intentionally restrictive to reduce noise on service hosts.

Detection Logic
• Detect suspicious child execution from svchost.exe on RRAS hosts.
• Cover command execution, credential-access strings, persistence creation, remote administration, and event-log clearing indicators.

Operational Context
• Best used as portable content across SIEM backends after RRAS host scoping is applied.
• High-confidence use when paired with gateway network anomaly detections.

System-Ready Code

title: CyberDax RRAS Gateway Suspicious Execution
id: 1b2aeb7d-4f5a-47f4-a28d-rras-s25-007  # not an RFC 4122 UUID as Sigma expects; replace with a generated UUID before loading
status: stable
description: Detects suspicious child process execution from svchost.exe on RRAS gateway hosts, consistent with post-exploitation, credential access, persistence, artifact-clearing, or remote administration activity.
logsource:
  product: windows
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith: '\svchost.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\rundll32.exe'
      - '\wmic.exe'
      - '\psexec.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
      - '\procdump.exe'
      - '\rubeus.exe'
      - '\mimikatz.exe'
      - '\wevtutil.exe'
      - '\schtasks.exe'
      - '\sc.exe'
  selection_cmd:
    CommandLine|contains:
      - ' -enc '
      - 'Invoke-Expression'
      - 'DownloadString'
      - 'FromBase64String'
      - 'sekurlsa'
      - 'lsass'
      - '\\\\'  # two literal backslashes (UNC prefix); in Sigma '\\' is one escaped backslash and would match every Windows path
      - ' /node:'
      - ' winrm '
      - ' cl '
      - 'Clear-EventLog'
      - '/create'
      - 'create '
      - 'start= auto'
  condition: selection_parent and selection_child and selection_cmd
falsepositives:
  - Approved administration on RRAS gateway systems
  - Emergency remediation activity
  - Documented maintenance windows
level: high
tags:
  - attack.t1059
  - attack.t1003
  - attack.t1078
  - attack.t1547
  - attack.t1070

YARA

Rule Name
• RRAS Gateway Post-Exploitation, Credential Access, Persistence, and Artifact-Clearing Heuristic

Purpose
• Support DFIR and file triage on RRAS hosts by identifying suspicious loader, credential-access, persistence, and log-clearing content.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1003 – OS Credential Dumping
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• File scanning on RRAS systems
• EDR file telemetry
• DFIR collections
• Optional scheduled triage scans of RRAS hosts

Tuning Explanation
• Intended for RRAS host triage rather than direct exploit detection.
• Use on suspected or confirmed RRAS systems or during proactive file sweeps of gateway infrastructure.
• Rule requires multiple indicators to reduce false positives from benign administrative scripts.

Detection Logic
• Identify files containing multiple indicators tied to loader execution, credential dumping, persistence creation, or event-log clearing.

Operational Context
• Best for incident response, hunt, and file triage workflows on RRAS systems.
• Not intended as a perimeter detection.

System-Ready Code

rule CYBERDAX_RRAS_Gateway_PostExploit_Persistence_ArtifactClearing_Heuristic
{
    meta:
        description = "Heuristic for suspicious post-exploitation content on RRAS gateway hosts"
        author = "CyberDax"
        scope = "RRAS gateway DFIR and file triage"
        version = "1.0"

    strings:
        $s1 = "FromBase64String" nocase
        $s2 = "DownloadString" nocase
        $s3 = "Invoke-Expression" nocase
        $s4 = "MiniDumpWriteDump" nocase
        $s5 = "sekurlsa" nocase
        $s6 = "wevtutil cl" nocase
        $s7 = "Clear-EventLog" nocase
        $s8 = "schtasks /create" nocase
        $s9 = "sc create" nocase
        $s10 = "Rubeus" nocase
        $s11 = "mimikatz" nocase

    condition:
        3 of ($s*)
}

AWS

Rule Name
• RRAS EC2 Gateway Suspicious Execution, Persistence, Callback, and Internal Access Correlation

Purpose
• Detect probable RRAS compromise on Windows EC2 RRAS hosts by correlating suspicious service-context execution with outbound callback, anomalous internal access, and persistence-related execution.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Windows process telemetry from EC2 instances
• CloudWatch Logs or Security Lake records
• VPC Flow Logs
• RRAS asset tagging
• Approved destination allowlist

Tuning Explanation
• Scope only to EC2 instances tagged Role=RRAS.
• Maintain allowlists for approved management, monitoring, backup, patching, and update destinations.
• Raise highest severity when suspicious execution is followed by either rare external callback or unusual east-west access on administrative ports.
• Use maintenance-window suppression where available.

Detection Logic
• Detect suspicious child execution from svchost.exe on RRAS-tagged Windows EC2 instances.
• Correlate with either external callback or internal remote-service traffic within five minutes.
• Include persistence or artifact-clearing execution when present.

Operational Context
• Best for AWS-hosted RRAS gateway systems.
• Intended for production deployment with RRAS asset tagging and allowlists in place.

System-Ready Code

WITH suspicious_proc AS (
  SELECT
    host_id,
    event_time,
    process_name,
    command_line
  FROM windows_process_events
  WHERE role = 'RRAS'
    AND lower(parent_name) = 'svchost.exe'
    AND lower(process_name) IN (
      'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
      'rundll32.exe','wmic.exe','psexec.exe','regsvr32.exe','mshta.exe',
      'wevtutil.exe','schtasks.exe','sc.exe'
    )
    -- Athena (Trino) string literals do not treat backslash as an escape, so '\\\\'
    -- reaches the regex engine as four backslashes and matches a two-backslash UNC prefix.
    AND regexp_like(lower(command_line),
      '( -enc |invoke-expression|downloadstring|frombase64string|\\\\| /node:| winrm | cl |clear-eventlog|/create|create |start= auto)'
    )
),
network_followon AS (
  SELECT
    instance_id,
    from_unixtime(start_time) AS flow_time,
    dstaddr,
    dstport
  FROM vpc_flow_logs
  WHERE action = 'ACCEPT'
),
interesting_followon AS (
  SELECT
    instance_id,
    flow_time,
    dstaddr,
    dstport
  FROM network_followon
  WHERE
    NOT (
      dstaddr LIKE '10.%'
      OR dstaddr LIKE '192.168.%'
      -- [.] is a literal dot regardless of string-escaping rules; '\\.' would be read by
      -- Athena as a literal backslash followed by any character and never match 172.16.x.x.
      OR regexp_like(dstaddr, '^172[.](1[6-9]|2[0-9]|3[0-1])[.]')
      OR dstaddr LIKE '127.%'
    )
    OR dstport IN (135,139,445,3389,5985,5986)
)
SELECT
  p.host_id,
  p.event_time,
  p.process_name,
  p.command_line,
  f.dstaddr,
  f.dstport,
  f.flow_time
FROM suspicious_proc p
JOIN interesting_followon f
  ON p.host_id = f.instance_id
 AND f.flow_time BETWEEN p.event_time AND p.event_time + INTERVAL '5' MINUTE;

Azure

Rule Name
• RRAS Azure VM Suspicious Execution, Persistence, Callback, and Gateway-Originated Access Correlation

Purpose
• Detect probable RRAS compromise on Azure-hosted RRAS systems using process, network, persistence, and authentication context.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Defender XDR process telemetry
• DeviceNetworkEvents
• DeviceLogonEvents or equivalent authentication telemetry
• RRAS watchlist
• Approved destination and admin-source lists

Tuning Explanation
• Restrict to known RRAS Azure VMs.
• Require suspicious service-child execution.
• Correlate with outbound traffic, persistence-related execution, or authentication activity from the same host.
• Suppress approved maintenance windows and approved admin origins.

Detection Logic
• Detect suspicious child execution from svchost.exe on RRAS hosts.
• Correlate with outbound network activity or internal authentication within five minutes.
• Include persistence or log-clearing execution where present.

Operational Context
• Best for Defender and Sentinel environments monitoring Azure-hosted RRAS systems.
• Intended for production deployment with RRAS watchlists maintained.

System-Ready Code

let rras_hosts = _GetWatchlist('rras_hosts') | project SearchKey;
let suspicious_proc =
DeviceProcessEvents
| where DeviceName in (rras_hosts)
| where InitiatingProcessFileName =~ "svchost.exe"
| where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","rundll32.exe","wmic.exe","psexec.exe","regsvr32.exe","mshta.exe","wevtutil.exe","schtasks.exe","sc.exe")
// Regex rather than has_any: has_any matches whole indexed terms, so the spacing in " -enc "
// is ignored and a bare backslash is not a term. In a verbatim @"" string \\\\ is a UNC prefix;
// "\\" in an ordinary string is one backslash and would match every Windows path.
| where ProcessCommandLine matches regex @"(?i)( -enc |invoke-expression|downloadstring|frombase64string|\\\\| /node:| winrm | cl |clear-eventlog|/create|create |start= auto)"
| project DeviceName, ProcTime=Timestamp, FileName, ProcessCommandLine;
let external_egress =
DeviceNetworkEvents
| where DeviceName in (rras_hosts)
| where ipv4_is_private(RemoteIP) == false
| project DeviceName, NetTime=Timestamp, RemoteIP, RemoteUrl;
let internal_auth =
DeviceLogonEvents
| where DeviceName in (rras_hosts)
| where LogonType in ("Network","RemoteInteractive")
| project DeviceName, AuthTime=Timestamp, AccountName;
suspicious_proc
| join kind=leftouter external_egress on DeviceName
| join kind=leftouter internal_auth on DeviceName
| where NetTime between (ProcTime .. ProcTime + 5m)
   or AuthTime between (ProcTime .. ProcTime + 5m)
| project ProcTime, DeviceName, FileName, ProcessCommandLine, NetTime, RemoteIP, RemoteUrl, AuthTime, AccountName

GCP

Rule Name
• RRAS GCE Gateway Suspicious Execution, Persistence, Callback, and Internal Access Correlation

Purpose
• Detect probable RRAS compromise on Windows Compute Engine RRAS systems through suspicious execution, persistence-related behavior, outbound callback, and gateway-originated internal access.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Google SecOps normalized UDM process events
• Network connection telemetry
• RRAS asset labels
• Approved destination allowlists

Tuning Explanation
• Restrict to assets labeled Role=RRAS.
• Require suspicious service-child execution and either outbound or east-west network follow-on.
• Use approved-destination allowlists to reduce noise.
• Flag persistence or artifact-clearing execution where observed.

Detection Logic
• Detect suspicious svchost.exe child execution on RRAS-tagged GCE Windows hosts.
• Correlate with outbound network activity or internal remote-service traffic within five minutes.

Operational Context
• Best for Google SecOps or Chronicle environments monitoring Windows gateway infrastructure.
• Intended for production use with RRAS labels maintained.

System-Ready Code

rule CYBERDAX_RRAS_GCE_Gateway_Suspicious_Execution_Callback_And_Internal_Access
{
  meta:
    author = "CyberDax"
    description = "Detects suspicious svchost child execution on RRAS-tagged GCE Windows hosts followed by outbound or internal remote-service network activity"
    severity = "HIGH"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.asset.labels["Role"] = "RRAS"
    $proc.target.process.parent_process.file.full_path regex `(?i)\\svchost\.exe$`
    $proc.target.process.file.full_path regex `(?i)\\(cmd|powershell|pwsh|wscript|cscript|rundll32|wmic|psexec|regsvr32|mshta|wevtutil|schtasks|sc)\.exe$`
    $proc.target.process.command_line regex `(?i)( -enc |invoke-expression|downloadstring|frombase64string|\\\\| /node:| winrm | cl |clear-eventlog|/create|create |start= auto)`
    // YARA-L joins events through placeholder variables; both events bind the same
    // $hostname so the match section groups them per host.
    $proc.principal.asset.hostname = $hostname

    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.asset.labels["Role"] = "RRAS"
    $net.principal.asset.hostname = $hostname
    (
      (
        not net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
        and not net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
        and not net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
        and not net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
      )
      or
      ($net.target.port in (135,139,445,3389,5985,5986))
    )

  match:
    $hostname over 5m

  condition:
    $proc and $net
}

S25 Ultra-Tuned Detection Engineering Rules

Suricata

Rule Name
• RRAS Gateway Exploit Pressure Detection
• RRAS Gateway Rare Callback Detection

Purpose
• Detect exploit pressure against externally exposed RRAS gateway systems.
• Detect rare outbound callback behavior from RRAS gateway hosts after likely compromise.

ATT&CK Technique
• T1190 – Exploit Public-Facing Application
• T1071 – Application Layer Protocol

Telemetry Dependency
• Perimeter IDS visibility
• Confirmed RRAS gateway asset list
• Approved scanner allowlist
• Approved RRAS egress allowlist

Tuning Explanation
• Scope only to confirmed RRAS gateways.
• Exclude approved vulnerability scanners, health checks, monitoring systems, management systems, and vendor update destinations.
• The inbound analytic detects exploit pressure, not confirmed exploitation.
• The outbound analytic is tuned for rare callback behavior from RRAS gateways, which should not normally originate arbitrary internet sessions.

Detection Logic
• Detect burst-style inbound activity against RRAS-related ports on RRAS assets.
• Detect rare outbound HTTP, TLS, and DNS activity from RRAS hosts to destinations outside the approved RRAS egress set.

Operational Context
• Deploy on perimeter sensors monitoring internet-facing RRAS gateways.
• Highest-confidence use occurs when correlated with endpoint execution telemetry.

System-Ready Code

# Required variables:
# var RRAS_SERVERS [10.10.20.10,10.10.20.11]
# var APPROVED_SCANNERS [192.0.2.10,198.51.100.25]
# var APPROVED_RRAS_EGRESS [203.0.113.10,203.0.113.11]
# port-group RRAS_TCP_PORTS [1723,443]
# port-group RRAS_UDP_PORTS [500,4500,1701]

alert tcp !$APPROVED_SCANNERS any -> $RRAS_SERVERS $RRAS_TCP_PORTS (
    msg:"CYBERDAX RRAS exploit pressure on TCP-exposed gateway";
    flow:to_server;
    flags:S;
    detection_filter:track by_dst,count 80,seconds 60;
    classtype:attempted-admin;
    sid:5253001;
    rev:1;
    metadata:deployment Perimeter, attack_target Server, service rrassvc;
)

alert udp !$APPROVED_SCANNERS any -> $RRAS_SERVERS $RRAS_UDP_PORTS (
    msg:"CYBERDAX RRAS exploit pressure on UDP-exposed gateway";
    detection_filter:track by_dst,count 120,seconds 60;
    classtype:attempted-admin;
    sid:5253002;
    rev:1;
    metadata:deployment Perimeter, attack_target Server, service rrassvc;
)

alert http $RRAS_SERVERS any -> !$APPROVED_RRAS_EGRESS any (
    msg:"CYBERDAX RRAS host rare outbound HTTP callback";
    flow:to_server,established;
    threshold:type limit, track by_src, count 1, seconds 900;
    classtype:trojan-activity;
    sid:5253003;
    rev:1;
    metadata:deployment Perimeter, stage callback;
)

alert tls $RRAS_SERVERS any -> !$APPROVED_RRAS_EGRESS any (
    msg:"CYBERDAX RRAS host rare outbound TLS callback";
    flow:to_server,established;
    threshold:type limit, track by_src, count 1, seconds 900;
    classtype:trojan-activity;
    sid:5253004;
    rev:1;
    metadata:deployment Perimeter, stage callback;
)

alert dns $RRAS_SERVERS any -> !$APPROVED_RRAS_EGRESS 53 (
    msg:"CYBERDAX RRAS host rare outbound DNS query";
    flow:to_server;
    threshold:type limit, track by_src, count 2, seconds 900;
    classtype:trojan-activity;
    sid:5253005;
    rev:1;
    metadata:deployment Perimeter, stage callback;
)
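The inbound rules above use detection_filter and the callback rules use threshold type limit, and the two keywords produce very different alert volumes for the same traffic. The Python below is an added example written for this page, not Suricata code and not part of the CyberDax content. It models the two keywords on their documented behaviour as read here (a window per tracked key that starts at the first match; detection_filter alerts on every match after count, limit alerts on the first count) over constructed packets, reusing the address values from the rule comments. Packet, the sample traffic and the two rule functions are hypothetical names of this example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst proto")

# Constructed stand-ins for the address variables in the rule comments above.
RRAS_SERVERS = {"10.10.20.10", "10.10.20.11"}
APPROVED_SCANNERS = {"192.0.2.10"}
APPROVED_RRAS_EGRESS = {"203.0.113.10"}


def _windowed(matches, track, count, seconds, alert_when):
    """Per tracked key, count rule matches inside a window that starts at the first
    match and resets once `seconds` have elapsed; `alert_when(n, count)` decides."""
    state, alerts = {}, []
    for m in sorted(matches, key=lambda m: m.ts):
        key = getattr(m, track)
        start, n = state.get(key, (None, 0))
        if start is None or m.ts > start + seconds:
            start, n = m.ts, 0  # window expired: start a new one for this key
        n += 1
        state[key] = (start, n)
        if alert_when(n, count):
            alerts.append(m)
    return alerts


def detection_filter(matches, track, count, seconds):
    """detection_filter: silent until `count` matches, then an alert on every further
    match in the same window (the exploit-pressure rules above)."""
    return _windowed(matches, track, count, seconds, lambda n, c: n > c)


def threshold_limit(matches, track, count, seconds):
    """threshold type limit: at most `count` alerts per key per window (the callback rules)."""
    return _windowed(matches, track, count, seconds, lambda n, c: n <= c)


def rras_tcp_pressure_alerts(packets):
    """sid 5253001: SYNs to RRAS servers from non-approved sources, tracked by destination."""
    matches = [p for p in packets if p.proto == "syn" and p.dst in RRAS_SERVERS
               and p.src not in APPROVED_SCANNERS]
    return detection_filter(matches, "dst", count=80, seconds=60)


def rras_http_callback_alerts(packets):
    """sid 5253003: HTTP from an RRAS host to a non-approved destination, one alert per 900 s."""
    matches = [p for p in packets if p.proto == "http" and p.src in RRAS_SERVERS
               and p.dst not in APPROVED_RRAS_EGRESS]
    return threshold_limit(matches, "src", count=1, seconds=900)


def sample_packets():
    """Constructed traffic, not a capture: an 85-SYN burst in 42 s, a 100-SYN approved scan,
    a slow 1/s probe, ten HTTP sessions from one gateway and two to an approved destination."""
    pkts = [Packet(0.5 * i, "198.51.100.77", "10.10.20.10", "syn") for i in range(85)]
    pkts += [Packet(0.2 * i, "192.0.2.10", "10.10.20.10", "syn") for i in range(100)]
    pkts += [Packet(float(i), "198.51.100.78", "10.10.20.11", "syn") for i in range(300)]
    pkts += [Packet(60.0 * i, "10.10.20.10", "198.51.100.77", "http") for i in range(10)]
    pkts += [Packet(30.0 * i, "10.10.20.11", "203.0.113.10", "http") for i in range(2)]
    return pkts
```

On the constructed traffic the 85-SYN burst yields five alerts (matches 81 to 85), the approved scanner none, and the one-per-second probe none because its window resets before it reaches 80; the ten HTTP sessions from one gateway collapse to a single alert per 900 s. This is why the Tuning Explanation treats the inbound rule as pressure rather than confirmed exploitation, and why the allowlists do more for fidelity than the counts do.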

SentinelOne

Rule Name
• RRAS Service-Context Execution, Credential Access, Persistence, and Artifact-Clearing Analytic

Purpose
• Detect likely successful RRAS exploitation by identifying suspicious service-context execution, credential-access behavior, remote administration, persistence activity, and artifact-clearing on RRAS hosts.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1003 – OS Credential Dumping
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Deep Visibility process telemetry
• Parent-child lineage
• Command-line visibility
• Network connection telemetry
• RRAS host grouping or tags

Tuning Explanation
• Scope only to RRAS-tagged hosts.
• Require svchost.exe parent and high-risk child binaries or high-risk command-line content.
• Favor suspicious CLI indicators, credential-access strings, remote-admin switches, persistence creation, and log-clearing patterns.
• Suppress approved maintenance windows and documented break-glass administration.

Detection Logic
• Detect suspicious service-context child processes from svchost.exe on RRAS hosts.
• Cover command execution, credential access, remote administration, persistence creation, and artifact-clearing.
• Prioritize when followed by outbound callback or internal authentication anomalies.

Operational Context
• Best for RRAS VPN gateways and remote-access servers.
• Treat as high severity when correlated with network anomalies.

System-Ready Code

SentinelOne Deep Visibility Query

(
  EndpointName contains "RRAS"
  or GroupName contains "RRAS"
  or SiteName contains "RRAS"
  or ComputerName contains "RRAS"
)
and SrcProcName = "svchost.exe"
and TgtProcName in (
  "cmd.exe",
  "powershell.exe",
  "pwsh.exe",
  "wscript.exe",
  "cscript.exe",
  "rundll32.exe",
  "wmic.exe",
  "psexec.exe",
  "regsvr32.exe",
  "mshta.exe",
  "procdump.exe",
  "rubeus.exe",
  "mimikatz.exe",
  "wevtutil.exe",
  "schtasks.exe",
  "sc.exe"
)
and (
  TgtProcCmdLine contains " -enc "
  or TgtProcCmdLine contains "Invoke-Expression"
  or TgtProcCmdLine contains "DownloadString"
  or TgtProcCmdLine contains "FromBase64String"
  or TgtProcCmdLine contains "sekurlsa"
  or TgtProcCmdLine contains "lsass"
  or TgtProcCmdLine contains " /node:"
  or TgtProcCmdLine contains " winrm "
  or TgtProcCmdLine contains "\\\\"
  or TgtProcCmdLine contains " cl "
  or TgtProcCmdLine contains "Clear-EventLog"
  or TgtProcCmdLine contains "/create"
  or TgtProcCmdLine contains "create "
  or TgtProcCmdLine contains " start= auto"
)

Splunk

Rule Name
• RRAS Gateway Multi-Signal Execution, Persistence, Callback, and Account Abuse Correlation

Purpose
• Detect suspicious service-context execution on RRAS hosts and correlate it with persistence, network callback, and internal authentication behavior.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1003 – OS Credential Dumping
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Sysmon Event ID 1 or Windows Security Event 4688
• RRAS asset lookup
• Network telemetry data model
• Windows authentication logs

Tuning Explanation
• Restrict to RRAS assets from a maintained lookup.
• Require svchost.exe parent plus suspicious child process and suspicious CLI.
• Increase confidence when the same host also shows outbound callback, persistence-related execution, or internal authentication activity.
• Suppress hosts or periods listed in approved maintenance lookups.

Detection Logic
• Detect suspicious process creation on RRAS hosts.
• Enrich with outbound network activity and internal logon or explicit-credential events from the same host.

Operational Context
• Best for SOC environments with endpoint, network, and authentication visibility.
• Designed for high-fidelity correlation, not broad hunting.

System-Ready Code

| tstats summariesonly=f allow_old_summaries=f earliest(_time) as firstTime latest(_time) as lastTime
  from datamodel=Endpoint.Processes
  where Processes.parent_process_name=svchost.exe
    Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","rundll32.exe","wmic.exe","psexec.exe","regsvr32.exe","mshta.exe","procdump.exe","rubeus.exe","mimikatz.exe","wevtutil.exe","schtasks.exe","sc.exe")
  by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_guid
| rename Processes.* as *
| lookup rras_assets.csv dest OUTPUT dest as matched_dest
| where isnotnull(matched_dest)
| eval suspicious_cli=if(match(process,"(?i)( -enc |invoke-expression|downloadstring|frombase64string|sekurlsa|lsass| /node:| winrm |\\\\\\\\| cl |clear-eventlog|/create|create |start= auto)"),1,0)
| where suspicious_cli=1
| join type=left process_guid [
    | tstats summariesonly=f count as netCount values(All_Traffic.dest_ip) as dest_ips
      from datamodel=Network_Traffic.All_Traffic
      by All_Traffic.process_guid
    | rename All_Traffic.process_guid as process_guid
]
| join type=left dest [
    search index=windows (EventCode=4624 OR EventCode=4648)
    | stats count as authCount values(TargetUserName) as target_users by host
    | rename host as dest
]
| eval risk_score=60 + if(netCount>0,20,0) + if(authCount>0,20,0)
| where risk_score>=80
| table firstTime lastTime dest user parent_process_name process_name process netCount dest_ips authCount target_users risk_score

Elastic

Rule Name
• RRAS Gateway Service Execution, Persistence, and Callback Correlation

Purpose
• Detect suspicious service-context execution on RRAS hosts and correlate it with outbound network activity or persistence-related behavior.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Elastic Defend process telemetry
• Network telemetry
• RRAS host role tags

Tuning Explanation
• Restrict to RRAS-tagged hosts.
• Require suspicious child execution from svchost.exe plus high-risk command-line content.
• Correlate with outbound network activity to reduce false positives.
• Maintain allowlists for approved egress destinations.

Detection Logic
• Detect suspicious service-child execution from RRAS hosts.
• Correlate with outbound callback or persistence-related execution within five minutes.

Operational Context
• Best for Elastic deployments monitoring Windows gateway assets.

System-Ready Code

sequence by host.id with maxspan=5m
  [process where host.roles : "rras_server" and
            process.parent.name == "svchost.exe" and
            process.name in ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","rundll32.exe","wmic.exe","psexec.exe","regsvr32.exe","mshta.exe","procdump.exe","rubeus.exe","mimikatz.exe","wevtutil.exe","schtasks.exe","sc.exe") and
            process.command_line regex~ "(?i).*( -enc |invoke-expression|downloadstring|frombase64string|sekurlsa|lsass| /node:| winrm |\\\\\\\\| cl |clear-eventlog|/create|create |start= auto).*"
  ]
  [network where host.roles : "rras_server" and
            destination.ip != null and
            not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
  ]

QRadar

Rule Name
• RRAS Gateway Multi-Signal Compromise Correlation

Purpose
• Detect likely RRAS compromise through exploit pressure, suspicious service execution, callback behavior, gateway-originated authentication anomalies, and persistence-related execution.

ATT&CK Technique
• T1190 – Exploit Public-Facing Application
• T1059 – Command and Scripting Interpreter
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• QRadar CRE
• Windows process creation events
• Firewall, IDS, and flow telemetry
• Authentication events
• Reference sets for RRAS assets and approved sources

Tuning Explanation
• Scope all logic to RRAS assets only.
• Exclude approved scanners, approved admin sources, known maintenance activity, and approved destinations.
• Require multi-signal chaining before offense generation.
• Treat external callback and gateway-originated internal authentication as confidence multipliers rather than standalone high-severity events.

Detection Logic
• Stage 1 detects inbound exploit pressure to RRAS hosts.
• Stage 2 detects suspicious service-child execution on the same RRAS host.
• Stage 3 correlates with either rare external callback, unusual internal authentication, or persistence-related process execution.

Operational Context
• Best for centralized SOC environments using QRadar offense workflows.
• Intended for production deployment on internet-facing RRAS gateway infrastructure.

System-Ready Code

Reference Set: CYBERDAX_RRAS_ASSETS
Reference Set: CYBERDAX_APPROVED_SCANNERS
Reference Set: CYBERDAX_APPROVED_RRAS_EGRESS
Reference Set: CYBERDAX_APPROVED_ADMIN_SOURCES

Building Block: CYBERDAX_RRAS_Inbound_Pressure
when destination IP is in CYBERDAX_RRAS_ASSETS
and source IP is not in CYBERDAX_APPROVED_SCANNERS
and flow direction is inbound
and destination port is one of 1723, 443, 500, 4500, 1701
and at least 80 events or 120 flows are seen with the same destination IP in 60 seconds

Building Block: CYBERDAX_RRAS_Svchost_Suspicious_Child
when destination IP is in CYBERDAX_RRAS_ASSETS
and event indicates process creation
and Parent Process is "svchost.exe"
and Process Name is one of:
  cmd.exe
  powershell.exe
  pwsh.exe
  wscript.exe
  cscript.exe
  rundll32.exe
  wmic.exe
  psexec.exe
  regsvr32.exe
  mshta.exe
  procdump.exe
  rubeus.exe
  mimikatz.exe
  wevtutil.exe
  schtasks.exe
  sc.exe

Building Block: CYBERDAX_RRAS_Persistence_Or_Artifact_Clearing
when destination IP is in CYBERDAX_RRAS_ASSETS
and event indicates process creation
and Process Name is one of:
  schtasks.exe
  sc.exe
  wevtutil.exe
and CommandLine contains any of:
  "/create"
  "create "
  "start= auto"
  " cl "
  "Clear-EventLog"

Building Block: CYBERDAX_RRAS_New_External_Egress
when source IP is in CYBERDAX_RRAS_ASSETS
and destination IP is not private
and destination is not in CYBERDAX_APPROVED_RRAS_EGRESS
and flow direction is outbound

Building Block: CYBERDAX_RRAS_Internal_Auth_Anomaly
when source IP is in CYBERDAX_RRAS_ASSETS
and source IP is not in CYBERDAX_APPROVED_ADMIN_SOURCES
and event name is one of:
  "Successful Logon"
  "Explicit Credential Logon"
  "Kerberos Service Ticket Requested"
and destination IP is not equal to source IP

Rule: CYBERDAX RRAS Multi-Signal Compromise
when BB:CYBERDAX_RRAS_Inbound_Pressure matches on Local Destination IP
followed by BB:CYBERDAX_RRAS_Svchost_Suspicious_Child matches on same Local Destination IP
within 10 minutes
then create offense
  Severity: 8
  Relevance: 8
  Credibility: 7

Rule: CYBERDAX RRAS Compromise with Callback, Auth Abuse, or Persistence
when BB:CYBERDAX_RRAS_Inbound_Pressure matches on Local Destination IP
followed by BB:CYBERDAX_RRAS_Svchost_Suspicious_Child matches on same Local Destination IP
followed by (
  BB:CYBERDAX_RRAS_New_External_Egress matches on same Source IP
  or BB:CYBERDAX_RRAS_Internal_Auth_Anomaly matches on same Source IP
  or BB:CYBERDAX_RRAS_Persistence_Or_Artifact_Clearing matches on same Local Destination IP
)
within 10 minutes
then create offense
  Severity: 9
  Relevance: 9
  Credibility: 8
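The three-stage chain above, modeled offline in Python as an added example (this is not QRadar rule content): the reference-set members, timestamps and event records are constructed, and the thresholds are the ones the rule text states.

```python
"""Offline model of the three-stage RRAS chain above (added example, not QRadar
rule content).  Reference-set values and every event record are constructed;
the thresholds are the ones the rule text states."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the four reference sets and the rule's literal lists.
RRAS_ASSETS = {"10.10.20.10", "10.10.20.11"}
APPROVED_SCANNERS = {"192.0.2.10"}
APPROVED_EGRESS = {"203.0.113.10"}
APPROVED_ADMIN_SOURCES = {"10.10.5.5"}
RRAS_PORTS = {1723, 443, 500, 4500, 1701}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "wmic.exe", "psexec.exe", "regsvr32.exe", "mshta.exe",
                       "procdump.exe", "rubeus.exe", "mimikatz.exe", "wevtutil.exe", "schtasks.exe", "sc.exe"}
PERSISTENCE_BINS = {"schtasks.exe", "sc.exe", "wevtutil.exe"}
PERSISTENCE_CLI = ("/create", "create ", "start= auto", " cl ", "clear-eventlog")
AUTH_EVENTS = {"Successful Logon", "Explicit Credential Logon", "Kerberos Service Ticket Requested"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PRESSURE_COUNT, PRESSURE_WINDOW, CHAIN_WINDOW = 80, timedelta(seconds=60), timedelta(minutes=10)


def is_internal(ip):
    """'destination IP is not private', using the ranges the AWS and GCP variants spell out."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def inbound_pressure(flows):
    """Stage 1: >= 80 inbound flows to one RRAS asset on an RRAS port within 60 s, approved
    scanners excluded.  Returns {asset: time the threshold was crossed}."""
    per_dst = defaultdict(list)
    for f in flows:
        if f["dst"] in RRAS_ASSETS and f["src"] not in APPROVED_SCANNERS and f["dport"] in RRAS_PORTS:
            per_dst[f["dst"]].append(f["ts"])
    crossed = {}
    for dst, times in per_dst.items():
        times.sort()
        for i in range(len(times) - PRESSURE_COUNT + 1):  # sliding window over sorted timestamps
            if times[i + PRESSURE_COUNT - 1] - times[i] <= PRESSURE_WINDOW:
                crossed[dst] = times[i + PRESSURE_COUNT - 1]
                break
    return crossed


def suspicious_child(p):  # stage 2: service-context child process on an RRAS host
    return (p["host"] in RRAS_ASSETS and p["parent"].lower() == "svchost.exe"
            and p["image"].lower() in SUSPICIOUS_CHILDREN)


def persistence_or_clearing(p):
    return (p["host"] in RRAS_ASSETS and p["image"].lower() in PERSISTENCE_BINS
            and any(tok in p["cmdline"].lower() for tok in PERSISTENCE_CLI))


def new_external_egress(f):
    return f["src"] in RRAS_ASSETS and not is_internal(f["dst"]) and f["dst"] not in APPROVED_EGRESS


def internal_auth_anomaly(a):
    return (a["src"] in RRAS_ASSETS and a["src"] not in APPROVED_ADMIN_SOURCES
            and a["name"] in AUTH_EVENTS and a["dst"] != a["src"])


def correlate(flows, procs, auths):
    """Chain the stages per host inside the 10-minute window.  Returns {host: (severity, signals)}:
    severity 8 for stage 1 + 2 alone, 9 when any stage-3 signal follows stage 2."""
    offenses = {}
    for host, t1 in inbound_pressure(flows).items():
        end = t1 + CHAIN_WINDOW
        stage2 = [p["ts"] for p in procs if p["host"] == host and suspicious_child(p) and t1 <= p["ts"] <= end]
        if not stage2:
            continue
        t2, signals = min(stage2), []
        if any(f["src"] == host and new_external_egress(f) and t2 <= f["ts"] <= end for f in flows):
            signals.append("external_callback")
        if any(a["src"] == host and internal_auth_anomaly(a) and t2 <= a["ts"] <= end for a in auths):
            signals.append("internal_auth_anomaly")
        if any(p["host"] == host and persistence_or_clearing(p) and t2 <= p["ts"] <= end for p in procs):
            signals.append("persistence_or_artifact_clearing")
        offenses[host] = (9 if signals else 8, signals)
    return offenses


T0 = datetime(2026, 3, 15, 12, 0, 0)


def sample_events():
    """Constructed telemetry: the first gateway shows the full chain, the second only noise."""
    burst = lambda src, dst, port: [{"ts": T0 + timedelta(seconds=0.3 * i), "src": src, "dst": dst, "dport": port}
                                    for i in range(85)]          # 85 packets in about 25 s
    flows = burst("198.51.100.7", "10.10.20.10", 1723) + burst("192.0.2.10", "10.10.20.11", 443)  # 2nd: approved scanner
    flows += [{"ts": T0 + timedelta(minutes=3), "src": "10.10.20.10", "dst": "198.51.100.99", "dport": 443},
              {"ts": T0 + timedelta(minutes=3), "src": "10.10.20.10", "dst": "203.0.113.10", "dport": 443}]  # approved egress
    procs = [{"ts": T0 + timedelta(minutes=2), "host": "10.10.20.10", "parent": "svchost.exe",
              "image": "powershell.exe", "cmdline": "powershell.exe -enc AAAAAAAA"},
             {"ts": T0 + timedelta(minutes=4), "host": "10.10.20.10", "parent": "cmd.exe",
              "image": "schtasks.exe", "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Temp\\u.exe"},
             {"ts": T0 + timedelta(minutes=2), "host": "10.10.20.11", "parent": "svchost.exe",
              "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"}]  # stage 2 without stage 1: no offense
    auths = [{"ts": T0 + timedelta(minutes=5), "src": "10.10.20.11", "dst": "10.10.1.20", "name": "Successful Logon"}]
    return flows, procs, auths
```

Running `correlate(*sample_events())` yields an offense only for the first gateway, at severity 9 with the callback and persistence signals; dropping the stage-3 events leaves the severity-8 offense the first rule describes.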

Sigma

Rule Name
• RRAS Gateway Suspicious Execution, Persistence, and Credential Access Indicators

Purpose
• Provide portable detection content for suspicious service-context execution, credential-access indicators, persistence creation, and artifact-clearing behavior on RRAS hosts.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1003 – OS Credential Dumping
• T1078 – Valid Accounts
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Windows process creation logs
• RRAS host enrichment in the backend
• Command-line logging
• Optional backend correlation with network telemetry

Tuning Explanation
• Scope to RRAS-tagged hosts in the SIEM backend.
• Require svchost.exe parent plus high-risk child processes and high-risk command-line indicators.
• Suppress approved maintenance windows and approved administrative activity.
• This rule is intentionally restrictive to reduce noise on service hosts.

Detection Logic
• Detect suspicious child execution from svchost.exe on RRAS hosts.
• Cover command execution, credential-access strings, persistence creation, remote administration, and event-log clearing indicators.

Operational Context
• Best used as portable content across SIEM backends after RRAS host scoping is applied.
• High-confidence use when paired with gateway network anomaly detections.

System-Ready Code

title: CyberDax RRAS Gateway Suspicious Execution
id: 1b2aeb7d-4f5a-47f4-a28d-rras-s25-007
status: stable
description: Detects suspicious child process execution from svchost.exe on RRAS gateway hosts, consistent with post-exploitation, credential access, persistence, artifact-clearing, or remote administration activity.
logsource:
  product: windows
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith: '\svchost.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\rundll32.exe'
      - '\wmic.exe'
      - '\psexec.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
      - '\procdump.exe'
      - '\rubeus.exe'
      - '\mimikatz.exe'
      - '\wevtutil.exe'
      - '\schtasks.exe'
      - '\sc.exe'
  selection_cmd:
    CommandLine|contains:
      - ' -enc '
      - 'Invoke-Expression'
      - 'DownloadString'
      - 'FromBase64String'
      - 'sekurlsa'
      - 'lsass'
      - '\\\\'   # Sigma escaping: four backslashes = the literal two-backslash UNC prefix; a single '\\' would match any Windows path
      - ' /node:'
      - ' winrm '
      - ' cl '
      - 'Clear-EventLog'
      - '/create'
      - 'create '
      - 'start= auto'
  condition: selection_parent and selection_child and selection_cmd
falsepositives:
  - Approved administration on RRAS gateway systems
  - Emergency remediation activity
  - Documented maintenance windows
level: high
tags:
  - attack.t1059
  - attack.t1003
  - attack.t1078
  - attack.t1547
  - attack.t1070
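As an added example (not part of the Sigma rule above), the rule's three selections evaluated offline in Python over constructed process-creation records; the token list is the rule's CommandLine|contains values as a backend sees them after Sigma escaping, with the UNC indicator taken as two consecutive backslashes, which is what the Splunk and Elastic variants encode.

```python
"""Added example (not part of the Sigma rule above): the rule's three selections evaluated
offline over constructed process-creation records.  CMD_TOKENS is the CommandLine|contains
list as a backend sees it after Sigma escaping; the UNC indicator is two consecutive
backslashes, because a single backslash would match nearly every Windows path."""

CHILD_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe",
                "\\rundll32.exe", "\\wmic.exe", "\\psexec.exe", "\\regsvr32.exe", "\\mshta.exe",
                "\\procdump.exe", "\\rubeus.exe", "\\mimikatz.exe", "\\wevtutil.exe",
                "\\schtasks.exe", "\\sc.exe")
CMD_TOKENS = (" -enc ", "Invoke-Expression", "DownloadString", "FromBase64String", "sekurlsa",
              "lsass", "\\\\", " /node:", " winrm ", " cl ", "Clear-EventLog", "/create",
              "create ", "start= auto")


def cmd_hits(cmdline):
    """Tokens of selection_cmd present in cmdline.  Sigma string matching is
    case-insensitive, so both sides are lower-cased."""
    low = cmdline.lower()
    return [t for t in CMD_TOKENS if t.lower() in low]


def sigma_match(parent_image, image, cmdline):
    """condition: selection_parent and selection_child and selection_cmd"""
    return (parent_image.lower().endswith("\\svchost.exe")
            and any(image.lower().endswith(c) for c in CHILD_IMAGES)
            and bool(cmd_hits(cmdline)))


# Constructed records: (ParentImage, Image, CommandLine, verdict the rule should give).
SAMPLE = [
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\wevtutil.exe",
     "wevtutil.exe cl Security", True),                              # event-log clearing
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c dir C:\\Windows\\Temp", False),                     # single backslash: no token
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c copy \\\\fs01\\share\\a.exe C:\\Temp", True),       # UNC prefix
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -enc AAAAAAAA", False),                         # parent is not svchost.exe
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\schtasks.exe",
     "schtasks.exe /create /tn Updater /tr C:\\Temp\\u.exe /sc onlogon", True),
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\sc.exe",
     "sc.exe create MonAgent binPath= C:\\Agent\\agent.exe start= auto", True),  # fires: the documented admin false positive
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "WmiPrvSE.exe -secured -Embedding", False),                     # child not in the list
]


def evaluate(records=SAMPLE):
    """Return [(rule verdict, expected verdict)] for each record."""
    return [(sigma_match(p, i, c), expected) for p, i, c, expected in records]
```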

YARA

Rule Name
• RRAS Gateway Post-Exploitation, Credential Access, Persistence, and Artifact-Clearing Heuristic

Purpose
• Support DFIR and file triage on RRAS hosts by identifying suspicious loader, credential-access, persistence, and log-clearing content.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1003 – OS Credential Dumping
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• File scanning on RRAS systems
• EDR file telemetry
• DFIR collections
• Optional scheduled triage scans of RRAS hosts

Tuning Explanation
• Intended for RRAS host triage rather than direct exploit detection.
• Use on suspected or confirmed RRAS systems or during proactive file sweeps of gateway infrastructure.
• Rule requires multiple indicators to reduce false positives from benign administrative scripts.

Detection Logic
• Identify files containing multiple indicators tied to loader execution, credential dumping, persistence creation, or event-log clearing.

Operational Context
• Best for incident response, hunt, and file triage workflows on RRAS systems.
• Not intended as a perimeter detection.

System-Ready Code

rule CYBERDAX_RRAS_Gateway_PostExploit_Persistence_ArtifactClearing_Heuristic
{
    meta:
        description = "Heuristic for suspicious post-exploitation content on RRAS gateway hosts"
        author = "CyberDax"
        scope = "RRAS gateway DFIR and file triage"
        version = "1.0"

    strings:
        $s1 = "FromBase64String" nocase
        $s2 = "DownloadString" nocase
        $s3 = "Invoke-Expression" nocase
        $s4 = "MiniDumpWriteDump" nocase
        $s5 = "sekurlsa" nocase
        $s6 = "wevtutil cl" nocase
        $s7 = "Clear-EventLog" nocase
        $s8 = "schtasks /create" nocase
        $s9 = "sc create" nocase
        $s10 = "Rubeus" nocase
        $s11 = "mimikatz" nocase

    condition:
        3 of ($s*)
}

AWS

Rule Name
• RRAS EC2 Gateway Suspicious Execution, Persistence, Callback, and Internal Access Correlation

Purpose
• Detect probable RRAS compromise on Windows EC2 RRAS hosts by correlating suspicious service-context execution with outbound callback, anomalous internal access, and persistence-related execution.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Windows process telemetry from EC2 instances
• CloudWatch Logs or Security Lake records
• VPC Flow Logs
• RRAS asset tagging
• Approved destination allowlist

Tuning Explanation
• Scope only to EC2 instances tagged Role=RRAS.
• Maintain allowlists for approved management, monitoring, backup, patching, and update destinations.
• Raise highest severity when suspicious execution is followed by either rare external callback or unusual east-west access on administrative ports.
• Use maintenance-window suppression where available.

Detection Logic
• Detect suspicious child execution from svchost.exe on RRAS-tagged Windows EC2 instances.
• Correlate with either external callback or internal remote-service traffic within five minutes.
• Include persistence or artifact-clearing execution when present.

Operational Context
• Best for AWS-hosted RRAS gateway systems.
• Intended for production deployment with RRAS asset tagging and allowlists in place.

System-Ready Code

WITH suspicious_proc AS (
  SELECT
    host_id,
    event_time,
    process_name,
    command_line
  FROM windows_process_events
  WHERE role = 'RRAS'
    AND lower(parent_name) = 'svchost.exe'
    AND lower(process_name) IN (
      'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
      'rundll32.exe','wmic.exe','psexec.exe','regsvr32.exe','mshta.exe',
      'wevtutil.exe','schtasks.exe','sc.exe'
    )
    AND regexp_like(lower(command_line),
      '( -enc |invoke-expression|downloadstring|frombase64string|\\\\| /node:| winrm | cl |clear-eventlog|/create|create |start= auto)'
    )
),
network_followon AS (
  SELECT
    instance_id,
    from_unixtime(start_time) AS flow_time,
    dstaddr,
    dstport
  FROM vpc_flow_logs
  WHERE action = 'ACCEPT'
),
interesting_followon AS (
  SELECT
    instance_id,
    flow_time,
    dstaddr,
    dstport
  FROM network_followon
  WHERE
    NOT (
      dstaddr LIKE '10.%'
      OR dstaddr LIKE '192.168.%'
      OR regexp_like(dstaddr, '^172\.(1[6-9]|2[0-9]|3[0-1])\.')  -- Athena/Trino string literals keep backslashes as-is, so a literal dot is \. not \\.
      OR dstaddr LIKE '127.%'
    )
    OR dstport IN (135,139,445,3389,5985,5986)
)
SELECT
  p.host_id,
  p.event_time,
  p.process_name,
  p.command_line,
  f.dstaddr,
  f.dstport,
  f.flow_time
FROM suspicious_proc p
JOIN interesting_followon f
  ON p.host_id = f.instance_id
 AND f.flow_time BETWEEN p.event_time AND p.event_time + INTERVAL '5' MINUTE;

Azure

Rule Name
• RRAS Azure VM Suspicious Execution, Persistence, Callback, and Gateway-Originated Access Correlation

Purpose
• Detect probable RRAS compromise on Azure-hosted RRAS systems using process, network, persistence, and authentication context.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Defender XDR process telemetry
• DeviceNetworkEvents
• DeviceLogonEvents or equivalent authentication telemetry
• RRAS watchlist
• Approved destination and admin-source lists

Tuning Explanation
• Restrict to known RRAS Azure VMs.
• Require suspicious service-child execution.
• Correlate with outbound traffic, persistence-related execution, or authentication activity from the same host.
• Suppress approved maintenance windows and approved admin origins.

Detection Logic
• Detect suspicious child execution from svchost.exe on RRAS hosts.
• Correlate with outbound network activity or internal authentication within five minutes.
• Include persistence or log-clearing execution where present.

Operational Context
• Best for Defender and Sentinel environments monitoring Azure-hosted RRAS systems.
• Intended for production deployment with RRAS watchlists maintained.

System-Ready Code

let rras_hosts = _GetWatchlist('rras_hosts') | project SearchKey;
let suspicious_proc =
DeviceProcessEvents
| where DeviceName in (rras_hosts)
| where InitiatingProcessFileName =~ "svchost.exe"
| where FileName in ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","rundll32.exe","wmic.exe","psexec.exe","regsvr32.exe","mshta.exe","wevtutil.exe","schtasks.exe","sc.exe")
| where ProcessCommandLine has_any (" -enc ","Invoke-Expression","DownloadString","FromBase64String","\\"," /node:"," winrm "," cl ","Clear-EventLog","/create","create ","start= auto")
| project DeviceName, ProcTime=Timestamp, FileName, ProcessCommandLine;
let external_egress =
DeviceNetworkEvents
| where DeviceName in (rras_hosts)
| where ipv4_is_private(RemoteIP) == false
| project DeviceName, NetTime=Timestamp, RemoteIP, RemoteUrl;
let internal_auth =
DeviceLogonEvents
| where DeviceName in (rras_hosts)
| where LogonType in ("Network","RemoteInteractive")
| project DeviceName, AuthTime=Timestamp, AccountName;
suspicious_proc
| join kind=leftouter external_egress on DeviceName
| join kind=leftouter internal_auth on DeviceName
| where NetTime between (ProcTime .. ProcTime + 5m)
   or AuthTime between (ProcTime .. ProcTime + 5m)
| project ProcTime, DeviceName, FileName, ProcessCommandLine, NetTime, RemoteIP, RemoteUrl, AuthTime, AccountName

GCP

Rule Name
• RRAS GCE Gateway Suspicious Execution, Persistence, Callback, and Internal Access Correlation

Purpose
• Detect probable RRAS compromise on Windows Compute Engine RRAS systems through suspicious execution, persistence-related behavior, outbound callback, and gateway-originated internal access.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Google SecOps normalized UDM process events
• Network connection telemetry
• RRAS asset labels
• Approved destination allowlists

Tuning Explanation
• Restrict to assets labeled Role=RRAS.
• Require suspicious service-child execution and either outbound or east-west network follow-on.
• Use approved-destination allowlists to reduce noise.
• Flag persistence or artifact-clearing execution where observed.

Detection Logic
• Detect suspicious svchost.exe child execution on RRAS-tagged GCE Windows hosts.
• Correlate with outbound network activity or internal remote-service traffic within five minutes.

Operational Context
• Best for Google SecOps or Chronicle environments monitoring Windows gateway infrastructure.
• Intended for production use with RRAS labels maintained.

System-Ready Code

rule CYBERDAX_RRAS_GCE_Gateway_Suspicious_Execution_Callback_And_Internal_Access
{
  meta:
    author = "CyberDax"
    description = "Detects suspicious svchost child execution on RRAS-tagged GCE Windows hosts followed by outbound or internal remote-service network activity"
    severity = "HIGH"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.asset.labels["Role"] = "RRAS"
    $proc.principal.asset.hostname = $hostname
    $proc.target.process.parent_process.file.full_path regex `(?i)\\svchost\.exe$`
    $proc.target.process.file.full_path regex `(?i)\\(cmd|powershell|pwsh|wscript|cscript|rundll32|wmic|psexec|regsvr32|mshta|wevtutil|schtasks|sc)\.exe$`
    $proc.target.process.command_line regex `(?i)( -enc |invoke-expression|downloadstring|frombase64string|\\\\| /node:| winrm | cl |clear-eventlog|/create|create |start= auto)`

    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.asset.labels["Role"] = "RRAS"
    $net.principal.asset.hostname = $hostname   // same placeholder joins both events on one gateway
    (
      (
        not net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
        and not net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
        and not net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
        and not net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
      )
      or
      ($net.target.port in (135,139,445,3389,5985,5986))
    )

  match:
    $hostname over 5m   // match variables must be placeholders, not event fields

  condition:
    $proc and $net
}

S25 Ultra-Tuned Detection Engineering Rules

Suricata

Rule Name
• RRAS Gateway Exploit Pressure Detection
• RRAS Gateway Rare Callback Detection

Purpose
• Detect exploit pressure against externally exposed RRAS gateway systems.
• Detect rare outbound callback behavior from RRAS gateway hosts after likely compromise.

ATT&CK Technique
• T1190 – Exploit Public-Facing Application
• T1071 – Application Layer Protocol

Telemetry Dependency
• Perimeter IDS visibility
• Confirmed RRAS gateway asset list
• Approved scanner allowlist
• Approved RRAS egress allowlist

Tuning Explanation
• Scope only to confirmed RRAS gateways.
• Exclude approved scanners, health checks, monitoring systems, management systems, and vendor update destinations.
• The inbound analytic detects exploit pressure, not confirmed exploitation.
• The outbound analytic is tuned for rare callback behavior from RRAS gateways, which should not normally originate arbitrary internet sessions.

Detection Logic
• Detect burst-style inbound activity against RRAS-related ports on RRAS assets.
• Detect rare outbound HTTP, TLS, and DNS activity from RRAS hosts to destinations outside the approved RRAS egress set.

Operational Context
• Deploy on perimeter sensors monitoring internet-facing RRAS gateways.
• Highest-confidence use occurs when correlated with endpoint execution telemetry.

System-Ready Code

# Required variables:
# var RRAS_SERVERS [10.10.20.10,10.10.20.11]
# var APPROVED_SCANNERS [192.0.2.10,198.51.100.25]
# var APPROVED_RRAS_EGRESS [203.0.113.10,203.0.113.11]
# port-group RRAS_TCP_PORTS [1723,443]
# port-group RRAS_UDP_PORTS [500,4500,1701]

alert tcp !$APPROVED_SCANNERS any -> $RRAS_SERVERS $RRAS_TCP_PORTS (
    msg:"CYBERDAX RRAS exploit pressure on TCP-exposed gateway";
    flow:to_server;
    flags:S;
    detection_filter:track by_dst,count 80,seconds 60;
    classtype:attempted-admin;
    sid:5254001;
    rev:1;
    metadata:deployment Perimeter, attack_target Server, service rrassvc;
)

alert udp !$APPROVED_SCANNERS any -> $RRAS_SERVERS $RRAS_UDP_PORTS (
    msg:"CYBERDAX RRAS exploit pressure on UDP-exposed gateway";
    detection_filter:track by_dst,count 120,seconds 60;
    classtype:attempted-admin;
    sid:5254002;
    rev:1;
    metadata:deployment Perimeter, attack_target Server, service rrassvc;
)

alert http $RRAS_SERVERS any -> !$APPROVED_RRAS_EGRESS any (
    msg:"CYBERDAX RRAS host rare outbound HTTP callback";
    flow:to_server,established;
    threshold:type limit, track by_src, count 1, seconds 900;
    classtype:trojan-activity;
    sid:5254003;
    rev:1;
    metadata:deployment Perimeter, stage callback;
)

alert tls $RRAS_SERVERS any -> !$APPROVED_RRAS_EGRESS any (
    msg:"CYBERDAX RRAS host rare outbound TLS callback";
    flow:to_server,established;
    threshold:type limit, track by_src, count 1, seconds 900;
    classtype:trojan-activity;
    sid:5254004;
    rev:1;
    metadata:deployment Perimeter, stage callback;
)

alert dns $RRAS_SERVERS any -> !$APPROVED_RRAS_EGRESS 53 (
    msg:"CYBERDAX RRAS host rare outbound DNS query";
    flow:to_server;
    threshold:type limit, track by_src, count 2, seconds 900;
    classtype:trojan-activity;
    sid:5254005;
    rev:1;
    metadata:deployment Perimeter, stage callback;
)

SentinelOne

Rule Name
• RRAS Service-Context Execution, Credential Access, Persistence, and Artifact-Clearing Analytic

Purpose
• Detect likely successful RRAS exploitation by identifying suspicious service-context execution, credential-access behavior, remote administration, persistence activity, and artifact-clearing on RRAS hosts.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1003 – OS Credential Dumping
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Deep Visibility process telemetry
• Parent-child lineage
• Command-line visibility
• Network connection telemetry
• RRAS host grouping or tags

Tuning Explanation
• Scope only to RRAS-tagged hosts.
• Require svchost.exe parent and high-risk child binaries or high-risk command-line content.
• Favor suspicious CLI indicators, credential-access strings, remote-admin switches, persistence creation, and log-clearing patterns.
• Suppress approved maintenance windows and documented break-glass administration.

Detection Logic
• Detect suspicious service-context child processes from svchost.exe on RRAS hosts.
• Cover command execution, credential access, remote administration, persistence creation, and artifact-clearing.
• Prioritize when followed by outbound callback or internal authentication anomalies.

Operational Context
• Best for RRAS VPN gateways and remote-access servers.
• Treat as high severity when correlated with network anomalies.

System-Ready Code

SentinelOne Deep Visibility Query

(
  EndpointName contains "RRAS"
  or GroupName contains "RRAS"
  or SiteName contains "RRAS"
  or ComputerName contains "RRAS"
)
and SrcProcName = "svchost.exe"
and TgtProcName in (
  "cmd.exe",
  "powershell.exe",
  "pwsh.exe",
  "wscript.exe",
  "cscript.exe",
  "rundll32.exe",
  "wmic.exe",
  "psexec.exe",
  "regsvr32.exe",
  "mshta.exe",
  "procdump.exe",
  "rubeus.exe",
  "mimikatz.exe",
  "wevtutil.exe",
  "schtasks.exe",
  "sc.exe"
)
and (
  TgtProcCmdLine contains " -enc "
  or TgtProcCmdLine contains "Invoke-Expression"
  or TgtProcCmdLine contains "DownloadString"
  or TgtProcCmdLine contains "FromBase64String"
  or TgtProcCmdLine contains "sekurlsa"
  or TgtProcCmdLine contains "lsass"
  or TgtProcCmdLine contains " /node:"
  or TgtProcCmdLine contains " winrm "
  or TgtProcCmdLine contains "\\\\"
  or TgtProcCmdLine contains " cl "
  or TgtProcCmdLine contains "Clear-EventLog"
  or TgtProcCmdLine contains "/create"
  or TgtProcCmdLine contains "create "
  or TgtProcCmdLine contains " start= auto"
)

Splunk

Rule Name
• RRAS Gateway Multi-Signal Execution, Persistence, Callback, and Account Abuse Correlation

Purpose
• Detect suspicious service-context execution on RRAS hosts and correlate it with persistence, network callback, and internal authentication behavior.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1003 – OS Credential Dumping
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Sysmon Event ID 1 or Windows Security Event 4688
• RRAS asset lookup
• Network telemetry data model
• Windows authentication logs

Tuning Explanation
• Restrict to RRAS assets from a maintained lookup.
• Require svchost.exe parent plus suspicious child process and suspicious CLI.
• Increase confidence when the same host also shows outbound callback, persistence-related execution, or internal authentication activity.
• Suppress hosts or periods listed in approved maintenance lookups.

Detection Logic
• Detect suspicious process creation on RRAS hosts.
• Enrich with outbound network activity and internal logon or explicit-credential events from the same host.

Operational Context
• Best for SOC environments with endpoint, network, and authentication visibility.
• Designed for high-fidelity correlation, not broad hunting.

System-Ready Code

| tstats summariesonly=f allow_old_summaries=f earliest(_time) as firstTime latest(_time) as lastTime
  from datamodel=Endpoint.Processes
  where Processes.parent_process_name=svchost.exe
    Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","rundll32.exe","wmic.exe","psexec.exe","regsvr32.exe","mshta.exe","procdump.exe","rubeus.exe","mimikatz.exe","wevtutil.exe","schtasks.exe","sc.exe")
  by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_guid
| rename Processes.* as *
| lookup rras_assets.csv dest OUTPUT dest as matched_dest
| where isnotnull(matched_dest)
| eval suspicious_cli=if(match(process,"(?i)( -enc |invoke-expression|downloadstring|frombase64string|sekurlsa|lsass| /node:| winrm |\\\\\\\\| cl |clear-eventlog|/create|create |start= auto)"),1,0)
| where suspicious_cli=1
| join type=left process_guid [
    | tstats summariesonly=f count as netCount values(All_Traffic.dest_ip) as dest_ips
      from datamodel=Network_Traffic.All_Traffic
      by All_Traffic.process_guid
    | rename All_Traffic.process_guid as process_guid
]
| join type=left dest [
    search index=windows (EventCode=4624 OR EventCode=4648)
    | stats count as authCount values(TargetUserName) as target_users by host
    | rename host as dest
]
| eval risk_score=60 + if(netCount>0,20,0) + if(authCount>0,20,0)
| where risk_score>=80
| table firstTime lastTime dest user parent_process_name process_name process netCount dest_ips authCount target_users risk_score

Elastic

Rule Name
• RRAS Gateway Service Execution, Persistence, and Callback Correlation

Purpose
• Detect suspicious service-context execution on RRAS hosts and correlate it with outbound network activity or persistence-related behavior.

ATT&CK Technique
• T1059 – Command and Scripting Interpreter
• T1078 – Valid Accounts
• T1021 – Remote Services
• T1547 – Boot or Logon Autostart Execution
• T1070 – Indicator Removal on Host

Telemetry Dependency
• Elastic Defend process telemetry
• Network telemetry
• RRAS host role tags

Tuning Explanation
• Restrict to RRAS-tagged hosts.
• Require suspicious child execution from svchost.exe plus high-risk command-line content.
• Correlate with outbound network activity to reduce false positives.
• Maintain allowlists for approved egress destinations.

Detection Logic
• Detect suspicious service-child execution from RRAS hosts.
• Correlate with outbound callback or persistence-related execution within five minutes.

Operational Context
• Best for Elastic deployments monitoring Windows gateway assets.

System-Ready Code

sequence by host.id with maxspan=5m
  [process where host.roles : "rras_server" and
            process.parent.name == "svchost.exe" and
            process.name in ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","rundll32.exe","wmic.exe","psexec.exe","regsvr32.exe","mshta.exe","procdump.exe","rubeus.exe","mimikatz.exe","wevtutil.exe","schtasks.exe","sc.exe") and
            process.command_line regex~ "(?i).*( -enc |invoke-expression|downloadstring|frombase64string|sekurlsa|lsass| /node:| winrm |\\\\\\\\| cl |clear-eventlog|/create|create |start= auto).*"
  ]
  [network where host.roles : "rras_server" and
            destination.ip != null and
            not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
  ]

QRadar

Rule Name

·       RRAS Gateway Multi-Signal Compromise Correlation

Purpose

·       Detect likely RRAS compromise through exploit pressure, suspicious service execution, callback behavior, gateway-originated authentication anomalies, and persistence-related execution.

ATT&CK Technique

·       T1190 – Exploit Public-Facing Application

·       T1059 – Command and Scripting Interpreter

·       T1078 – Valid Accounts

·       T1021 – Remote Services

·       T1547 – Boot or Logon Autostart Execution

·       T1070 – Indicator Removal on Host

Telemetry Dependency

·       QRadar CRE

·       Windows process creation events

·       Firewall, IDS, and flow telemetry

·       Authentication events

·       Reference sets for RRAS assets and approved sources

Tuning Explanation

·       Scope all logic to RRAS assets only.

·       Exclude approved scanners, approved admin sources, known maintenance activity, and approved destinations.

·       Require multi-signal chaining before offense generation.

·       Treat external callback and gateway-originated internal authentication as confidence multipliers rather than standalone high-severity events.

Detection Logic

·       Stage 1 detects inbound exploit pressure to RRAS hosts.

·       Stage 2 detects suspicious service-child execution on the same RRAS host.

·       Stage 3 correlates with either rare external callback, unusual internal authentication, or persistence-related process execution.

Operational Context

·       Best for centralized SOC environments using QRadar offense workflows.

·       Intended for production deployment on internet-facing RRAS gateway infrastructure.

System-Ready Code

Reference Set: CYBERDAX_RRAS_ASSETS
Reference Set: CYBERDAX_APPROVED_SCANNERS
Reference Set: CYBERDAX_APPROVED_RRAS_EGRESS
Reference Set: CYBERDAX_APPROVED_ADMIN_SOURCES

Building Block: CYBERDAX_RRAS_Inbound_Pressure
when destination IP is in CYBERDAX_RRAS_ASSETS
and source IP is not in CYBERDAX_APPROVED_SCANNERS
and flow direction is inbound
and destination port is one of 1723, 443, 500, 4500, 1701
and at least 80 events or 120 flows are seen with the same destination IP in 60 seconds

Building Block: CYBERDAX_RRAS_Svchost_Suspicious_Child
when destination IP is in CYBERDAX_RRAS_ASSETS
and event indicates process creation
and Parent Process is "svchost.exe"
and Process Name is one of:
  cmd.exe
  powershell.exe
  pwsh.exe
  wscript.exe
  cscript.exe
  rundll32.exe
  wmic.exe
  psexec.exe
  regsvr32.exe
  mshta.exe
  procdump.exe
  rubeus.exe
  mimikatz.exe
  wevtutil.exe
  schtasks.exe
  sc.exe

Building Block: CYBERDAX_RRAS_Persistence_Or_Artifact_Clearing
when destination IP is in CYBERDAX_RRAS_ASSETS
and event indicates process creation
and Process Name is one of:
  schtasks.exe
  sc.exe
  wevtutil.exe
and CommandLine contains any of:
  "/create"
  "create "
  "start= auto"
  " cl "
  "Clear-EventLog"

Building Block: CYBERDAX_RRAS_New_External_Egress
when source IP is in CYBERDAX_RRAS_ASSETS
and destination IP is not private
and destination is not in CYBERDAX_APPROVED_RRAS_EGRESS
and flow direction is outbound

Building Block: CYBERDAX_RRAS_Internal_Auth_Anomaly
when source IP is in CYBERDAX_RRAS_ASSETS
and source IP is not in CYBERDAX_APPROVED_ADMIN_SOURCES
and event name is one of:
  "Successful Logon"
  "Explicit Credential Logon"
  "Kerberos Service Ticket Requested"
and destination IP is not equal to source IP

Rule: CYBERDAX RRAS Multi-Signal Compromise
when BB:CYBERDAX_RRAS_Inbound_Pressure matches on Local Destination IP
followed by BB:CYBERDAX_RRAS_Svchost_Suspicious_Child matches on same Local Destination IP
within 10 minutes
then create offense
  Severity: 8
  Relevance: 8
  Credibility: 7

Rule: CYBERDAX RRAS Compromise with Callback, Auth Abuse, or Persistence
when BB:CYBERDAX_RRAS_Inbound_Pressure matches on Local Destination IP
followed by BB:CYBERDAX_RRAS_Svchost_Suspicious_Child matches on same Local Destination IP
followed by (
  BB:CYBERDAX_RRAS_New_External_Egress matches on same Source IP
  or BB:CYBERDAX_RRAS_Internal_Auth_Anomaly matches on same Source IP
  or BB:CYBERDAX_RRAS_Persistence_Or_Artifact_Clearing matches on same Local Destination IP
)
within 10 minutes
then create offense
  Severity: 9
  Relevance: 9
  Credibility: 8

Sigma

Rule Name

·       RRAS Gateway Suspicious Execution, Persistence, and Credential Access Indicators

Purpose

·       Provide portable detection content for suspicious service-context execution, credential-access indicators, persistence creation, and artifact-clearing behavior on RRAS hosts.

ATT&CK Technique

·       T1059 – Command and Scripting Interpreter

·       T1003 – OS Credential Dumping

·       T1078 – Valid Accounts

·       T1547 – Boot or Logon Autostart Execution

·       T1070 – Indicator Removal on Host

Telemetry Dependency

·       Windows process creation logs

·       RRAS host enrichment in the backend

·       Command-line logging

·       Optional backend correlation with network telemetry

Tuning Explanation

·       Scope to RRAS-tagged hosts in the SIEM backend.

·       Require svchost.exe parent plus high-risk child processes and high-risk command-line indicators.

·       Suppress approved maintenance windows and approved administrative activity.

·       This rule is intentionally restrictive to reduce noise on service hosts.

Detection Logic

·       Detect suspicious child execution from svchost.exe on RRAS hosts.

·       Cover command execution, credential-access strings, persistence creation, remote administration, and event-log clearing indicators.

Operational Context

·       Best used as portable content across SIEM backends after RRAS host scoping is applied.

·       High-confidence use when paired with gateway network anomaly detections.

System-Ready Code

title: CyberDax RRAS Gateway Suspicious Execution
# Sigma ids must be UUIDs for pySigma/sigma-cli to load the rule; replace this placeholder before deployment
id: 1b2aeb7d-4f5a-47f4-a28d-rras-s25-007
status: stable
description: Detects suspicious child process execution from svchost.exe on RRAS gateway hosts, consistent with post-exploitation, credential access, persistence, artifact-clearing, or remote administration activity.
logsource:
  product: windows
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith: '\svchost.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\rundll32.exe'
      - '\wmic.exe'
      - '\psexec.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
      - '\procdump.exe'
      - '\rubeus.exe'
      - '\mimikatz.exe'
      - '\wevtutil.exe'
      - '\schtasks.exe'
      - '\sc.exe'
  selection_cmd:
    # 'contains' is case-insensitive and matches substrings, so the short tokens below
    # (' cl ', 'create ') depend on selection_parent and selection_child for precision
    CommandLine|contains:
      - ' -enc '
      - 'Invoke-Expression'
      - 'DownloadString'
      - 'FromBase64String'
      - 'sekurlsa'
      - 'lsass'
      - '\\\\'           # UNC prefix (two backslashes); a single backslash would match every Windows path
      - ' /node:'
      - ' winrm '
      - ' cl '           # wevtutil cl
      - 'Clear-EventLog'
      - '/create'        # schtasks /create
      - 'create '        # sc create
      - 'start= auto'
  condition: selection_parent and selection_child and selection_cmd
falsepositives:
  - Approved administration on RRAS gateway systems
  - Emergency remediation activity
  - Documented maintenance windows
level: high
tags:
  - attack.t1059
  - attack.t1003
  - attack.t1078
  - attack.t1547
  - attack.t1070
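The Sigma rule above keys on any svchost.exe parent, which on a Windows server also covers Task Scheduler, WMI and every other service host, so the portable rule leans entirely on the command-line indicators for precision. The following Python is an added example (not CyberDax rule content) that replays the rule's three selections over constructed Sysmon Event ID 1 records and adds the scoping a backend can apply once it knows which svchost.exe instance hosts the RemoteAccess service: the parent PID is looked up from a service-to-PID map, assumed here to have been collected on the host (for example from `tasklist /svc`). The hostnames, PIDs and command lines are constructed. Note that the UNC indicator is two backslashes; a single backslash matches every command line that carries a Windows path.

```python
"""Stage 2 detector: suspicious children of the svchost.exe instance that hosts RRAS.

Added example, not CyberDax rule content. Replays the Sigma rule's three
selections over Sysmon Event ID 1 style records (already parsed into dicts)
and adds one check the portable rule cannot express: the parent must be the
svchost.exe instance hosting the RemoteAccess service, identified through a
service-to-PID map taken from the host (assumed to come from `tasklist /svc`).
All hostnames, PIDs and command lines below are constructed sample data.
"""

# Child images from the Sigma rule's selection_child (compared by basename).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "wmic.exe", "psexec.exe", "regsvr32.exe", "mshta.exe",
    "procdump.exe", "rubeus.exe", "mimikatz.exe", "wevtutil.exe",
    "schtasks.exe", "sc.exe",
}

# Command-line substrings from selection_cmd, lower-cased because Sigma
# 'contains' is case-insensitive. The UNC indicator is two backslashes: a
# single backslash would match every command line that carries a Windows path.
CMD_INDICATORS = [
    " -enc ", "invoke-expression", "downloadstring", "frombase64string",
    "sekurlsa", "lsass", "\\\\", " /node:", " winrm ", " cl ",
    "clear-eventlog", "/create", "create ", "start= auto",
]


def basename(path):
    """Last path component, lower-cased (what Sigma's |endswith '\\name.exe' tests)."""
    return path.rsplit("\\", 1)[-1].lower()


def indicator_hits(command_line):
    """Return the selection_cmd indicators present in a command line."""
    lowered = command_line.lower()
    return [ind for ind in CMD_INDICATORS if ind in lowered]


def matches_sigma(event):
    """selection_parent and selection_child and selection_cmd."""
    return (
        basename(event["ParentImage"]) == "svchost.exe"
        and basename(event["Image"]) in SUSPICIOUS_CHILDREN
        and bool(indicator_hits(event["CommandLine"]))
    )


def rras_scoped_hits(events, service_pids):
    """Sigma matches whose parent is the svchost.exe instance hosting RemoteAccess.

    service_pids maps Windows service name -> PID of its hosting svchost.exe.
    Other svchost instances (Schedule, Winmgmt, ...) spawn children routinely
    and are the main noise source for an unscoped svchost-parent rule.
    """
    rras_pid = service_pids.get("RemoteAccess")
    if rras_pid is None:
        return []
    return [e for e in events
            if e["ParentProcessId"] == rras_pid and matches_sigma(e)]


# Constructed service-to-PID map for a hypothetical gateway "rras-gw01".
SAMPLE_SERVICE_PIDS = {"RemoteAccess": 1432, "Schedule": 980, "Winmgmt": 1104}

SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed Sysmon Event ID 1 records from rras-gw01.
SAMPLE_EVENTS = [
    {"ParentImage": SVCHOST, "ParentProcessId": 1432,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"ParentImage": SVCHOST, "ParentProcessId": 980,   # Task Scheduler host
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn NightlyBackup /tr C:\Scripts\backup.cmd /sc daily"},
    {"ParentImage": SVCHOST, "ParentProcessId": 1432,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c wevtutil cl Security"},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 3300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA"},
    {"ParentImage": SVCHOST, "ParentProcessId": 1432,  # paths only, no indicator
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Scripts\healthcheck.cmd"'},
]

if __name__ == "__main__":
    for e in rras_scoped_hits(SAMPLE_EVENTS, SAMPLE_SERVICE_PIDS):
        print(basename(e["Image"]), indicator_hits(e["CommandLine"]))
```

Run as written, the unscoped replica fires on three of the five records, including the Task Scheduler host creating a backup task, while the RRAS-scoped filter keeps only the two children of PID 1432. The fifth record shows why the UNC indicator must be two backslashes: with a single one, an ordinary script path would have matched.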

YARA

Rule Name

·       RRAS Gateway Post-Exploitation, Credential Access, Persistence, and Artifact-Clearing Heuristic

Purpose

·       Support DFIR and file triage on RRAS hosts by identifying suspicious loader, credential-access, persistence, and log-clearing content.

ATT&CK Technique

·       T1059 – Command and Scripting Interpreter

·       T1003 – OS Credential Dumping

·       T1547 – Boot or Logon Autostart Execution

·       T1070 – Indicator Removal on Host

Telemetry Dependency

·       File scanning on RRAS systems

·       EDR file telemetry

·       DFIR collections

·       Optional scheduled triage scans of RRAS hosts

Tuning Explanation

·       Intended for RRAS host triage rather than direct exploit detection.

·       Use on suspected or confirmed RRAS systems or during proactive file sweeps of gateway infrastructure.

·       Rule requires multiple indicators to reduce false positives from benign administrative scripts.

Detection Logic

·       Identify files containing multiple indicators tied to loader execution, credential dumping, persistence creation, or event-log clearing.

Operational Context

·       Best for incident response, hunt, and file triage workflows on RRAS systems.

·       Not intended as a perimeter detection.

System-Ready Code

rule CYBERDAX_RRAS_Gateway_PostExploit_Persistence_ArtifactClearing_Heuristic
{
    meta:
        description = "Heuristic for suspicious post-exploitation content on RRAS gateway hosts"
        author = "CyberDax"
        scope = "RRAS gateway DFIR and file triage"
        version = "1.0"

    strings:
        $s1 = "FromBase64String" nocase
        $s2 = "DownloadString" nocase
        $s3 = "Invoke-Expression" nocase
        $s4 = "MiniDumpWriteDump" nocase
        $s5 = "sekurlsa" nocase
        $s6 = "wevtutil cl" nocase
        $s7 = "Clear-EventLog" nocase
        $s8 = "schtasks /create" nocase
        $s9 = "sc create" nocase
        $s10 = "Rubeus" nocase
        $s11 = "mimikatz" nocase

    condition:
        3 of ($s*)
}

AWS

Rule Name

·       RRAS EC2 Gateway Suspicious Execution, Persistence, Callback, and Internal Access Correlation

Purpose

·       Detect probable RRAS compromise on Windows EC2 RRAS hosts by correlating suspicious service-context execution with outbound callback, anomalous internal access, and persistence-related execution.

ATT&CK Technique

·       T1059 – Command and Scripting Interpreter

·       T1078 – Valid Accounts

·       T1021 – Remote Services

·       T1547 – Boot or Logon Autostart Execution

·       T1070 – Indicator Removal on Host

Telemetry Dependency

·       Windows process telemetry from EC2 instances

·       CloudWatch Logs or Security Lake records

·       VPC Flow Logs

·       RRAS asset tagging

·       Approved destination allowlist

Tuning Explanation

·       Scope only to EC2 instances tagged Role=RRAS.

·       Maintain allowlists for approved management, monitoring, backup, patching, and update destinations.

·       Raise highest severity when suspicious execution is followed by either rare external callback or unusual east-west access on administrative ports.

·       Use maintenance-window suppression where available.

Detection Logic

·       Detect suspicious child execution from svchost.exe on RRAS-tagged Windows EC2 instances.

·       Correlate with either external callback or internal remote-service traffic within five minutes.

·       Include persistence or artifact-clearing execution when present.

Operational Context

·       Best for AWS-hosted RRAS gateway systems.

·       Intended for production deployment with RRAS asset tagging and allowlists in place.

System-Ready Code

-- Athena (Trino) SQL. String literals are not backslash-escaped here, so the
-- regular expressions below receive the backslashes exactly as written.
WITH suspicious_proc AS (
  SELECT
    host_id,
    event_time,
    process_name,
    command_line
  FROM windows_process_events
  WHERE role = 'RRAS'
    AND lower(parent_name) = 'svchost.exe'
    AND lower(process_name) IN (
      'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
      'rundll32.exe','wmic.exe','psexec.exe','regsvr32.exe','mshta.exe',
      'wevtutil.exe','schtasks.exe','sc.exe'
    )
    -- \\\\ is two literal backslashes (UNC prefix); a single backslash would
    -- match every command line that carries a Windows path
    AND regexp_like(lower(command_line),
      '( -enc |invoke-expression|downloadstring|frombase64string|\\\\| /node:| winrm | cl |clear-eventlog|/create|create |start= auto)'
    )
),
network_followon AS (
  SELECT
    instance_id,
    from_unixtime(start_time) AS flow_time,
    dstaddr,
    dstport
  FROM vpc_flow_logs
  WHERE action = 'ACCEPT'
),
interesting_followon AS (
  SELECT
    instance_id,
    flow_time,
    dstaddr,
    dstport
  FROM network_followon
  WHERE
    -- external callback: destination outside RFC 1918 and loopback space
    -- ('\.' is a literal dot; '\\.' would be a literal backslash plus any character)
    NOT (
      dstaddr LIKE '10.%'
      OR dstaddr LIKE '192.168.%'
      OR regexp_like(dstaddr, '^172\.(1[6-9]|2[0-9]|3[0-1])\.')
      OR dstaddr LIKE '127.%'
    )
    -- or east-west traffic to administrative ports (RPC, NetBIOS, SMB, RDP, WinRM)
    OR dstport IN (135,139,445,3389,5985,5986)
)
SELECT
  p.host_id,
  p.event_time,
  p.process_name,
  p.command_line,
  f.dstaddr,
  f.dstport,
  f.flow_time
FROM suspicious_proc p
JOIN interesting_followon f
  ON p.host_id = f.instance_id
 AND f.flow_time BETWEEN p.event_time AND p.event_time + INTERVAL '5' MINUTE;

Azure

Rule Name

·       RRAS Azure VM Suspicious Execution, Persistence, Callback, and Gateway-Originated Access Correlation

Purpose

·       Detect probable RRAS compromise on Azure-hosted RRAS systems using process, network, persistence, and authentication context.

ATT&CK Technique

·       T1059 – Command and Scripting Interpreter

·       T1078 – Valid Accounts

·       T1021 – Remote Services

·       T1547 – Boot or Logon Autostart Execution

·       T1070 – Indicator Removal on Host

Telemetry Dependency

·       Defender XDR process telemetry

·       DeviceNetworkEvents

·       DeviceLogonEvents or equivalent authentication telemetry

·       RRAS watchlist

·       Approved destination and admin-source lists

Tuning Explanation

·       Restrict to known RRAS Azure VMs.

·       Require suspicious service-child execution.

·       Correlate with outbound traffic, persistence-related execution, or authentication activity from the same host.

·       Suppress approved maintenance windows and approved admin origins.

Detection Logic

·       Detect suspicious child execution from svchost.exe on RRAS hosts.

·       Correlate with outbound network activity or internal authentication within five minutes.

·       Include persistence or log-clearing execution where present.

Operational Context

·       Best for Defender and Sentinel environments monitoring Azure-hosted RRAS systems.

·       Intended for production deployment with RRAS watchlists maintained.

System-Ready Code

// Watchlist SearchKey must match DeviceName as Defender reports it (usually the FQDN).
let rras_hosts = _GetWatchlist('rras_hosts') | project SearchKey;
let suspicious_proc =
DeviceProcessEvents
| where DeviceName in (rras_hosts)
| where InitiatingProcessFileName =~ "svchost.exe"
| where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","rundll32.exe","wmic.exe","psexec.exe","regsvr32.exe","mshta.exe","wevtutil.exe","schtasks.exe","sc.exe")
// "\\\\" is a KQL literal for two backslashes (UNC prefix); "\\" is one backslash and matches every Windows path.
| where ProcessCommandLine has_any (" -enc ","Invoke-Expression","DownloadString","FromBase64String","\\\\"," /node:"," winrm "," cl ","Clear-EventLog","/create","create ","start= auto")
| project DeviceName, ProcTime=Timestamp, FileName, ProcessCommandLine;
// Outbound traffic to public address space; RemoteIPType also excludes loopback and reserved ranges.
let external_egress =
DeviceNetworkEvents
| where DeviceName in (rras_hosts)
| where RemoteIPType == "Public"
| project DeviceName, NetTime=Timestamp, RemoteIP, RemoteUrl;
// DeviceLogonEvents on a host records logons *to* that host, so gateway-originated
// authentication is found on other devices where the remote side is an RRAS gateway.
// RemoteDeviceName may be a short name; keep the watchlist consistent with it.
let internal_auth =
DeviceLogonEvents
| where RemoteDeviceName in (rras_hosts)
| where ActionType == "LogonSuccess"
| where LogonType in ("Network","RemoteInteractive")
| project DeviceName=RemoteDeviceName, TargetDevice=DeviceName, AuthTime=Timestamp, AccountName;
// Time-bound each follow-on separately; a double leftouter join would cross-multiply
// every network event with every logon for the host before filtering.
let egress_hits =
suspicious_proc
| join kind=inner external_egress on DeviceName
| where NetTime between (ProcTime .. ProcTime + 5m)
| project ProcTime, DeviceName, FileName, ProcessCommandLine, FollowOn="external_egress", FollowOnTime=NetTime, Detail=strcat(RemoteIP, " ", RemoteUrl);
let auth_hits =
suspicious_proc
| join kind=inner internal_auth on DeviceName
| where AuthTime between (ProcTime .. ProcTime + 5m)
| project ProcTime, DeviceName, FileName, ProcessCommandLine, FollowOn="gateway_originated_logon", FollowOnTime=AuthTime, Detail=strcat(AccountName, " -> ", TargetDevice);
union egress_hits, auth_hits
| order by ProcTime desc

GCP

Rule Name

·       RRAS GCE Gateway Suspicious Execution, Persistence, Callback, and Internal Access Correlation

Purpose

·       Detect probable RRAS compromise on Windows Compute Engine RRAS systems through suspicious execution, persistence-related behavior, outbound callback, and gateway-originated internal access.

ATT&CK Technique

·       T1059 – Command and Scripting Interpreter

·       T1078 – Valid Accounts

·       T1021 – Remote Services

·       T1547 – Boot or Logon Autostart Execution

·       T1070 – Indicator Removal on Host

Telemetry Dependency

·       Google SecOps normalized UDM process events

·       Network connection telemetry

·       RRAS asset labels

·       Approved destination allowlists

Tuning Explanation

·       Restrict to assets labeled Role=RRAS.

·       Require suspicious service-child execution and either outbound or east-west network follow-on.

·       Use approved-destination allowlists to reduce noise.

·       Flag persistence or artifact-clearing execution where observed.

Detection Logic

·       Detect suspicious svchost.exe child execution on RRAS-tagged GCE Windows hosts.

·       Correlate with outbound network activity or internal remote-service traffic within five minutes.

Operational Context

·       Best for Google SecOps or Chronicle environments monitoring Windows gateway infrastructure.

·       Intended for production use with RRAS labels maintained.

System-Ready Code

rule CYBERDAX_RRAS_GCE_Gateway_Suspicious_Execution_Callback_And_Internal_Access
{
  meta:
    author = "CyberDax"
    description = "Detects suspicious svchost child execution on RRAS-tagged GCE Windows hosts followed by outbound or internal remote-service network activity"
    severity = "HIGH"

  events:
    // Suspicious service-context execution on an RRAS-labelled host (label key is deployment-specific).
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.asset.labels["Role"] = "RRAS"
    $proc.principal.asset.hostname = $host
    re.regex($proc.target.process.parent_process.file.full_path, `(?i)\\svchost\.exe$`)
    re.regex($proc.target.process.file.full_path, `(?i)\\(cmd|powershell|pwsh|wscript|cscript|rundll32|wmic|psexec|regsvr32|mshta|wevtutil|schtasks|sc)\.exe$`)
    // Backtick strings are raw: \\\\ is two literal backslashes (UNC prefix).
    re.regex($proc.target.process.command_line, `(?i)( -enc |invoke-expression|downloadstring|frombase64string|\\\\| /node:| winrm | cl |clear-eventlog|/create|create |start= auto)`)

    // Follow-on network activity from the same host, after the execution event.
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.asset.labels["Role"] = "RRAS"
    $net.principal.asset.hostname = $host
    $net.metadata.event_timestamp.seconds > $proc.metadata.event_timestamp.seconds
    (
      (
        not net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
        and not net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
        and not net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
        and not net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
      )
      or
      (
        $net.target.port = 135 or $net.target.port = 139 or $net.target.port = 445
        or $net.target.port = 3389 or $net.target.port = 5985 or $net.target.port = 5986
      )
    )

  match:
    // $host ties $proc and $net to the same asset; without it the two events are unjoined.
    $host over 5m

  condition:
    $proc and $net
}

Operational Validation Note

·       This rule set covers the validated RRAS report attack path rather than only initial exploit pressure.

·       Coverage includes exploit pressure, service-context execution, external callback, credential-access indicators, persistence-related execution, artifact-clearing, valid-account abuse, and gateway-originated lateral movement.

·       Asset scoping to RRAS gateway systems is mandatory to keep noise low.

·       Final production tuning still requires environment-specific host inventories, allowlists, and maintenance exclusions.

S26 Indicators of Compromise

Indicators associated with the RRAS vulnerability set addressed by KB5084597 and KB508497 are expected to appear primarily as behavioral and infrastructure indicators rather than static malware artifacts. Because RRAS functions as externally exposed gateway infrastructure, the earliest indicators of exploitation typically appear within network traffic patterns, gateway authentication telemetry, and infrastructure communication behavior.

 

Network exploitation indicators

·       Repeated inbound connection attempts targeting RRAS-enabled hosts

·       Elevated connection rates directed toward RRAS protocol ports

Relevant protocol exposure

·       TCP 1723 — PPTP

·       UDP 1701 — L2TP

·       UDP 500 — IKE

·       UDP 4500 — IPsec NAT-T

·       TCP 443 — SSTP VPN (shares the port with ordinary HTTPS, so rate baselines differ from the other RRAS protocols)

Confidence assessment

·       RRAS inbound exploit pressure — Confidence: Moderate

Gateway communication indicators

·       RRAS gateway hosts initiating outbound internet communication not previously observed

·       Gateway hosts communicating with rare or previously unseen external destinations

·       Beacon-like outbound communication originating from gateway infrastructure

Confidence assessment

·       RRAS outbound callback behavior from gateway infrastructure — Confidence: High

Authentication anomaly indicators

·       Authentication attempts originating from RRAS gateway systems

·       Explicit credential logons initiated from gateway infrastructure

·       Gateway hosts authenticating to multiple internal systems within short time intervals

Relevant log artifacts

·       Event ID 4624 — Successful logon

·       Event ID 4648 — Explicit credential logon

·       Event ID 4672 — Privileged logon assigned

Confidence assessment

·       Gateway-originated authentication activity — Confidence: High

Persistence and artifact-clearing indicators

·       Scheduled task creation activity on RRAS hosts

·       Service installation originating from suspicious gateway processes

·       Event log clearing commands executed on gateway infrastructure

Relevant log artifacts

·       Event ID 4698 — Scheduled task created

·       Event ID 7045 — Service installed

·       Event ID 1102 — Audit log cleared

Confidence assessment

·       Persistence or artifact-clearing activity on gateway host — Confidence: High

Infrastructure intelligence assessment

·       No publicly attributed command-and-control infrastructure has been linked to exploitation of these vulnerabilities at the time of analysis

·       No persistent domain clusters, hosting ASN concentration patterns, or TLS certificate reuse patterns have been identified that reliably indicate active exploitation infrastructure

·       Because attacker infrastructure has not yet been attributed, defenders should prioritize behavioral indicators and gateway telemetry rather than static domain or IP indicators

Coverage interpretation

·       Static IOC coverage — Limited

·       Behavioral detection coverage — Strong when endpoint and network telemetry are correlated

S26A Threat-to-Rule Traceability Matrix

This matrix validates the CyberDax rule-accountability requirement by mapping threat behaviors to detection rules and telemetry sources.

RRAS exploit pressure targeting gateway infrastructure

MITRE technique

·       T1190 — Exploit Public-Facing Application

Observable signals

·       Abnormal inbound traffic targeting RRAS ports

Detection rule families

·       Suricata exploit-pressure rules

·       QRadar exploit-pressure correlation rule

Telemetry dependency

·       IDS telemetry

·       Firewall traffic logs

Coverage disposition

·       Partially Detected

RRAS service-context execution on gateway host

MITRE technique

·       T1059 — Command and Scripting Interpreter

Observable signals

·       svchost spawning command interpreters on gateway host

Detection rule families

·       SentinelOne execution detection

·       Splunk process analytics

·       Elastic execution correlation

·       Sigma portable detection rule

Telemetry dependency

·       Endpoint process telemetry

Coverage disposition

·       Detected

Credential access behavior on gateway infrastructure

MITRE technique

·       T1003 — OS Credential Dumping

Observable signals

·       Credential dumping commands

·       LSASS access indicators

Detection rule families

·       SentinelOne behavioral detection

·       Sigma rule indicators

·       YARA credential-access heuristics

Telemetry dependency

·       Endpoint memory and process telemetry

Coverage disposition

·       Partially Detected

Gateway-originated lateral movement

MITRE technique

·       T1021 — Remote Services

Observable signals

·       Gateway host authenticating to internal systems

Detection rule families

·       QRadar authentication correlation

·       Splunk authentication anomaly analytics

·       Azure authentication monitoring rules

·       GCP authentication monitoring rules

Telemetry dependency

·       Authentication logs

·       Identity telemetry

Coverage disposition

·       Detected

Command-and-control communication from gateway host

MITRE technique

·       T1071 — Application Layer Protocol

Observable signals

·       Outbound internet communication initiated by RRAS host

Detection rule families

·       Suricata callback detection

·       Elastic network correlation rule

·       AWS network telemetry analytics

·       Azure network telemetry analytics

·       GCP network telemetry analytics

Telemetry dependency

·       Network flow telemetry

·       DNS telemetry

Coverage disposition

·       Detected

Persistence and artifact-clearing activity

MITRE technique

·       T1547 — Boot or Logon Autostart Execution

·       T1070 — Indicator Removal on Host

Observable signals

·       Scheduled task creation

·       Service installation

·       Event log clearing

Detection rule families

·       SentinelOne persistence detection

·       Sigma persistence detection

·       YARA persistence indicators

Telemetry dependency

·       Endpoint process telemetry

·       Windows event logs

Coverage disposition

·       Partially Detected

S27 Behavior & Log Artifacts

Behavioral artifacts represent the most reliable indicators of exploitation targeting Windows Routing and Remote Access Service (RRAS) infrastructure. Because exploit code is not publicly available, detection depends on correlation of anomalous activity across the three CyberDax telemetry pillars: endpoint process telemetry, DNS or web proxy telemetry, and network communication telemetry.

Primary telemetry pillars

·       Endpoint process telemetry

·       DNS and web proxy telemetry

·       Network communication telemetry

Endpoint process telemetry

Primary telemetry sources

·       Endpoint detection and response platforms

·       Windows Security Logs

·       Sysmon telemetry

Relevant artifact identifiers

·       Event ID 4688 — Process creation

·       Sysmon Event ID 1 — Process creation

Behavioral artifact patterns

Parent process context

·       svchost.exe instances hosting the RemoteAccess (RRAS) service

Observed or suspicious child process indicators

·       powershell.exe

·       cmd.exe

·       rundll32.exe

·       wscript.exe

·       cscript.exe

Execution interpretation

·       svchost.exe instances hosting RRAS service components spawning command interpreters such as powershell.exe or cmd.exe may indicate exploitation or post-exploitation activity originating from RRAS service context

·       unexpected scripting engine execution originating from RRAS service processes may indicate attacker command execution or payload staging activity

·       repeated command interpreter execution under svchost.exe service context may indicate automated exploitation or persistence deployment activity

Suspicious command-line indicators

Encoded PowerShell execution

·       PowerShell commands containing Base64-encoded payloads

·       obfuscated PowerShell execution patterns

Download or execution functions

·       PowerShell download functions retrieving remote payloads

·       execution of remote scripts or binary payloads

Credential access indicators

·       command execution patterns associated with credential dumping tools

·       PowerShell commands referencing LSASS memory access or credential extraction utilities

Network telemetry artifacts

Primary telemetry sources

·       Firewall logs

·       IDS or IPS telemetry

·       Cloud network flow logs

Inbound network indicators

·       repeated inbound connections targeting RRAS service ports

·       distributed scanning activity targeting VPN or remote access gateway infrastructure

·       connection attempts originating from geographically distributed source addresses targeting gateway systems
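An added Python example (not CyberDax content) of the inbound side: it buckets inbound flow records per gateway, RRAS protocol and minute and raises an exploit-pressure signal either on connection rate or on the number of distinct sources, which is how distributed scanning shows up. The port list is the report's; the thresholds (including a higher baseline for SSTP because TCP 443 also carries ordinary HTTPS), the gateway names and the flows themselves are constructed assumptions.

```python
"""Stage 1 detector: inbound exploit pressure against RRAS protocol ports.

Added example, not CyberDax rule content. Buckets inbound flow records
(firewall, IDS or cloud flow logs, already parsed into dicts) per gateway,
RRAS protocol and minute, and emits an 'exploit_pressure' signal when a bucket
exceeds a per-protocol connection threshold or a distinct-source threshold (the
report's distributed-scanning pattern). The port list is the report's; the
thresholds, gateway names and flows are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (transport, port) -> protocol name, from the report's exposure list.
RRAS_PORTS = {
    ("tcp", 1723): "PPTP",
    ("udp", 1701): "L2TP",
    ("udp", 500): "IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("tcp", 443): "SSTP",
}

# Connections per minute that count as pressure. SSTP shares TCP 443 with
# ordinary HTTPS, so its baseline is higher (assumed values, tune per site).
MAX_CONNS_PER_MINUTE = {"PPTP": 30, "L2TP": 30, "IKE": 60, "IPsec NAT-T": 60, "SSTP": 200}
MAX_DISTINCT_SOURCES = 10   # distributed scanning, regardless of protocol


def exploit_pressure_signals(flows):
    """Return one signal per (gateway, protocol, minute) bucket over threshold."""
    buckets = defaultdict(list)
    for flow in flows:
        key = (flow["proto"].lower(), flow["dport"])
        if flow["direction"] != "inbound" or key not in RRAS_PORTS:
            continue
        minute = flow["ts"].replace(second=0, microsecond=0)
        buckets[(flow["dst"], RRAS_PORTS[key], minute)].append(flow["src"])

    signals = []
    for (gateway, protocol, minute), sources in sorted(buckets.items()):
        conns, distinct = len(sources), len(set(sources))
        if conns >= MAX_CONNS_PER_MINUTE[protocol] or distinct >= MAX_DISTINCT_SOURCES:
            signals.append({
                "host": gateway, "ts": minute, "signal": "exploit_pressure",
                "protocol": protocol, "connections": conns, "sources": distinct,
            })
    return signals


def _flow(ts, src, dst, proto, dport, direction="inbound"):
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": dport, "direction": direction}


T0 = datetime(2026, 3, 15, 2, 0, 0)

# Constructed flows against two hypothetical gateways (TEST-NET source ranges).
SAMPLE_FLOWS = (
    # 45 PPTP connections from 3 sources in one minute: rate threshold
    [_flow(T0 + timedelta(seconds=i), f"203.0.113.{i % 3 + 1}", "rras-gw01", "tcp", 1723)
     for i in range(45)]
    # 12 SSTP connections, each from a different source: distributed scanning
    + [_flow(T0 + timedelta(minutes=1, seconds=i * 4), f"198.51.100.{i + 1}", "rras-gw01", "tcp", 443)
       for i in range(12)]
    # 5 IKE sessions from 5 remote users: normal
    + [_flow(T0 + timedelta(minutes=2, seconds=i * 10), f"192.0.2.{i + 1}", "rras-gw02", "udp", 500)
       for i in range(5)]
    # outbound HTTPS from the gateway belongs to the callback stage, not inbound pressure
    + [_flow(T0 + timedelta(minutes=2), "rras-gw02", "198.51.100.200", "tcp", 443, "outbound")]
)

if __name__ == "__main__":
    for s in exploit_pressure_signals(SAMPLE_FLOWS):
        print(s["host"], s["protocol"], s["ts"].time(), s["connections"], s["sources"])
```

The two signals it emits for rras-gw01 differ in kind: the PPTP bucket trips on volume from a handful of sources, the SSTP bucket on source spread at a volume that would be unremarkable for HTTPS. Keeping the two thresholds separate is what lets the SSTP baseline stay high without losing the distributed case.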

Outbound network indicators

·       outbound TLS or HTTP connections originating from RRAS gateway hosts

·       unexpected external network communication originating from gateway infrastructure

·       RRAS hosts initiating outbound connections shortly after suspicious service-context command execution events

DNS and web proxy telemetry artifacts

Primary telemetry sources

·       DNS query logs

·       Web proxy telemetry

Relevant artifact patterns

·       DNS queries originating from RRAS hosts to rare or previously unseen domains

·       DNS beaconing behavior originating from gateway infrastructure

·       periodic DNS query intervals indicating potential command-and-control communication

·       web proxy connections to newly observed domains initiated by RRAS gateway systems

Authentication telemetry artifacts

Primary telemetry sources

·       Domain controller authentication logs

·       Windows Security Logs

Relevant artifact identifiers

·       Event ID 4624 — Successful logon

·       Event ID 4648 — Explicit credential logon

·       Event ID 4672 — Privileged logon

Suspicious behavioral patterns

·       RRAS gateway hosts authenticating to multiple internal systems in rapid succession

·       gateway infrastructure initiating administrative access to internal servers

·       authentication activity originating from RRAS systems outside expected operational patterns

Persistence artifacts

Relevant artifact identifiers

·       Event ID 4698 — Scheduled task created

·       Event ID 7045 — Service installed

Persistence indicators

·       scheduled task creation originating from RRAS service context

·       installation of new services on RRAS gateway systems following suspicious execution activity

Artifact-clearing indicators

Relevant artifact identifiers

·       Event ID 1102 — Audit log cleared

Suspicious artifact patterns

·       clearing of Windows security audit logs on RRAS systems shortly after anomalous execution or authentication activity

Operational interpretation

·       correlation of suspicious RRAS service-context execution with outbound network communication or abnormal authentication activity should be treated as a strong indicator of potential compromise of gateway infrastructure

·       RRAS hosts demonstrating multiple telemetry anomalies across endpoint, network, and authentication domains should be treated as high-priority investigation targets for potential remote code execution exploitation activity

S28 Detection Strategy

The recommended detection strategy for RRAS exploitation follows the CyberDax behavioral detection model which correlates observable signals across multiple telemetry domains.

 

Detection engineering model

Threat behavior
→ Observable telemetry
→ Detection rule
→ SOC investigation signal

Detection stages for RRAS exploitation

Stage 1 — External exploitation attempts

·       Detect abnormal inbound connection patterns targeting RRAS gateway services

Stage 2 — Suspicious gateway execution

·       Detect service-context execution spawning scripting engines or command interpreters

Stage 3 — Command and control callback

·       Detect outbound internet connections initiated by RRAS hosts

Stage 4 — Credential access or lateral movement

·       Detect authentication activity originating from gateway systems

·       Detect remote administration activity initiated by RRAS hosts

Stage 5 — Persistence and artifact clearing

·       Detect scheduled task creation activity

·       Detect service installation events

·       Detect event log clearing commands

Detection prioritization guidance

·       Correlated telemetry signals should be treated as high-confidence compromise indicators

·       Isolated signals should trigger investigative workflows rather than immediate incident declaration

S28A Early Detection Telemetry Correlation Model

The CyberDax early-detection model identifies gateway compromise by correlating anomalies across infrastructure telemetry within defined timing windows.

Signal sequence model

Signal 1 — Exploit pressure against RRAS gateway

·       Inbound traffic spikes targeting RRAS protocol ports

Signal 2 — Suspicious service-context execution

·       svchost spawning scripting or command interpreters

Correlation timing

·       Execution event occurring within 5 minutes of exploit pressure

Signal 3 — Outbound callback behavior

·       RRAS host initiating external network communication

Correlation timing

·       Outbound communication occurring within 10 minutes of suspicious execution

Signal 4 — Authentication anomalies

·       Gateway host initiating internal authentication activity

Correlation timing

·       Authentication events occurring within 10 minutes of suspicious execution

Signal 5 — Persistence or artifact clearing

·       Scheduled task creation

·       Service installation

·       Event log clearing

Correlation timing

·       Persistence or artifact-clearing activity occurring within 15 minutes of suspicious execution

Operational escalation guidance

·       When three or more correlated signals occur within the defined timing windows, the event sequence should be escalated as probable gateway compromise
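To make the timing windows above concrete, here is an added Python example (not CyberDax content) that correlates stage-detector signals for a gateway: the execution event is the anchor, exploit pressure must precede it by at most 5 minutes, callback and authentication must follow within 10, persistence or artifact clearing within 15, and three or more correlated signals escalate the sequence. The authentication signal is derived from gateway-originated logons using a fan-out threshold (three distinct targets in 10 minutes) that the report does not specify and is assumed here; the hostnames and timestamps are constructed.

```python
"""Early-detection correlation for an RRAS gateway, following the S28A signal sequence.

Added example, not CyberDax rule content. Takes per-host signals already
emitted by stage detectors (exploit_pressure, execution, egress, persistence),
derives the authentication signal from gateway-originated logons, applies the
report's timing windows anchored on the suspicious execution event, and
escalates when three or more correlated signals line up. Hostnames, timestamps
and the logon fan-out threshold are constructed assumptions.
"""
from datetime import datetime, timedelta

# Window each signal must fall in, relative to the execution event.
WINDOWS = {
    "exploit_pressure": (timedelta(minutes=-5), timedelta(0)),   # up to 5 min before
    "egress":           (timedelta(0), timedelta(minutes=10)),
    "auth":             (timedelta(0), timedelta(minutes=10)),
    "persistence":      (timedelta(0), timedelta(minutes=15)),
}
ESCALATE_AT = 3   # execution plus at least two more correlated signals


def auth_fanout_signals(logons, min_targets=3, window=timedelta(minutes=10)):
    """Derive 'auth' signals from gateway-originated logons (Event ID 4624/4648).

    A gateway that authenticates to min_targets or more distinct internal
    systems inside `window` matches the report's 'multiple internal systems
    within short time intervals' pattern; the threshold is an assumption.
    """
    by_gateway = {}
    for row in sorted(logons, key=lambda r: r["ts"]):
        by_gateway.setdefault(row["gateway"], []).append(row)

    signals = []
    for gateway, rows in by_gateway.items():
        for i, first in enumerate(rows):
            targets = {r["target"] for r in rows[i:] if r["ts"] - first["ts"] <= window}
            if len(targets) >= min_targets:
                signals.append({"host": gateway, "ts": first["ts"], "signal": "auth",
                                "targets": sorted(targets)})
                break   # one signal per gateway is enough for correlation
    return signals


def correlate(signals):
    """Anchor on each execution signal and collect the others inside their windows."""
    findings = []
    for anchor in (s for s in signals if s["signal"] == "execution"):
        found = {"execution": anchor["ts"]}
        for kind, (lo, hi) in WINDOWS.items():
            for s in signals:
                if (s["host"] == anchor["host"] and s["signal"] == kind
                        and lo <= s["ts"] - anchor["ts"] <= hi):
                    found[kind] = s["ts"]
                    break
        count = len(found)
        if count >= ESCALATE_AT:
            verdict = "probable gateway compromise"
        elif count == 2:
            verdict = "investigate"
        else:
            verdict = "isolated signal"
        findings.append({"host": anchor["host"], "anchor": anchor["ts"],
                         "signals": sorted(found), "verdict": verdict})
    return findings


T0 = datetime(2026, 3, 15, 2, 0, 0)


def minute(n):
    return T0 + timedelta(minutes=n)


# Constructed stage-detector output for two hypothetical gateways.
SAMPLE_SIGNALS = [
    {"host": "rras-gw01", "ts": minute(0),  "signal": "exploit_pressure"},
    {"host": "rras-gw01", "ts": minute(3),  "signal": "execution"},     # svchost -> powershell
    {"host": "rras-gw01", "ts": minute(8),  "signal": "egress"},        # new external destination
    {"host": "rras-gw01", "ts": minute(15), "signal": "persistence"},   # 4698 scheduled task
    {"host": "rras-gw02", "ts": minute(22), "signal": "exploit_pressure"},  # 8 min before execution
    {"host": "rras-gw02", "ts": minute(30), "signal": "execution"},
    {"host": "rras-gw02", "ts": minute(40), "signal": "persistence"},
    {"host": "rras-gw02", "ts": minute(50), "signal": "egress"},        # 20 min after execution
]

# Constructed gateway-originated logons (source gateway, target host, time).
SAMPLE_LOGONS = [
    {"gateway": "rras-gw01", "target": "fs01",  "ts": minute(6)},
    {"gateway": "rras-gw01", "target": "dc01",  "ts": minute(7)},
    {"gateway": "rras-gw01", "target": "app02", "ts": minute(9)},
    {"gateway": "rras-gw02", "target": "dc01",  "ts": minute(31)},
    {"gateway": "rras-gw02", "target": "dc01",  "ts": minute(33)},   # same target, not a fan-out
]


def run_sample():
    return correlate(SAMPLE_SIGNALS + auth_fanout_signals(SAMPLE_LOGONS))


if __name__ == "__main__":
    for f in run_sample():
        print(f["host"], f["verdict"], f["signals"])
```

rras-gw01 escalates with all five signals inside their windows. rras-gw02 has the same raw signal types but its exploit pressure is 8 minutes early and its egress 20 minutes late, so only execution plus persistence correlate and it lands in the investigate tier, which is the distinction the prioritization guidance above draws between correlated and isolated signals.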

S29 Defensive Recommendations

Defensive recommendations translate the detection engineering and threat analysis findings into operational actions designed to reduce the likelihood of successful exploitation of RRAS gateway infrastructure and improve early detection of compromise.

Immediate remediation actions

·       Deploy Microsoft security updates KB5084597 and KB508497 to all affected systems.

·       Prioritize patch deployment on RRAS servers and externally exposed VPN infrastructure.

·       Validate patch installation through enterprise patch management telemetry.

Gateway hardening actions

·       Disable unused RRAS protocols such as PPTP where operationally feasible.

·       Restrict administrative access to RRAS servers to hardened management networks.

·       Require multi-factor authentication for administrative access to gateway infrastructure.

Network exposure reduction

·       Restrict inbound traffic to RRAS services to trusted networks where operationally possible.

·       Implement segmentation between gateway infrastructure and internal enterprise systems.

·       Deploy intrusion detection monitoring on gateway-facing network segments.

Monitoring improvements

·       Enable detailed Windows process creation logging on RRAS servers (audit Process Creation, Event ID 4688, with command-line logging enabled).

·       Deploy endpoint detection and response monitoring on gateway hosts.

·       Forward RRAS host logs to centralized SIEM infrastructure.

SOC operational guidance

·       Monitor inbound network activity targeting RRAS protocol ports.

·       Investigate svchost-initiated command interpreter execution on gateway hosts.

·       Investigate outbound internet communication initiated by RRAS gateway systems.

S30 Security Program Integration

This section integrates the RRAS vulnerability findings and detection guidance into enterprise security governance, vulnerability management, and SOC operational processes.

 

Vulnerability management integration

·       Add the RRAS vulnerability set to enterprise vulnerability tracking systems.

·       Track patch deployment progress through vulnerability management dashboards.

·       Validate patch deployment across all externally exposed gateway infrastructure.

Detection engineering integration

·       Maintain detection rules targeting service-context command execution.

·       Maintain correlation rules identifying gateway-origin authentication anomalies.

·       Maintain monitoring of outbound communications from RRAS hosts.

Security operations integration

·       Integrate gateway compromise detection scenarios into SOC monitoring procedures.

·       Incorporate RRAS exploitation indicators into threat hunting playbooks.

·       Ensure incident response teams maintain procedures for gateway infrastructure compromise.

Governance and risk integration

·       Incorporate gateway infrastructure exposure into enterprise risk registers.

·       Document patch deployment status and detection coverage for audit purposes.

·       Validate monitoring coverage during security control audits.

S31 Detection Coverage Summary

This section evaluates the current detection coverage for behaviors associated with exploitation of RRAS gateway infrastructure.

 

Detected behaviors

·       Gateway-origin authentication activity within internal networks.

·       Outbound command-and-control communication from gateway infrastructure.

Partially detected behaviors

·       Exploit attempts targeting RRAS network services.

·       Suspicious service-context execution on RRAS hosts when endpoint telemetry coverage is incomplete.

·       Credential access activity following gateway compromise.

·       Persistence establishment on RRAS gateway hosts.

Conditional post-exploitation behaviors

Not observed in currently available reporting; these may occur during post-exploitation depending on attacker objectives and target environment.

·       Lateral movement using compromised gateway credentials.

·       Data exfiltration activity originating from gateway infrastructure.

·       Privilege escalation on gateway hosts.

Detection visibility assessment

·       Network telemetry provides early visibility into exploit attempts targeting gateway services.

·       Endpoint telemetry provides the most reliable detection of post-exploitation execution behavior.

·       Authentication telemetry enables detection of gateway-origin lateral movement attempts.

S32 Detection Engineering Matrix

The detection engineering matrix maps RRAS exploitation behaviors to telemetry sources and detection rule families.

 

Exploit pressure targeting RRAS services

Threat behavior

External attacker attempts exploitation of RRAS public-facing service.

MITRE technique

·       T1190 — Exploit Public-Facing Application.

Primary telemetry sources

·       IDS and IPS telemetry.

·       Firewall traffic logs.

Detection rule families

·       Suricata network detection rules.

·       QRadar network correlation rules.

Coverage assessment

·       Partially detected through network anomaly monitoring.

Suspicious gateway execution

Threat behavior

·       Command execution within RRAS service context.

MITRE technique

·       T1059 — Command and Scripting Interpreter.

Primary telemetry sources

·       Endpoint process telemetry.

·       Windows process creation logs.

Detection rule families

·       SentinelOne execution detection rules.

·       Splunk process analytics.

·       Elastic endpoint detection rules.

·       Sigma portable detection rules.

Coverage assessment

·       Detected when endpoint telemetry is present on gateway hosts.
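
The rule family above reduces to one question on process-creation telemetry: did a command interpreter start underneath the svchost.exe instance that hosts the RemoteAccess service? The following is an added example, not code from the original report or from any of the named vendors. It evaluates that logic over constructed Sysmon Event ID 1 / Security 4688 style events; the host names, timestamps, command lines and the two-tier scoring are assumptions, as is the reliance on the "-s RemoteAccess" service tag that only service-specific svchost instances carry.

```python
"""Flag command interpreters launched from the RRAS service context.

Added example, not code from the original report. It runs over constructed
process-creation events shaped like Sysmon Event ID 1 / Security 4688 fields.
Assumption: RRAS runs as the RemoteAccess service inside svchost.exe. On
builds that give each service its own svchost the parent command line names
the service ("-s RemoteAccess"); on shared hosts only the "-k netsvcs" group
is visible, so those hits are scored lower.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Interpreters and LOLBins an RRAS service host has no reason to launch.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
SYSTEM_ACCOUNTS = {r"nt authority\system", "system"}


@dataclass(frozen=True)
class Alert:
    host: str
    utc_time: str
    severity: str  # "high" or "medium"
    parent_command_line: str
    command_line: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: dict) -> str | None:
    """Return a severity for one event, or None when nothing is suspicious."""
    if _basename(event.get("Image", "")) not in INTERPRETERS:
        return None
    if _basename(event.get("ParentImage", "")) != "svchost.exe":
        return None
    parent_cmd = event.get("ParentCommandLine", "").lower()
    # Service-specific svchost: the parent names RemoteAccess itself.
    if "-s remoteaccess" in parent_cmd:
        return "high"
    # Shared netsvcs host running as SYSTEM: RRAS cannot be proven, but an
    # interpreter under a SYSTEM service host still deserves triage. Task
    # Scheduler (-s Schedule) legitimately spawns interpreters and is the
    # usual source of noise in this lower tier.
    if "-k netsvcs" in parent_cmd and event.get("User", "").lower() in SYSTEM_ACCOUNTS:
        return "medium"
    return None


def detect_service_context_execution(events: list[dict]) -> list[Alert]:
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity:
            alerts.append(Alert(ev["Computer"], ev["UtcTime"], severity,
                                ev["ParentCommandLine"], ev["CommandLine"]))
    return alerts


# Constructed sample events; hosts, times and command lines are made up.
SAMPLE_EVENTS = [
    {"Computer": "RRAS01", "UtcTime": "2026-03-14 09:02:11",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE", "CommandLine": "cmd.exe",
     "User": r"CORP\jdoe"},                       # user shell, benign
    {"Computer": "RRAS01", "UtcTime": "2026-03-14 09:03:40",
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s RemoteAccess",
     "User": r"NT AUTHORITY\SYSTEM"},             # service start, benign
    {"Computer": "RRAS01", "UtcTime": "2026-03-14 09:04:02",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s RemoteAccess",
     "CommandLine": r"cmd.exe /c whoami > C:\Windows\Temp\o.txt",
     "User": r"NT AUTHORITY\SYSTEM"},             # interpreter under RRAS -> high
    {"Computer": "RRAS02", "UtcTime": "2026-03-14 09:05:19",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "CommandLine": r"powershell.exe -nop -w hidden -File C:\Windows\Temp\u.ps1",
     "User": r"NT AUTHORITY\SYSTEM"},             # shared netsvcs host -> medium
    {"Computer": "RRAS02", "UtcTime": "2026-03-14 09:06:00",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "CommandLine": r"cmd.exe /c backup.bat", "User": r"CORP\svc_backup"},  # scheduled task, ignored
]

if __name__ == "__main__":
    for alert in detect_service_context_execution(SAMPLE_EVENTS):
        print(alert.severity.upper(), alert.host, alert.utc_time, alert.command_line)
```

The same selection translates directly into a Sigma rule (ParentImage ending in svchost.exe, ParentCommandLine containing RemoteAccess, Image in the interpreter list). The medium tier exists because EDR products and older builds do not always expose the per-service tag; if ParentCommandLine is missing from your telemetry entirely, only the medium tier can fire and the hardening step of enabling command-line logging in process creation events becomes a prerequisite for this coverage.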

Credential access behavior

Threat behavior

·       Credential theft following gateway compromise.

MITRE technique

·       T1003 — OS Credential Dumping.

Primary telemetry sources

·       Endpoint memory telemetry.

·       Windows security logs.

Detection rule families

·       SentinelOne credential access detection.

·       Sigma credential-access detection rules.

·       YARA credential artifact detection.

Coverage assessment

·       Partially detected depending on endpoint monitoring coverage.

Gateway-origin lateral movement

Threat behavior

·       Compromised RRAS host authenticates to internal systems.

MITRE technique

·       T1021 — Remote Services.

Primary telemetry sources

·       Active Directory authentication logs.

·       Identity monitoring telemetry.

Detection rule families

·       QRadar authentication correlation rules.

·       Splunk authentication anomaly analytics.

·       Azure identity monitoring analytics.

·       GCP identity monitoring analytics.

Coverage assessment

·       Detected through authentication anomaly monitoring.
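
An RRAS gateway has a small and stable set of internal hosts it authenticates to (the domain controllers and, where used, the NPS server); a compromised gateway produces logons to hosts outside that set, often under a user account rather than the gateway's machine account. The following is an added example, not code from the original report, that applies that baseline-and-deviation logic to constructed Security 4624 events as collected from internal hosts. The gateway address 10.10.5.20, machine account RRAS01$, host names and all sample events are assumptions.

```python
"""Flag logons originating from an RRAS gateway to hosts it does not normally reach.

Added example, not code from the original report. Runs over constructed
Security 4624 (successful logon) events reduced to the fields the logic
needs. Assumptions: the gateway's internal IP and machine account are known,
a known-good learning window supplies the destination hosts it legitimately
authenticates to, and RDP from a gateway is never expected.
"""
from __future__ import annotations

from dataclasses import dataclass

GATEWAY_IPS = {"10.10.5.20"}             # assumption: RRAS01 internal interface
GATEWAY_MACHINE_ACCOUNTS = {"rras01$"}   # assumption: the gateway's computer account
RDP_LOGON_TYPE = "10"


@dataclass(frozen=True)
class LogonEvent:
    computer: str     # host that recorded the 4624
    target_user: str  # TargetUserName
    logon_type: str   # LogonType as the event XML carries it (a string)
    ip_address: str   # IpAddress, the source of the logon
    time: str


@dataclass(frozen=True)
class Finding:
    computer: str
    target_user: str
    time: str
    severity: str
    reason: str


def from_gateway(events: list[LogonEvent]) -> list[LogonEvent]:
    return [e for e in events if e.ip_address in GATEWAY_IPS]


def build_baseline(learning_events: list[LogonEvent]) -> set[str]:
    """Destination hosts the gateway authenticated to during a known-good window."""
    return {e.computer for e in from_gateway(learning_events)}


def detect_gateway_origin_logons(events: list[LogonEvent], baseline: set[str]) -> list[Finding]:
    findings = []
    for e in from_gateway(events):
        machine_account = e.target_user.lower() in GATEWAY_MACHINE_ACCOUNTS
        if e.logon_type == RDP_LOGON_TYPE:
            # A gateway never needs an interactive remote session anywhere.
            severity, reason = "high", "RDP session initiated from gateway"
        elif e.computer in baseline:
            continue  # expected destination, expected logon type
        elif not machine_account:
            # A user or service credential presented from the gateway to a new
            # host is the signature of stolen credentials being replayed.
            severity, reason = "high", "user credential used from gateway to new host"
        else:
            severity, reason = "medium", "gateway machine account reached new host"
        findings.append(Finding(e.computer, e.target_user, e.time, severity, reason))
    return findings


# Constructed sample events; hosts, accounts and times are made up.
LEARNING_EVENTS = [
    LogonEvent("DC01", "RRAS01$", "3", "10.10.5.20", "2026-03-01T08:00:00Z"),
    LogonEvent("NPS01", "RRAS01$", "3", "10.10.5.20", "2026-03-01T08:05:00Z"),
    LogonEvent("FS01", "jdoe", "3", "10.10.8.15", "2026-03-01T09:00:00Z"),   # not the gateway
]
LIVE_EVENTS = [
    LogonEvent("DC01", "RRAS01$", "3", "10.10.5.20", "2026-03-14T09:10:00Z"),      # baseline, ignored
    LogonEvent("FS01", "svc_backup", "3", "10.10.5.20", "2026-03-14T09:41:00Z"),   # high
    LogonEvent("FS02", "RRAS01$", "3", "10.10.5.20", "2026-03-14T09:43:00Z"),      # medium
    LogonEvent("DC01", "t1admin", "10", "10.10.5.20", "2026-03-14T09:50:00Z"),     # high (RDP)
    LogonEvent("FS01", "jdoe", "3", "10.10.8.15", "2026-03-14T10:00:00Z"),         # not the gateway
]

if __name__ == "__main__":
    baseline = build_baseline(LEARNING_EVENTS)
    for f in detect_gateway_origin_logons(LIVE_EVENTS, baseline):
        print(f.severity.upper(), f.computer, f.target_user, f.time, f.reason)
```

The baseline is keyed on destination host rather than on (host, account) pairs because VPN user authentication through NPS surfaces as credential validation events attributed to the gateway, and keying on the account would churn with every new VPN user. The learning window must therefore cover ordinary VPN usage, and the baseline should be rebuilt after legitimate changes such as adding a domain controller.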

Command-and-control communication

Threat behavior

·       Compromised gateway communicates with attacker infrastructure.

MITRE technique

·       T1071 — Application Layer Protocol.

Primary telemetry sources

·       Network flow telemetry.

·       DNS telemetry.

Detection rule families

·       Suricata callback detection rules.

·       Elastic network analytics.

·       AWS network telemetry analytics.

·       Azure network telemetry analytics.

·       GCP network telemetry analytics.

Coverage assessment

·       Detected through network telemetry correlation.

S33 Strategic Defensive Improvements

Strategic defensive improvements focus on strengthening enterprise security architecture to reduce the likelihood of successful exploitation of Windows Routing and Remote Access Service (RRAS) infrastructure and improve early compromise detection.

Gateway infrastructure hardening

·       Restrict administrative access to RRAS servers to hardened management networks.

·       Disable unnecessary RRAS protocols that are not required for business operations.

·       Require multi-factor authentication for administrative access to RRAS gateway systems.

Patch governance improvements

·       Integrate out-of-band security updates into enterprise patch governance workflows.

·       Prioritize patch deployment for externally exposed RRAS systems.

·       Validate patch deployment across RRAS gateway systems using enterprise vulnerability management platforms.

Telemetry visibility improvements

·       Deploy endpoint detection and response monitoring on all RRAS servers.

·       Enable detailed Windows process creation logging on RRAS gateway systems.

·       Centralize Windows security logs from RRAS systems into enterprise SIEM platforms.

Threat monitoring improvements

·       Monitor inbound network activity targeting RRAS protocol ports.

·       Monitor outbound communications initiated by RRAS gateway systems.

·       Correlate network anomalies with endpoint execution telemetry.

Control impact mapping

·       Gateway segmentation reduces attacker ability to pivot into internal networks.

·       Endpoint telemetry enables detection of service-context execution anomalies.

·       SIEM correlation enables detection of multi-stage compromise patterns.

S34 Defensive Control & Hardening Architecture

The defensive architecture for RRAS gateway systems should follow a layered security model combining preventative controls, detection telemetry, and incident response capabilities.

Perimeter protection layer

·       Firewall controls restricting inbound access to RRAS services.

·       Network intrusion detection systems monitoring traffic targeting RRAS servers.

·       Network segmentation between RRAS gateway systems and internal enterprise networks.

Endpoint protection layer

·       Endpoint detection and response monitoring deployed on RRAS hosts.

·       Host-based monitoring detecting suspicious service-context execution.

·       Logging of command execution initiated by Windows service processes.

Identity protection layer

·       Monitoring authentication activity originating from RRAS servers.

·       Privileged account monitoring to detect credential misuse.

·       Multi-factor authentication enforcement for administrative gateway access.

Network telemetry layer

·       Network flow monitoring capturing inbound and outbound RRAS traffic.

·       DNS telemetry monitoring suspicious domain lookups from RRAS systems.

·       Proxy monitoring identifying anomalous outbound internet communication.

Security operations layer

·       SIEM correlation detecting multi-stage compromise behavior.

·       Threat hunting procedures targeting RRAS exploitation indicators.

·       Incident response procedures for compromise of RRAS gateway systems.

Operational outcome

·       Layered defensive controls reduce exposure to exploitation of RRAS services.

·       Behavioral telemetry improves detection of post-exploitation activity.

·       SOC response procedures reduce attacker dwell time.

S35 Defensive Gap Analysis

Defensive gap analysis identifies areas where current controls may be insufficient to reliably detect or prevent exploitation of RRAS gateway systems.

Exposure gaps

·       RRAS servers directly exposed to the internet increase the likelihood of exploitation attempts.

·       Legacy VPN protocols such as PPTP may increase attack surface exposure.

Telemetry gaps

·       Organizations lacking endpoint telemetry on RRAS systems have limited visibility into post-exploitation activity.

·       Lack of DNS monitoring reduces the ability to identify command-and-control communication.

Detection gaps

·       Network scanning activity targeting RRAS services may resemble routine internet traffic.

·       Credential theft performed entirely in memory may evade signature-based detection mechanisms.

Operational gaps

·       Security teams may lack detection rules specifically targeting RRAS service-context execution behavior.

·       Incident response playbooks may not specifically address RRAS gateway compromise scenarios.

Risk interpretation

·       RRAS gateway systems represent a high-value attack surface because of their position between external networks and internal systems.

·       Detection strategies must prioritize behavioral monitoring rather than static indicators.

S36 Intelligence Maturity Assessment

The CyberDax Intelligence Maturity Model evaluates organizational readiness to detect and respond to exploitation of vulnerabilities in public-facing RRAS gateway systems.

Threat detection maturity

·       Organizations with endpoint telemetry and SIEM correlation have higher probability of detecting RRAS compromise.

·       Organizations relying solely on firewall logs have limited visibility into post-exploitation behavior.

Telemetry coverage maturity

·       Mature environments collect endpoint process telemetry from RRAS gateway systems.

·       Mature environments correlate network, endpoint, and authentication telemetry.

Detection engineering maturity

·       Mature SOC environments maintain detection rules targeting RRAS service-context command execution.

·       Mature SOC environments maintain correlation rules identifying gateway-origin authentication anomalies.

Response readiness maturity

·       Mature organizations maintain incident response procedures addressing compromise of RRAS gateway systems.

·       Mature organizations conduct threat hunting targeting RRAS exploitation behaviors.

Control effectiveness score

·       Preventative controls effectiveness — Moderate.

·       Detection capability effectiveness — Moderate to High when endpoint telemetry is deployed.

·       Response readiness effectiveness — Variable depending on SOC maturity.

Audit evidence statement

·       Patch deployment evidence can be validated through enterprise patch management systems.

·       Monitoring coverage evidence can be validated through SIEM telemetry ingestion records.

·       Endpoint protection coverage can be validated through EDR deployment inventories.

Security program integration note

·       RRAS gateway systems should be incorporated into enterprise vulnerability management workflows.

·       Detection engineering teams should maintain behavioral rules targeting RRAS execution anomalies.

·       Security architecture teams should prioritize segmentation and monitoring of internet-facing services.

S37 Defensive Implementation Roadmap

The defensive implementation roadmap provides a prioritized sequence of actions organizations should take to reduce exposure to exploitation of Windows Routing and Remote Access Service (RRAS) infrastructure and improve detection capability.

Immediate actions

·       Deploy Microsoft security updates addressing CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111 across all affected Windows systems.

·       Validate patch deployment on RRAS servers through enterprise patch management platforms.

·       Review firewall policies governing RRAS services and restrict inbound access to trusted networks where operationally feasible.

Short-term improvements

·       Deploy endpoint detection and response monitoring on all RRAS servers.

·       Enable detailed Windows process creation logging on RRAS gateway systems.

·       Forward Windows security logs from RRAS hosts to centralized SIEM platforms.

·       Deploy network intrusion detection monitoring for traffic targeting RRAS protocol ports.

Medium-term improvements

·       Segment RRAS gateway systems from internal enterprise networks using network access control policies.

·       Implement multi-factor authentication for administrative access to RRAS servers.

·       Integrate RRAS compromise scenarios into SOC monitoring procedures and incident response playbooks.

Long-term security posture improvements

·       Establish regular validation of externally exposed services within enterprise vulnerability management workflows.

·       Conduct periodic threat hunting focused on public-facing infrastructure compromise patterns.

·       Integrate gateway infrastructure monitoring into enterprise attack surface management programs.

S38 Detection Improvement Projection

Detection improvement projection evaluates how security posture improves as recommended monitoring controls and telemetry coverage are implemented.

Baseline detection posture

·       Organizations relying primarily on firewall telemetry have limited visibility into post-exploitation activity on RRAS gateway systems.

·       Detection capability is primarily limited to observing inbound network scanning activity.

Enhanced detection posture with endpoint telemetry

·       Endpoint detection and response monitoring enables detection of suspicious service-context execution on RRAS hosts.

·       Process creation telemetry enables correlation of command interpreter activity initiated by Windows service processes.

Enhanced detection posture with telemetry correlation

·       SIEM correlation of endpoint, authentication, and network telemetry enables detection of multi-stage compromise patterns.

·       Gateway-origin authentication anomalies can be identified through centralized identity telemetry.
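
The correlation step described here, and in the S33 recommendation to correlate network anomalies with endpoint execution telemetry, is what turns three individually noisy signals (an IDS hit on an RRAS listener, an interpreter under the service host, a gateway logon to a new internal host) into one incident. The following is an added example, not code from the original report or from any SIEM vendor, of that multi-stage correlation over already-normalized alerts. The stage names, the 24-hour window, the ordering and severity rules, and the sample alerts are all assumptions.

```python
"""Correlate network, endpoint and identity alerts on one gateway host into an incident.

Added example, not code from the original report. It takes already-normalized
alerts (constructed below) from the three telemetry classes the report names
and fires an incident when stages of the intrusion land on the same RRAS host
in order within a window. Stage names, window length, severity rule and the
sample alerts are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Rank of each stage; a chain only extends forward (equal rank is allowed).
STAGE_ORDER = {
    "exploit_attempt": 0,            # IDS hit on an RRAS listener (network)
    "service_context_execution": 1,  # interpreter under the RemoteAccess svchost (endpoint)
    "credential_access": 2,          # LSASS access on the gateway (endpoint)
    "gateway_origin_logon": 3,       # gateway authenticates to a new host (identity)
    "c2_beacon": 3,                  # periodic outbound to unknown infrastructure (network)
}
WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class StageAlert:
    source: str   # "network", "endpoint" or "identity"
    stage: str
    host: str
    ts: datetime


@dataclass(frozen=True)
class Incident:
    host: str
    first: datetime
    last: datetime
    stages: tuple[str, ...]
    severity: str


def _qualifies(chain: list[StageAlert]) -> bool:
    # Two distinct stages seen by two distinct telemetry classes: a single
    # noisy sensor cannot create an incident on its own.
    return len({a.stage for a in chain}) >= 2 and len({a.source for a in chain}) >= 2


def _to_incident(chain: list[StageAlert]) -> Incident:
    stages = tuple(dict.fromkeys(a.stage for a in chain))  # unique, in order seen
    severity = "high" if len(stages) >= 3 else "medium"
    return Incident(chain[0].host, chain[0].ts, chain[-1].ts, stages, severity)


def correlate(alerts: list[StageAlert]) -> list[Incident]:
    by_host: dict[str, list[StageAlert]] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)
    incidents = []
    for seq in by_host.values():
        chain: list[StageAlert] = []
        for a in seq:
            # The chain breaks when the window anchored at its first alert
            # expires or the new alert would step backwards in the kill chain.
            broken = chain and (
                a.ts - chain[0].ts > WINDOW
                or STAGE_ORDER[a.stage] < STAGE_ORDER[chain[-1].stage]
            )
            if broken:
                if _qualifies(chain):
                    incidents.append(_to_incident(chain))
                chain = []
            chain.append(a)
        if _qualifies(chain):
            incidents.append(_to_incident(chain))
    return incidents


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample alerts from the three telemetry classes.
SAMPLE_ALERTS = [
    StageAlert("network", "exploit_attempt", "RRAS01", _t("2026-03-14T09:00:00")),
    StageAlert("endpoint", "service_context_execution", "RRAS01", _t("2026-03-14T09:04:00")),
    StageAlert("identity", "gateway_origin_logon", "RRAS01", _t("2026-03-14T11:30:00")),
    StageAlert("network", "exploit_attempt", "RRAS02", _t("2026-03-14T08:00:00")),  # scanning noise
    StageAlert("network", "exploit_attempt", "RRAS02", _t("2026-03-14T08:05:00")),
    StageAlert("network", "exploit_attempt", "RRAS03", _t("2026-03-11T03:00:00")),  # outside the window
    StageAlert("network", "c2_beacon", "RRAS03", _t("2026-03-14T03:00:00")),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc.severity.upper(), inc.host, inc.first, "->", inc.last, inc.stages)
```

Only RRAS01 produces an incident: RRAS02 shows one stage from one sensor, which is the "scanning resembles routine internet traffic" gap named earlier, and RRAS03's two stages fall outside the window. The cross-source requirement is deliberate; it means this rule never fires on firewall telemetry alone, which is the baseline posture described above, and starts earning its keep exactly when endpoint or identity telemetry from the gateway is added.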

Advanced detection posture

·       Mature organizations implement threat hunting procedures targeting suspicious activity originating from gateway infrastructure.

·       Behavioral analytics detect anomalous outbound communication patterns from RRAS servers.

Operational outcome

·       Improved telemetry coverage reduces attacker dwell time.

·       Early detection of compromise activity increases probability of containment before lateral movement occurs.

S39 Strategic Lessons Learned

Strategic lessons learned highlight broader defensive insights derived from analysis of the RRAS vulnerability set.

Public-facing infrastructure risk

·       The availability of an out-of-band hotpatch indicates Microsoft considered the vulnerabilities operationally significant; however, there was no confirmed evidence of active exploitation at the time of this analysis.

·       RRAS gateway systems should be treated as critical security infrastructure within enterprise risk management programs.

Detection strategy lessons

·       Behavioral detection techniques provide stronger protection than static indicators for infrastructure exploitation scenarios.

·       Telemetry correlation across network, endpoint, and authentication sources significantly improves compromise detection capability.

Operational security lessons

·       Gateway infrastructure should be included within enterprise threat hunting programs.

·       Incident response playbooks should explicitly address compromise of RRAS gateway systems.

Security architecture lessons

·       Segmentation of externally exposed infrastructure reduces the potential impact of successful exploitation.

·       Defense-in-depth monitoring controls provide resilience against exploitation of previously unknown vulnerabilities.

S40 References

Vendor Advisory
Microsoft advisory describing security fixes addressing CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111

·       hxxps://support.microsoft[.]com/en-us/topic/march-13-2026-hotpatch-kb5084597-os-builds-26200-7982-and-26100-7982-out-of-band-ef323fee-e70f-4f43-8bbc-1021c435bf5c

Vulnerability Records
MITRE CVE record for CVE-2026-25172

·       hxxps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25172

MITRE CVE record for CVE-2026-25173

·       hxxps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25173

MITRE CVE record for CVE-2026-26111

·       hxxps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26111

Known Exploited Vulnerabilities (KEV)
CISA Known Exploited Vulnerabilities Catalog

·       hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog

Analytical Framework
MITRE ATT&CK Framework

·       hxxps://attack.mitre.org
