Remote Access Tool Services Have Been Installed - Security

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Sigma rule (View on GitHub)

 1title: Remote Access Tool Services Have Been Installed - Security
 2id: c8b00925-926c-47e3-beea-298fd563728e
 3related:
 4    - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
 5      type: similar
 6status: test
 7description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
 8references:
 9    - https://redcanary.com/blog/misbehaving-rats/
10author: Connor Martin, Nasreddine Bencherchali (Nextron Systems)
11date: 2022-12-23
12modified: 2024-12-07
13tags:
14    - attack.persistence
15    - attack.t1543.003
16    - attack.t1569.002
17logsource:
18    product: windows
19    service: security
20    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
21detection:
22    selection:
23        EventID: 4697
24        ServiceName|contains:
25            # Based on https://github.com/SigmaHQ/sigma/pull/2841
26            - 'AmmyyAdmin' # https://www.ammyy.com/en/
27            - 'AnyDesk' # https://usersince99.medium.com/windows-privilege-escalation-8214ceaf4db8
28            - 'Atera'
29            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
30            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
31            - 'chromoting'
32            - 'GoToAssist' # https://www.goto.com/it-management/resolve
33            - 'GoToMyPC' # https://get.gotomypc.com/
34            - 'jumpcloud'
35            - 'LMIGuardianSvc' # https://www.logmein.com/
36            - 'LogMeIn' # https://www.logmein.com/
37            - 'monblanking'
38            - 'Parsec'
39            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
40            - 'RPCPerformanceService' # https://www.remotepc.com/
41            - 'RPCService' # https://www.remotepc.com/
42            - 'SplashtopRemoteService' # https://www.splashtop.com/
43            - 'SSUService'
44            - 'TeamViewer'
45            - 'TightVNC' # https://www.tightvnc.com/
46            - 'vncserver'
47            - 'Zoho'
48    condition: selection
49falsepositives:
50    - The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out
51level: medium

References

Related rules

to-top