RemCom Service Installation
Detects RemCom service installation and execution events
Sigma rule
```yaml
title: RemCom Service Installation
id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf
status: test
description: Detects RemCom service installation and execution events
references:
    - https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    # Event ID 7045 from the Service Control Manager: a service was installed
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    # List items are alternatives: either the service name or the image path matches
    selection_service:
        - ServiceName: 'RemComSvc'
        - ImagePath|endswith: '\RemComSvc.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
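The rule's condition written out by hand and run over constructed System-log records, to show how the two selections combine (fields inside a map are ANDed, items in a list are ORed, string matches ignore case). This is an added example, not part of the rule or of any Sigma tooling; the function names and all event records are made up for illustration.

```python
# Added example: the rule's detection logic written out by hand.
# All event records below are constructed samples, not real telemetry.

def _eq(value, expected):
    # Sigma compares strings case-insensitively by default.
    return str(value or "").lower() == expected.lower()

def _endswith(value, suffix):
    return str(value or "").lower().endswith(suffix.lower())

def selection_eid(ev):
    # A map of fields: every field must match (AND).
    return (_eq(ev.get("Provider_Name"), "Service Control Manager")
            and str(ev.get("EventID")) == "7045")

def selection_service(ev):
    # A list of maps: any one item is enough (OR).
    return (_eq(ev.get("ServiceName"), "RemComSvc")
            or _endswith(ev.get("ImagePath"), "\\RemComSvc.exe"))

def matches(ev):
    # condition: all of selection_*
    return selection_eid(ev) and selection_service(ev)

SCM = "Service Control Manager"
SAMPLE_EVENTS = [  # constructed records
    {"id": "default-install", "Provider_Name": SCM, "EventID": 7045,
     "ServiceName": "RemComSvc", "ImagePath": r"%SystemRoot%\RemComSvc.exe"},
    {"id": "image-path-only", "Provider_Name": SCM, "EventID": "7045",
     "ServiceName": "ExampleSvc", "ImagePath": r"C:\Windows\remcomsvc.exe"},
    {"id": "wrong-event-id", "Provider_Name": SCM, "EventID": 7036,
     "ServiceName": "RemComSvc", "ImagePath": r"%SystemRoot%\RemComSvc.exe"},
    {"id": "unrelated-service", "Provider_Name": SCM, "EventID": 7045,
     "ServiceName": "ExampleBackupSvc",
     "ImagePath": r"C:\Program Files\Example\backup.exe"},
]

def matching_ids(events):
    return [ev["id"] for ev in events if matches(ev)]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:18} -> {'MATCH' if matches(ev) else 'no match'}")
```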
Related rules
- CSExec Service File Creation
- CSExec Service Installation
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Credential Dumping Tools Service Execution - Security