Remote Access Tool Services Have Been Installed - System
Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
Sigma rule
title: Remote Access Tool Services Have Been Installed - System
id: 1a31b18a-f00c-4061-9900-f735b96c99fc
related:
  - id: c8b00925-926c-47e3-beea-298fd563728e
    type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
  - https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali
date: 2022-12-23
modified: 2023-06-22
tags:
  - attack.persistence
  - attack.execution
  - attack.t1543.003
  - attack.t1569.002
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID:
      - 7045
      - 7036
    ServiceName|contains:
      # Based on https://github.com/SigmaHQ/sigma/pull/2841
      - 'AmmyyAdmin' # https://www.ammyy.com/en/
      - 'Atera'
      - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
      - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
      - 'chromoting'
      - 'GoToAssist' # https://www.goto.com/it-management/resolve
      - 'GoToMyPC' # https://get.gotomypc.com/
      - 'jumpcloud'
      - 'LMIGuardianSvc' # https://www.logmein.com/
      - 'LogMeIn' # https://www.logmein.com/
      - 'monblanking'
      - 'Parsec'
      - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
      - 'RPCPerformanceService' # https://www.remotepc.com/
      - 'RPCService' # https://www.remotepc.com/
      - 'SplashtopRemoteService' # https://www.splashtop.com/
      - 'SSUService'
      - 'TeamViewer'
      - 'TightVNC' # https://www.tightvnc.com/
      - 'vncserver'
      - 'Zoho'
  condition: selection
falsepositives:
  - Unknown
level: medium
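To make the selection logic concrete, the following Python evaluator applies the rule's three conditions (provider name, EventID 7045 or 7036, and a case-insensitive substring match on ServiceName, which is how Sigma's `contains` modifier behaves) to a handful of constructed System-log events. This is an added illustration, not code from SigmaHQ or the Sigma toolchain; the event dicts are constructed sample data, and the field names simply mirror the rule.

```python
"""Evaluate the 'Remote Access Tool Services Have Been Installed - System'
selection against Windows System-log events represented as dicts.

Added illustration, not part of the SigmaHQ rule or the Sigma converters.
All events below are constructed sample data, not real telemetry.
"""

# The rule's ServiceName|contains list, copied from the rule body.
RAT_SERVICE_SUBSTRINGS = [
    "AmmyyAdmin", "Atera", "BASupportExpressSrvcUpdater",
    "BASupportExpressStandaloneService", "chromoting", "GoToAssist",
    "GoToMyPC", "jumpcloud", "LMIGuardianSvc", "LogMeIn", "monblanking",
    "Parsec", "RManService", "RPCPerformanceService", "RPCService",
    "SplashtopRemoteService", "SSUService", "TeamViewer", "TightVNC",
    "vncserver", "Zoho",
]

PROVIDER = "Service Control Manager"
EVENT_IDS = {7045, 7036}  # 7045: new service installed; 7036: service state change


def matching_substring(service_name):
    """Return the first list entry contained in service_name, comparing
    case-insensitively as Sigma's 'contains' modifier does, else None."""
    haystack = service_name.casefold()
    for needle in RAT_SERVICE_SUBSTRINGS:
        if needle.casefold() in haystack:
            return needle
    return None


def selection_matches(event):
    """Apply the rule's single 'selection' block: every field must match."""
    if event.get("Provider_Name") != PROVIDER:
        return False
    if event.get("EventID") not in EVENT_IDS:
        return False
    return matching_substring(event.get("ServiceName", "")) is not None


def run_rule(events):
    """Return (ServiceName, EventID, matched list entry) for each hit, in order."""
    hits = []
    for ev in events:
        if selection_matches(ev):
            hits.append((ev["ServiceName"], ev["EventID"],
                         matching_substring(ev["ServiceName"])))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Provider_Name": PROVIDER, "EventID": 7045,
     "ServiceName": "TeamViewer"},               # install event, matches
    {"Provider_Name": PROVIDER, "EventID": 7036,
     "ServiceName": "splashtopremoteservice"},   # lower case still matches
    {"Provider_Name": PROVIDER, "EventID": 7045,
     "ServiceName": "Spooler"},                  # benign, no match
    {"Provider_Name": PROVIDER, "EventID": 7034,
     "ServiceName": "TightVNC Server"},          # 7034 is not in the rule
    {"Provider_Name": "Microsoft-Windows-Kernel-General", "EventID": 7045,
     "ServiceName": "LogMeIn"},                  # wrong provider, no match
]

if __name__ == "__main__":
    for name, eid, entry in run_rule(SAMPLE_EVENTS):
        print(f"EventID {eid}: service '{name}' matched list entry '{entry}'")
```

Two points the evaluator makes visible: EventID 7036 fires on every start/stop of a matching service, not only on installation, so a single legitimate remote-support agent will keep producing hits until it is excluded; and because the match is a substring, any service whose name merely contains an entry such as `Atera` or `Zoho` will also match, which is where the rule's `falsepositives` tuning belongs.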
Related rules
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CosmicDuke Service Installation
- PSEXEC Remote Execution File Artefact
- Potential CobaltStrike Service Installations - Registry