Remote Access Tool Services Have Been Installed - System
Detects service installation of various remote access tool software. This software is often abused by threat actors to perform
Sigma rule
title: Remote Access Tool Services Have Been Installed - System
id: 1a31b18a-f00c-4061-9900-f735b96c99fc
related:
    - id: c8b00925-926c-47e3-beea-298fd563728e
      type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali
date: 2022-12-23
modified: 2023-06-22
tags:
    - attack.persistence
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID:
            - 7045
            - 7036
        ServiceName|contains:
            # Based on https://github.com/SigmaHQ/sigma/pull/2841
            - 'AmmyyAdmin' # https://www.ammyy.com/en/
            - 'Atera'
            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
            - 'chromoting'
            - 'GoToAssist' # https://www.goto.com/it-management/resolve
            - 'GoToMyPC' # https://get.gotomypc.com/
            - 'jumpcloud'
            - 'LMIGuardianSvc' # https://www.logmein.com/
            - 'LogMeIn' # https://www.logmein.com/
            - 'monblanking'
            - 'Parsec'
            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
            - 'RPCPerformanceService' # https://www.remotepc.com/
            - 'RPCService' # https://www.remotepc.com/
            - 'SplashtopRemoteService' # https://www.splashtop.com/
            - 'SSUService'
            - 'TeamViewer'
            - 'TightVNC' # https://www.tightvnc.com/
            - 'vncserver'
            - 'Zoho'
    condition: selection
falsepositives:
    - Unknown
level: medium
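To show what the `selection` block above actually matches, here is an added example that is not part of the rule or of the SigmaHQ project: a small Python evaluator of the rule's three field conditions, run over constructed Windows System-log records (not real telemetry). Field names follow the Sigma Windows taxonomy the rule uses (`Provider_Name`, `EventID`, `ServiceName`); the `Channel`, `ImagePath` and `State` fields in the samples are there only for readability and are not consulted by the rule.

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): a
# minimal evaluator for the rule's `selection` block, run over constructed
# Windows System-log records. Field names follow the Sigma Windows taxonomy
# used in the rule (Provider_Name, EventID, ServiceName).

RULE_PROVIDER = "Service Control Manager"
RULE_EVENT_IDS = {7045, 7036}

# The `ServiceName|contains` list, copied from the rule.
RULE_SERVICE_SUBSTRINGS = [
    "AmmyyAdmin", "Atera", "BASupportExpressSrvcUpdater",
    "BASupportExpressStandaloneService", "chromoting", "GoToAssist",
    "GoToMyPC", "jumpcloud", "LMIGuardianSvc", "LogMeIn", "monblanking",
    "Parsec", "RManService", "RPCPerformanceService", "RPCService",
    "SplashtopRemoteService", "SSUService", "TeamViewer", "TightVNC",
    "vncserver", "Zoho",
]


def sigma_contains(value, needles):
    """Sigma string modifiers match case-insensitively unless `|cased` is used."""
    haystack = str(value).lower()
    return any(n.lower() in haystack for n in needles)


def matches_selection(event):
    """True when the event satisfies every field of the rule's `selection`.

    Fields inside one Sigma selection map are ANDed; list values are ORed.
    """
    if event.get("Provider_Name") != RULE_PROVIDER:
        return False
    if event.get("EventID") not in RULE_EVENT_IDS:
        return False
    return sigma_contains(event.get("ServiceName", ""), RULE_SERVICE_SUBSTRINGS)


def evaluate(events):
    """Return the events the rule would alert on (condition: selection)."""
    return [e for e in events if matches_selection(e)]


# Constructed sample records (not real telemetry). Channel "System" stands in
# for the rule's `service: system` logsource.
SAMPLE_EVENTS = [
    # 7045 = "A service was installed in the system": the primary signal.
    {"Channel": "System", "Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "TeamViewer",
     "ImagePath": "C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe"},
    # 7036 = "The X service entered the running state": also fires on every restart.
    {"Channel": "System", "Provider_Name": "Service Control Manager", "EventID": 7036,
     "ServiceName": "LogMeIn", "State": "running"},
    # Case differs from the rule's literal; Sigma `contains` is case-insensitive.
    {"Channel": "System", "Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "splashtopremoteservice",
     "ImagePath": "C:\\Program Files (x86)\\Splashtop\\SRService.exe"},
    # Benign service install: no listed substring.
    {"Channel": "System", "Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    # Right name, wrong provider and EventID: a Security-channel 4697 record is
    # outside this rule's logsource, so it must not match here.
    {"Channel": "Security", "Provider_Name": "Microsoft-Windows-Security-Auditing",
     "EventID": 4697, "ServiceName": "TeamViewer"},
    # State change of a service the list does not name.
    {"Channel": "System", "Provider_Name": "Service Control Manager", "EventID": 7036,
     "ServiceName": "Dnscache", "State": "stopped"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} ServiceName={hit['ServiceName']}")
```

Two things the run makes visible. EventID 7036 is the service state-change event, so the rule fires on every routine start or stop of an already installed tool, not only on installation; a deployment that wants install events only would keep 7045 and drop 7036. And `contains` on short tokens such as `Atera` or `Zoho` matches any service name that merely contains them, which is why the rule's `falsepositives` field is honest about being `Unknown`.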
References
- https://redcanary.com/blog/misbehaving-rats/
Related rules
- CosmicDuke Service Installation
- Malicious Service Installations
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System