Remote Access Tool Services Have Been Installed - System

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Sigma rule (View on GitHub)

 1title: Remote Access Tool Services Have Been Installed - System
 2id: 1a31b18a-f00c-4061-9900-f735b96c99fc
 3related:
 4    - id: c8b00925-926c-47e3-beea-298fd563728e
 5      type: similar
 6status: test
 7description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
 8references:
 9    - https://redcanary.com/blog/misbehaving-rats/
10author: Connor Martin, Nasreddine Bencherchali
11date: 2022-12-23
12modified: 2023-06-22
13tags:
14    - attack.persistence
15    - attack.t1543.003
16    - attack.t1569.002
17logsource:
18    product: windows
19    service: system
20detection:
21    selection:
22        Provider_Name: 'Service Control Manager'
23        EventID:
24            - 7045
25            - 7036
26        ServiceName|contains:
27            # Based on https://github.com/SigmaHQ/sigma/pull/2841
28            - 'AmmyyAdmin' # https://www.ammyy.com/en/
29            - 'Atera'
30            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
31            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
32            - 'chromoting'
33            - 'GoToAssist' # https://www.goto.com/it-management/resolve
34            - 'GoToMyPC' # https://get.gotomypc.com/
35            - 'jumpcloud'
36            - 'LMIGuardianSvc' # https://www.logmein.com/
37            - 'LogMeIn' # https://www.logmein.com/
38            - 'monblanking'
39            - 'Parsec'
40            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
41            - 'RPCPerformanceService' # https://www.remotepc.com/
42            - 'RPCService' # https://www.remotepc.com/
43            - 'SplashtopRemoteService' # https://www.splashtop.com/
44            - 'SSUService'
45            - 'TeamViewer'
46            - 'TightVNC' # https://www.tightvnc.com/
47            - 'vncserver'
48            - 'Zoho'
49    condition: selection
50falsepositives:
51    - Unknown
52level: medium

References

Related rules

to-top