Remote Utilities Host Service Install
Detects Remote Utilities Host service installation on the target system.
Sigma rule
title: Remote Utilities Host Service Install
id: 85cce894-dd8b-4427-a958-5cc47a4dc9b9
status: test
description: Detects Remote Utilities Host service installation on the target system.
references:
    - https://www.remoteutilities.com/support/kb/host-service-won-t-start/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    # Example:
    # <EventData>
    #   <Data Name="ServiceName">Remote Utilities - Host</Data>
    #   <Data Name="ImagePath">"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service</Data>
    #   <Data Name="ServiceType">user mode service</Data>
    #   <Data Name="StartType">auto start</Data>
    #   <Data Name="AccountName">LocalSystem</Data>
    # </EventData>
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains|all:
              - '\rutserv.exe'
              - '-service'
        - ServiceName: 'Remote Utilities - Host'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
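The rule's logic applied to constructed Service Control Manager 7045 events, as an added example that is not part of the rule or the Sigma project: selection_root (provider and EventID) must hold, and either the ImagePath contains both substrings (contains|all) or the ServiceName matches exactly; string matching is case-insensitive, as in Sigma. The sample events are modelled on the EventData in the rule's comment and are not real telemetry.

```python
import xml.etree.ElementTree as ET

# Constructed sample 7045 events, modelled on the EventData shown in the rule's
# comment; not real telemetry. Each entry: (Provider_Name, EventID, EventData XML).
SAMPLE_EVENTS = [
    ("Service Control Manager", 7045, r"""<EventData>
<Data Name="ServiceName">Remote Utilities - Host</Data>
<Data Name="ImagePath">"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service</Data>
</EventData>"""),
    # Renamed service, binary dropped elsewhere: still caught by the ImagePath branch.
    ("Service Control Manager", 7045, r"""<EventData>
<Data Name="ServiceName">Windows Update Helper</Data>
<Data Name="ImagePath">C:\Users\Public\RUTSERV.EXE -service</Data>
</EventData>"""),
    # rutserv.exe without "-service": contains|all needs both substrings, so no match.
    ("Service Control Manager", 7045, r"""<EventData>
<Data Name="ServiceName">RUT Helper</Data>
<Data Name="ImagePath">C:\Tools\rutserv.exe</Data>
</EventData>"""),
    # Benign service install, should not fire.
    ("Service Control Manager", 7045, r"""<EventData>
<Data Name="ServiceName">Print Spooler Agent</Data>
<Data Name="ImagePath">C:\Windows\System32\svchost.exe -k netsvcs</Data>
</EventData>"""),
]

def parse_event_data(xml_text):
    """Turn an <EventData> fragment into a {Name: value} dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall("Data")}

def matches_rule(provider, event_id, data):
    """condition: all of selection_* == selection_root AND selection_service."""
    selection_root = provider == "Service Control Manager" and event_id == 7045
    image_path = data.get("ImagePath", "").lower()      # Sigma matching is
    service_name = data.get("ServiceName", "").lower()  # case-insensitive
    # selection_service is a list of two maps, i.e. branch A OR branch B.
    branch_image = all(s in image_path for s in (r"\rutserv.exe", "-service"))
    branch_name = service_name == "remote utilities - host"
    return selection_root and (branch_image or branch_name)

def run_detection(events):
    """Return the ServiceName of every event the rule fires on."""
    hits = []
    for provider, event_id, xml_text in events:
        data = parse_event_data(xml_text)
        if matches_rule(provider, event_id, data):
            hits.append(data["ServiceName"])
    return hits
```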