Detectionmediumtest

Remote Access Tool Services Have Been Installed - System

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Connor Martin, Nasreddine Bencherchali (Nextron Systems)Created Fri Dec 23Updated Thu Jun 221a31b18a-f00c-4061-9900-f735b96c99fcwindows

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID:
            - 7045
            - 7036
        ServiceName|contains:
            # Based on https://github.com/SigmaHQ/sigma/pull/2841
            - 'AmmyyAdmin' # https://www.ammyy.com/en/
            - 'Atera'
            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
            - 'chromoting'
            - 'GoToAssist' # https://www.goto.com/it-management/resolve
            - 'GoToMyPC' # https://get.gotomypc.com/
            - 'jumpcloud'
            - 'LMIGuardianSvc' # https://www.logmein.com/
            - 'LogMeIn' # https://www.logmein.com/
            - 'monblanking'
            - 'Parsec'
            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
            - 'RPCPerformanceService' # https://www.remotepc.com/
            - 'RPCService' # https://www.remotepc.com/
            - 'SplashtopRemoteService' # https://www.splashtop.com/
            - 'SSUService'
            - 'TeamViewer'
            - 'TightVNC' # https://www.tightvnc.com/
            - 'vncserver'
            - 'Zoho'
    condition: selection