Type: Detection | Level: medium | Status: test
Remote Utilities Host Service Install
Detects Remote Utilities Host service installation on the target system.
Author
Nasreddine Bencherchali (Nextron Systems)
Created
Mon Oct 31
Rule ID
85cce894-dd8b-4427-a958-5cc47a4dc9b9
Product
windows
Log Source
Product: Windows (raw: windows)
Service: system (raw: system)
Detection Logic (2 selectors)
detection:
    # Example:
    # <EventData>
    # <Data Name="ServiceName">Remote Utilities - Host</Data>
    # <Data Name="ImagePath">"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service</Data>
    # <Data Name="ServiceType">user mode service</Data>
    # <Data Name="StartType">auto start</Data>
    # <Data Name="AccountName">LocalSystem</Data>
    # </EventData>
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains|all:
            - '\rutserv.exe'
            - '-service'
        - ServiceName: 'Remote Utilities - Host'
    condition: all of selection_*
False Positives
Legitimate use of the tool
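As an added example (not part of the Sigma rule or of this page), the detection logic above written out in Python and evaluated over constructed Service Control Manager events. Field names are the rule's own; the events and service names are made up for the test, and matching is case-insensitive as Sigma's default string matching is.

```python
# Added example, not the rule's or the page's code: evaluates the two
# selectors and the `all of selection_*` condition over constructed events.
from typing import Dict, List

Event = Dict[str, object]

def _contains_all(value: object, needles: List[str]) -> bool:
    # Sigma string modifiers match case-insensitively by default.
    text = str(value).lower()
    return all(n.lower() in text for n in needles)

def selection_root(ev: Event) -> bool:
    # Service installation as logged by the Service Control Manager (7045).
    return (str(ev.get("Provider_Name", "")).lower() == "service control manager"
            and ev.get("EventID") == 7045)

def selection_service(ev: Event) -> bool:
    # A YAML list of maps is an OR of its entries: either the binary path
    # carries both substrings, or the service name is the product default.
    by_image = _contains_all(ev.get("ImagePath", ""), ["\\rutserv.exe", "-service"])
    by_name = str(ev.get("ServiceName", "")).lower() == "remote utilities - host"
    return by_image or by_name

def rule_matches(ev: Event) -> bool:
    # condition: all of selection_*
    return selection_root(ev) and selection_service(ev)

# Constructed sample events: two that should match, two that must not.
SAMPLE_EVENTS: List[Event] = [
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Remote Utilities - Host",
     "ImagePath": '"C:\\Program Files (x86)\\Remote Utilities - Host\\rutserv.exe" -service'},
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "RManService",  # constructed: renamed service, path still matches
     "ImagePath": 'C:\\Temp\\RUT\\rutserv.exe -service'},
    {"Provider_Name": "Service Control Manager", "EventID": 7036,  # not an install event
     "ServiceName": "Remote Utilities - Host", "ImagePath": ""},
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
]

def matching_service_names(events: List[Event]) -> List[str]:
    # Names of the services whose install event fires the rule.
    return [str(ev["ServiceName"]) for ev in events if rule_matches(ev)]

if __name__ == "__main__":
    print(matching_service_names(SAMPLE_EVENTS))
```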
References
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
85cce894-dd8b-4427-a958-5cc47a4dc9b9
Status
test
Level
medium
Type
Detection
Created
Mon Oct 31
Path
rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml
Raw Tags
attack.persistence