Detection rules › Sigma
Remote Access Tool Services Have Been Installed - Security
Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1569.002 System Services: Service Execution |
| Persistence | T1543.003 Create or Modify System Process: Windows Service |
| Privilege Escalation | T1543.003 Create or Modify System Process: Windows Service |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4697 | A service was installed in the system. |
Rule body yaml
title: Remote Access Tool Services Have Been Installed - Security
id: c8b00925-926c-47e3-beea-298fd563728e
related:
- id: 1a31b18a-f00c-4061-9900-f735b96c99fc
type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2024-12-07
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceName|contains:
# Based on https://github.com/SigmaHQ/sigma/pull/2841
- 'AmmyyAdmin' # https://www.ammyy.com/en/
- 'AnyDesk' # https://usersince99.medium.com/windows-privilege-escalation-8214ceaf4db8
- 'Atera'
- 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
- 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
- 'chromoting'
- 'GoToAssist' # https://www.goto.com/it-management/resolve
- 'GoToMyPC' # https://get.gotomypc.com/
- 'jumpcloud'
- 'LMIGuardianSvc' # https://www.logmein.com/
- 'LogMeIn' # https://www.logmein.com/
- 'monblanking'
- 'Parsec'
- 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
- 'RPCPerformanceService' # https://www.remotepc.com/
- 'RPCService' # https://www.remotepc.com/
- 'SplashtopRemoteService' # https://www.splashtop.com/
- 'SSUService'
- 'TeamViewer'
- 'TightVNC' # https://www.tightvnc.com/
- 'vncserver'
- 'Zoho'
condition: selection
falsepositives:
- The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out
level: medium
Stages and Predicates
Stage 0: condition
selectionStage 1: selection
selection:
EventID: 4697
ServiceName|contains:
- 'AmmyyAdmin'
- 'AnyDesk'
- 'Atera'
- 'BASupportExpressSrvcUpdater'
- 'BASupportExpressStandaloneService'
- 'chromoting'
- 'GoToAssist'
- 'GoToMyPC'
- 'jumpcloud'
- 'LMIGuardianSvc'
- 'LogMeIn'
- 'monblanking'
- 'Parsec'
- 'RManService'
- 'RPCPerformanceService'
- 'RPCService'
- 'SplashtopRemoteService'
- 'SSUService'
- 'TeamViewer'
- 'TightVNC'
- 'vncserver'
- 'Zoho'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ServiceName | match |
|