sigmamediumHunting

Remote Access Tool Services Have Been Installed - Security

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

MITRE ATT&CK

T1543.003 T1569.002

privilege-escalationpersistenceexecution

Detection Query

selection:
  EventID: 4697
  ServiceName|contains:
    - AmmyyAdmin
    - AnyDesk
    - Atera
    - BASupportExpressSrvcUpdater
    - BASupportExpressStandaloneService
    - chromoting
    - GoToAssist
    - GoToMyPC
    - jumpcloud
    - LMIGuardianSvc
    - LogMeIn
    - monblanking
    - Parsec
    - RManService
    - RPCPerformanceService
    - RPCService
    - SplashtopRemoteService
    - SSUService
    - TeamViewer
    - TightVNC
    - vncserver
    - Zoho
condition: selection

Author

Connor Martin, Nasreddine Bencherchali (Nextron Systems)

Created

2022-12-23

Data Sources

windowssecurity

Platforms

windows

References

https://redcanary.com/blog/misbehaving-rats/

Tags

attack.privilege-escalationattack.persistenceattack.executionattack.t1543.003attack.t1569.002

Raw Content

title: Remote Access Tool Services Have Been Installed - Security
id: c8b00925-926c-47e3-beea-298fd563728e
related:
    - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
      type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2024-12-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceName|contains:
            # Based on https://github.com/SigmaHQ/sigma/pull/2841
            - 'AmmyyAdmin' # https://www.ammyy.com/en/
            - 'AnyDesk' # https://usersince99.medium.com/windows-privilege-escalation-8214ceaf4db8
            - 'Atera'
            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
            - 'chromoting'
            - 'GoToAssist' # https://www.goto.com/it-management/resolve
            - 'GoToMyPC' # https://get.gotomypc.com/
            - 'jumpcloud'
            - 'LMIGuardianSvc' # https://www.logmein.com/
            - 'LogMeIn' # https://www.logmein.com/
            - 'monblanking'
            - 'Parsec'
            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
            - 'RPCPerformanceService' # https://www.remotepc.com/
            - 'RPCService' # https://www.remotepc.com/
            - 'SplashtopRemoteService' # https://www.splashtop.com/
            - 'SSUService'
            - 'TeamViewer'
            - 'TightVNC' # https://www.tightvnc.com/
            - 'vncserver'
            - 'Zoho'
    condition: selection
falsepositives:
    - The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out
level: medium