Remote Access Tool Services Have Been Installed - System

Severity: medium
Author: Connor Martin, Nasreddine Bencherchali
Source: upstream

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1569.002` System Services: Service Execution
Persistence	`T1543.003` Create or Modify System Process: Windows Service
Privilege Escalation	`T1543.003` Create or Modify System Process: Windows Service

Event coverage

Provider	Event ID	Title
Service-Control-Manager	7036
Service-Control-Manager	7045

Stages and Predicates

Stage 1: `selection`

or:
ServiceName|contains: AmmyyAdmin
ServiceName|contains: Atera
ServiceName|contains: BASupportExpressSrvcUpdater
ServiceName|contains: 'BASupportExpressStandaloneService'
ServiceName|contains: GoToAssist
ServiceName|contains: GoToMyPC
ServiceName|contains: LMIGuardianSvc
ServiceName|contains: LogMeIn
ServiceName|contains: Parsec
ServiceName|contains: RManService
ServiceName|contains: RPCPerformanceService
ServiceName|contains: RPCService
ServiceName|contains: SSUService
ServiceName|contains: SplashtopRemoteService
ServiceName|contains: TeamViewer
ServiceName|contains: TightVNC
ServiceName|contains: Zoho
ServiceName|contains: chromoting
ServiceName|contains: jumpcloud
ServiceName|contains: monblanking
ServiceName|contains: vncserver
Provider_Name: 'Service Control Manager'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Provider_Name`	eq	`Service Control Manager` corpus 43 (sigma 43)
`ServiceName`	match	`AmmyyAdmin` corpus 2 (sigma 2) `Atera` corpus 2 (sigma 2) `BASupportExpressSrvcUpdater` corpus 2 (sigma 2) `BASupportExpressStandaloneService` corpus 2 (sigma 2) `GoToAssist` corpus 2 (sigma 2) `GoToMyPC` corpus 2 (sigma 2) `LMIGuardianSvc` corpus 2 (sigma 2) `LogMeIn` corpus 2 (sigma 2) `Parsec` corpus 2 (sigma 2) `RManService` corpus 2 (sigma 2) `RPCPerformanceService` corpus 2 (sigma 2) `RPCService` corpus 2 (sigma 2) `SSUService` corpus 2 (sigma 2) `SplashtopRemoteService` corpus 2 (sigma 2) `TeamViewer` corpus 2 (sigma 2) `TightVNC` corpus 2 (sigma 2) `Zoho` corpus 2 (sigma 2) `chromoting` corpus 2 (sigma 2) `jumpcloud` corpus 2 (sigma 2) `monblanking` corpus 2 (sigma 2) `vncserver` corpus 2 (sigma 2)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

HackTool Service Registration or Execution [sigma] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Remote Windows Service Installed [elastic]
Suspicious Service was Installed in the System [elastic]
Service Creation via Local Kerberos Authentication [elastic]
Hacktool Ruler [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

HackTool Service Registration or Execution [sigma]