Techniques
Sample rules
Windows Service Create RemComSvc
- source: splunk
- techniques:
- T1543.003
- T1543
Description
The following analytic identifies the installation of RemComSvc on an endpoint, surfaced as a Windows System log service-install event (EventCode 7045) with ServiceName "RemCom Service". This typically occurs when someone is moving laterally with RemCom.exe.
Detection logic
`wineventlog_system` EventCode=7045 ServiceName="RemCom Service"
| stats count min(_time) as firstTime max(_time) as lastTime by dest ImagePath ServiceName ServiceType
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_service_create_remcomsvc_filter`
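To make the search clause and the `stats` aggregation concrete, here is an added Python equivalent of the rule above, run over a handful of constructed event records. It is not part of the Splunk security content; the event records, hostnames and image paths are made up, `security_content_ctime` is reimplemented as a plain epoch-to-UTC formatter, and `windows_service_create_remcomsvc_filter` (whose contents are not on the page) is assumed to be a simple host allow-list used for tuning.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records standing in for `wineventlog_system` events.
# _time is epoch seconds as in Splunk; hostnames and paths are made up.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "ws-01", "EventCode": "7045",
     "ServiceName": "RemCom Service", "ImagePath": "C:\\Windows\\RemComSvc.exe",
     "ServiceType": "user mode service"},
    {"_time": 1700000300, "dest": "ws-01", "EventCode": "7045",
     "ServiceName": "RemCom Service", "ImagePath": "C:\\Windows\\RemComSvc.exe",
     "ServiceType": "user mode service"},
    # Same service name in a different case: Splunk's search clause still matches it.
    {"_time": 1700000600, "dest": "srv-02", "EventCode": "7045",
     "ServiceName": "remcom service", "ImagePath": "C:\\Windows\\RemComSvc.exe",
     "ServiceType": "user mode service"},
    # Unrelated service install: excluded by the ServiceName clause.
    {"_time": 1700000900, "dest": "srv-02", "EventCode": "7045",
     "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe",
     "ServiceType": "user mode service"},
    # Service state change (7036), not an install: excluded by the EventCode clause.
    {"_time": 1700001200, "dest": "ws-01", "EventCode": "7036",
     "ServiceName": "RemCom Service", "ImagePath": "C:\\Windows\\RemComSvc.exe",
     "ServiceType": "user mode service"},
]

# The `by` fields of the stats clause.
GROUP_BY = ("dest", "ImagePath", "ServiceName", "ServiceType")


def matches_rule(event):
    """Equivalent of `EventCode=7045 ServiceName="RemCom Service"`.
    Splunk compares field values case-insensitively, so lower-case both sides."""
    return (str(event.get("EventCode")) == "7045"
            and str(event.get("ServiceName", "")).lower() == "remcom service")


def security_content_ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch seconds -> UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def aggregate(events):
    """Equivalent of `stats count min(_time) as firstTime max(_time) as lastTime by ...`.
    Returns one row per distinct (dest, ImagePath, ServiceName, ServiceType)."""
    groups = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            key = tuple(ev.get(f) for f in GROUP_BY)
            groups[key].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["count"] = len(times)
        row["firstTime"] = security_content_ctime(min(times))
        row["lastTime"] = security_content_ctime(max(times))
        rows.append(row)
    return sorted(rows, key=lambda r: r["dest"])


def run_detection(events, excluded_hosts=()):
    """Full pipeline. The trailing filter macro is assumed (not from the page) to be a
    host allow-list, e.g. admin jump hosts where RemCom use is sanctioned."""
    excluded = set(excluded_hosts)
    return [r for r in aggregate(events) if r["dest"] not in excluded]


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it yields two rows: `ws-01` with count 2 (first and last install times five minutes apart) and `srv-02` with count 1; the Spooler install and the 7036 state-change event never reach the aggregation. Passing `excluded_hosts=["ws-01"]` shows how a tuning filter at the end of the pipeline removes a whole aggregated row rather than individual events.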