LoFP / legitimate use of the tool

Techniques

Sample rules

TacticalRMM Service Installation

Description

Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.

Detection logic

condition: all of selection_*
selection_root:
  EventID: 7045
  Provider_Name: Service Control Manager
selection_service:
- ImagePath|contains: tacticalrmm.exe
- ServiceName|contains: TacticalRMM Agent Service

NetSupport Manager Service Install

Description

Detects NetSupport Manager service installation on the target system.

Detection logic

condition: all of selection_*
selection_root:
  EventID: 7045
  Provider_Name: Service Control Manager
selection_service:
- ImagePath|contains: \NetSupport Manager\client32.exe
- ServiceName: Client32

Remote Utilities Host Service Install

Description

Detects Remote Utilities Host service installation on the target system.

Detection logic

condition: all of selection_*
selection_root:
  EventID: 7045
  Provider_Name: Service Control Manager
selection_service:
- ImagePath|contains|all:
  - \rutserv.exe
  - -service
- ServiceName: Remote Utilities - Host

New PDQDeploy Service - Client Side

Description

Detects a PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy, it installs a remote service on the target machine with the name "PDQDeployRunner-X", where "X" is an integer starting from 1.

Detection logic

condition: all of selection_*
selection_root:
  EventID: 7045
  Provider_Name: Service Control Manager
selection_service:
- ImagePath|contains: PDQDeployRunner-
- ServiceName|startswith: PDQDeployRunner-

New PDQDeploy Service - Server Side

Description

Detects a PDQDeploy service installation, which indicates that PDQDeploy was installed on the machine. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines.

Detection logic

condition: all of selection_*
selection_root:
  EventID: 7045
  Provider_Name: Service Control Manager
selection_service:
- ImagePath|contains: PDQDeployService.exe
- ServiceName:
  - PDQDeploy
  - PDQ Deploy

Mesh Agent Service Installation

Description

Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers.

Detection logic

condition: all of selection_*
selection_root:
  EventID: 7045
  Provider_Name: Service Control Manager
selection_service:
- ImagePath|contains: MeshAgent.exe
- ServiceName|contains: Mesh Agent
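All six rules above share one shape: an Event ID 7045 record from the Service Control Manager, plus an OR-list of ImagePath and ServiceName tests. The block below is an added example, not LoFP's or the Sigma project's code: it encodes the six selections as data, implements just the Sigma semantics they rely on (a map selection is an AND of its fields, a list of maps is an OR, a list of values is an OR, the contains / contains|all / startswith modifiers, case-insensitive string matching) and runs them over constructed 7045 records. The event dicts, paths and service names are constructed for illustration; the field names follow the rules (EventID, Provider_Name, ServiceName, ImagePath).

```python
"""Sigma-style matcher for the Service Control Manager 7045 rules on this page.

Added example, not LoFP's or the Sigma project's code. Covers only the Sigma
subset these rules use: 'all of selection_*' conditions, map selections (AND),
list-of-map selections (OR), list values (OR) and the contains / contains|all /
startswith modifiers. Events are constructed dicts standing in for parsed
System-log records.
"""

SCM_7045 = {"EventID": 7045, "Provider_Name": "Service Control Manager"}

# The six rules from the page, transcribed as plain dicts.
RULES = {
    "TacticalRMM Service Installation": {
        "selection_root": SCM_7045,
        "selection_service": [{"ImagePath|contains": "tacticalrmm.exe"},
                              {"ServiceName|contains": "TacticalRMM Agent Service"}]},
    "NetSupport Manager Service Install": {
        "selection_root": SCM_7045,
        "selection_service": [{"ImagePath|contains": "\\NetSupport Manager\\client32.exe"},
                              {"ServiceName": "Client32"}]},
    "Remote Utilities Host Service Install": {
        "selection_root": SCM_7045,
        "selection_service": [{"ImagePath|contains|all": ["\\rutserv.exe", "-service"]},
                              {"ServiceName": "Remote Utilities - Host"}]},
    "New PDQDeploy Service - Client Side": {
        "selection_root": SCM_7045,
        "selection_service": [{"ImagePath|contains": "PDQDeployRunner-"},
                              {"ServiceName|startswith": "PDQDeployRunner-"}]},
    "New PDQDeploy Service - Server Side": {
        "selection_root": SCM_7045,
        "selection_service": [{"ImagePath|contains": "PDQDeployService.exe"},
                              {"ServiceName": ["PDQDeploy", "PDQ Deploy"]}]},
    "Mesh Agent Service Installation": {
        "selection_root": SCM_7045,
        "selection_service": [{"ImagePath|contains": "MeshAgent.exe"},
                              {"ServiceName|contains": "Mesh Agent"}]},
}


def _match_field(event, key, expected):
    """Match one 'Field|modifier...' key against an event, Sigma-style (case-insensitive)."""
    field, *mods = key.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    values = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    combine = all if "all" in mods else any          # '|all' turns the value list into an AND
    ops = [m for m in mods if m != "all"]
    op = ops[0] if ops else "equals"
    tests = {
        "equals": lambda v: actual == v,
        "contains": lambda v: v in actual,
        "startswith": lambda v: actual.startswith(v),
        "endswith": lambda v: actual.endswith(v),
    }
    if op not in tests:
        raise ValueError(f"unsupported modifier: {op}")
    return combine(tests[op](v) for v in values)


def _match_selection(event, selection):
    """A list of maps is an OR of its maps; a single map is an AND of its fields."""
    if isinstance(selection, list):
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def match_rule(event, rule):
    """Every rule on this page uses the condition 'all of selection_*'."""
    return all(_match_selection(event, sel)
               for name, sel in rule.items() if name.startswith("selection_"))


def matching_rules(event):
    return sorted(name for name, rule in RULES.items() if match_rule(event, rule))


# Constructed 7045-style records; paths and service names are made up for the example.
SAMPLE_EVENTS = [
    # Remote Utilities host registered under a renamed service: only the
    # ImagePath|contains|all branch (\rutserv.exe AND -service) catches it.
    {**SCM_7045, "ServiceName": "WinUpdSvc",
     "ImagePath": '"C:\\Program Files (x86)\\RU\\rutserv.exe" -service'},
    # PDQ Deploy runner dropped on a target host (client-side rule, not server-side).
    {**SCM_7045, "ServiceName": "PDQDeployRunner-1",
     "ImagePath": "C:\\Tools\\PDQDeployRunner-1\\PDQDeployRunner-1.exe"},
    # Unrelated service install: must match nothing.
    {**SCM_7045, "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    # A 7036 state-change record for the Mesh Agent binary is not an install.
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "ServiceName": "Mesh Agent", "ImagePath": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe"},
]


def run_samples():
    """Return, per sample event, the sorted list of rule names that fire."""
    return [matching_rules(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(ev["EventID"], ev["ServiceName"], "->", hits or "no match")
```

Two points worth noting from the run: the Remote Utilities rule still fires when the service is registered under an unrelated name, because its first branch keys on the binary and its `-service` argument rather than on ServiceName; and a 7036 record for the same RMM binary stays silent, since all of these rules scope to 7045 (a service being created), which is the event a legitimate-use false positive and a malicious install both generate.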