LoFP / The rule doesn't look for anything suspicious, so false positives are expected. If you use one of the tools mentioned, comment it out

Techniques

Sample rules

Remote Access Tool Services Have Been Installed - Security

Description

Detects service installation of different remote access tool software. This software is often abused by threat actors to perform

Detection logic

condition: selection
selection:
  EventID: 4697
  ServiceName|contains:
  - AmmyyAdmin
  - AnyDesk
  - Atera
  - BASupportExpressSrvcUpdater
  - BASupportExpressStandaloneService
  - chromoting
  - GoToAssist
  - GoToMyPC
  - jumpcloud
  - LMIGuardianSvc
  - LogMeIn
  - monblanking
  - Parsec
  - RManService
  - RPCPerformanceService
  - RPCService
  - SplashtopRemoteService
  - SSUService
  - TeamViewer
  - TightVNC
  - vncserver
  - Zoho