
Summary
This detection rule identifies the installation of the Remote Utilities Host service on Windows systems by monitoring the event logs generated by the Service Control Manager (SCM). The specific event of interest is Event ID 7045, which is logged when a new service is installed. The rule looks for two indicators of the Remote Utilities Host service: the presence of the executable 'rutserv.exe' together with the '-service' argument in the service's image path, and the service name 'Remote Utilities - Host'. Only when both conditions are met does the rule flag the event as a potential indication of persistence activity by an attacker using this remote administration tool. The rule balances the need for alerting against the risk of false positives, recognizing that this software may have legitimate uses in administrative contexts.
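The following is an added example, not the rule's own code, that applies the two conditions described above to a handful of constructed Event ID 7045 records. Each record is represented as a dictionary carrying the fields a System-log service-installation event exposes (EventID, ServiceName, ImagePath, Computer); the field names and sample values are assumptions made for illustration. String matching is done case-insensitively, which mirrors how most SIEM rule languages treat "contains" and equality by default.

```python
"""Apply the Remote Utilities Host service-installation logic to sample 7045 events.

Added example (not the detection rule's own code). Event records are plain dicts;
the field names follow the Windows System log's 7045 event, and every sample
record below is constructed for illustration.
"""

RULE_EVENT_ID = 7045                              # SCM: "A service was installed in the system"
IMAGE_PATH_TOKENS = ("rutserv.exe", "-service")   # both must appear in ImagePath
SERVICE_NAME = "remote utilities - host"          # compared case-insensitively


def matches_rule(event):
    """Return True when the event satisfies every condition of the rule.

    Conditions (all required):
      1. EventID is 7045 (new service installation).
      2. ImagePath contains both 'rutserv.exe' and '-service'.
      3. ServiceName equals 'Remote Utilities - Host'.
    """
    if event.get("EventID") != RULE_EVENT_ID:
        return False
    image_path = str(event.get("ImagePath", "")).lower()
    if not all(token in image_path for token in IMAGE_PATH_TOKENS):
        return False
    return str(event.get("ServiceName", "")).lower() == SERVICE_NAME


def find_alerts(events):
    """Return the subset of events that the rule would raise an alert for."""
    return [e for e in events if matches_rule(e)]


# Constructed sample records (assumed field names and values, not real telemetry).
SAMPLE_EVENTS = [
    {   # True positive: both the image path and the service name match.
        "EventID": 7045,
        "Computer": "WS01.example.local",
        "ServiceName": "Remote Utilities - Host",
        "ImagePath": r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service',
    },
    {   # Same binary registered under a different service name: the rule requires
        # both conditions, so this record is NOT flagged (a precision trade-off to
        # keep in mind when tuning).
        "EventID": 7045,
        "Computer": "WS02.example.local",
        "ServiceName": "Backup Agent",
        "ImagePath": r'"C:\Users\Public\rutserv.exe" -service',
    },
    {   # Benign Windows service installation: no match.
        "EventID": 7045,
        "Computer": "WS03.example.local",
        "ServiceName": "WaaSMedicSvc",
        "ImagePath": r"C:\Windows\system32\svchost.exe -k wusvcs -p",
    },
    {   # Right fields but a service state-change event (7036), not an installation.
        "EventID": 7036,
        "Computer": "WS04.example.local",
        "ServiceName": "Remote Utilities - Host",
        "ImagePath": r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service',
    },
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT host={alert['Computer']} service={alert['ServiceName']!r} "
              f"image={alert['ImagePath']}")
```

Running the script prints a single alert for WS01. The second record shows why the rule's "both conditions" requirement matters for tuning: it keeps false positives low, but it also means an analyst who wants broader coverage of the binary itself would need a separate, looser rule with its own false-positive handling.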
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Service
- Logon Session
Created: 2022-10-31