The RemCom Service File Creation rule detects the creation of a known default RemCom service file, which is a strong indicator of adversary installation and execution of the RemCom malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential RemCom-based attacks before they escalate.
Detection Rule
title: RemCom Service File Creation
id: 7eff1a7f-dd45-4c20-877a-f21e342a7611
status: test
description: Detects default RemCom service filename which indicates RemCom service installation and execution
references:
    - https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\RemComSvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
imFileEvent
| where TargetFileName endswith "\\RemComSvc.exe"
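The following Python snippet is an added example, not part of the Sigma rule, the Sentinel query, or the RemCom project. It re-implements the rule's single `endswith` test over a handful of constructed file_event records so the matching behaviour can be checked offline, and it adds a path-scoped process exclusion of the kind the filter/exclusion scenarios below describe (process name plus known install directory) to show why an exclusion on process name alone would be too broad. The `FileEvent` fields, the `EXCLUSIONS` list, the install directory and all sample paths and host names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """Minimal file_event record; field names mirror the Sigma rule / imFileEvent columns."""
    target_filename: str   # TargetFilename in Sigma, TargetFileName in imFileEvent
    process_name: str      # creating process (assumed column for the tuning scenarios)
    computer: str          # host that emitted the event


# Constructed sample telemetry (not real logs). Paths are Windows-style, hence the escaped backslashes.
SAMPLE_EVENTS = [
    FileEvent("C:\\Windows\\RemComSvc.exe", "RemCom.exe", "WS01"),               # default RemCom drop
    FileEvent("C:\\Windows\\remcomsvc.exe", "cmd.exe", "WS02"),                  # same file, different case
    FileEvent("C:\\Temp\\RemComSvc.exe.txt", "notepad.exe", "WS03"),             # suffix differs: no match
    FileEvent("C:\\Users\\a\\NotRemComSvc.exe", "explorer.exe", "WS04"),         # leading '\' not present: no match
    FileEvent("C:\\Program Files\\RemCom\\RemComSvc.exe", "msiexec.exe", "WS05"),  # MSI deployment to known dir
    FileEvent("C:\\Windows\\Temp\\RemComSvc.exe", "msiexec.exe", "WS06"),        # msiexec, but outside known dir
]

# The rule's one selection: TargetFilename|endswith: '\RemComSvc.exe'
SUFFIX = "\\RemComSvc.exe"

# Assumed tuning entries: (creating process, directory the legitimate deployment writes to).
# Mirrors the "MSI package" scenario: exclude msiexec.exe only inside the known RemCom install directory.
EXCLUSIONS = [
    ("msiexec.exe", "C:\\Program Files\\RemCom\\"),
]


def matches_rule(event: FileEvent) -> bool:
    """Sigma string modifiers and KQL `endswith` are both case-insensitive, so compare lower-cased."""
    return event.target_filename.lower().endswith(SUFFIX.lower())


def is_excluded(event: FileEvent, exclusions) -> bool:
    """An event is excluded only when BOTH the process and the path prefix match an entry."""
    path = event.target_filename.lower()
    proc = event.process_name.lower()
    return any(proc == p.lower() and path.startswith(d.lower()) for p, d in exclusions)


def detect(events, exclusions=()) -> list:
    """Return the events that would raise an alert: rule match minus tuned-out exclusions."""
    return [e for e in events if matches_rule(e) and not is_excluded(e, exclusions)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, EXCLUSIONS):
        print(f"ALERT host={alert.computer} process={alert.process_name} file={alert.target_filename}")
```

Running the block prints three alerts (WS01, WS02 and WS06); WS05 is suppressed because msiexec.exe wrote to the assumed install directory, while WS06 is still raised because the same process wrote the file somewhere else. That is the property to preserve when translating the scenarios below into Sentinel: tie each exclusion to a path as well as a process name.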
Scenario: Scheduled Job for RemCom Service Configuration
Description: A system administrator schedules a job to configure or update the RemCom service using a legitimate tool like schtasks.exe or Task Scheduler.
Filter/Exclusion: Exclude file creation events where the file path contains RemCom and the process is schtasks.exe or Task Scheduler with a known job name.
Scenario: RemCom Service Installation via MSI Package
Description: The enterprise deploys the RemCom service via an MSI installer, which creates the default service file during installation.
Filter/Exclusion: Exclude file creation events where the process is msiexec.exe and the file path matches the known RemCom installation directory.
Scenario: System Update or Patching Tool Creates RemCom File
Description: A patching tool like Windows Update or WSUS creates the RemCom service file as part of a system update or patching process.
Filter/Exclusion: Exclude file creation events where the process is wusa.exe, wuauclt.exe, or svcpack.exe and the file path is within the system update directory.
Scenario: RemCom Service File Created by a Legitimate Configuration Tool
Description: A configuration management tool like Chef, Puppet, or Ansible creates the RemCom service file as part of a configuration deployment.
Filter/Exclusion: Exclude file creation events where the process is chef-client.exe, puppet.exe, or ansible.exe and the file path is within a known configuration directory.
Scenario: RemCom Service File Created by a Third-Party Monitoring Tool
Description: A third-party monitoring or logging tool (e.g., Splunk, Datadog, or Logstash) creates