RemComSvc Logs
Overview
Evidence: RemComSvc Logs
Description: Collect RemComSvc Logs
Category: Applications
Platform: windows
Short Name: rmcmsvcl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
RemCom is an open-source remote command execution tool that works like PsExec: the client copies the RemComSvc service binary to the target host, installs it as a Windows service, and runs commands through it. The service keeps logs that record remote command executions and the connections that issued them. The tool is used for legitimate remote administration, but attackers use it for lateral movement in the same way they use PsExec.
Data Collected
This collector gathers the RemComSvc log files themselves. The files are collected as-is (Is Parsed: No), so their contents must be reviewed manually or with a separate parser after collection.
Collection Method
This collector gathers RemComSvc log files from the Windows system directories; the files track remote command execution and service activity.
Forensic Value
RemCom logs are valuable when investigating lateral movement, remote command execution and privilege escalation. They record which commands were run remotely and where the connections came from, which ties post-exploitation activity on this host to a source system. Like PsExec, the service component runs under the LocalSystem account, which is why the logs also bear on privilege escalation: any entry that does not match known administrative activity warrants attention.
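As an added example (not the collector's own code and not part of the RemCom project), the following PowerShell script performs the collection and triage described in the Collection Method and Forensic Value sections on a live Windows host: it checks whether a RemComSvc service is registered, pulls service-installation events (System log event 7045) that mention RemComSvc, and copies any RemCom-named files from the Windows system directories into an evidence folder with SHA-256 hashes and the original timestamps preserved. The service name RemComSvc, the file-name pattern *RemCom*, the search roots and the evidence path are assumptions; the page does not give the collector's exact paths.

```powershell
# Added example, not the collector's or RemCom's own code.
# Assumptions (not stated on the page): the service is registered as
# "RemComSvc", any log files it keeps sit in the Windows system directories
# and carry "RemCom" in their name. Adjust the parameters to the environment.
param(
    [string]$EvidenceDir  = "C:\Evidence\RemComSvc",
    [string[]]$SearchRoots = @($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\Temp"),
    [string]$NamePattern  = "*RemCom*"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Service registration: is a RemComSvc service installed right now?
#    Attackers often remove it after use, so absence is not proof of absence.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemComSvc'" -ErrorAction SilentlyContinue
if ($svc) {
    Write-Host "RemComSvc service present: State=$($svc.State) Path=$($svc.PathName) Account=$($svc.StartName)"
} else {
    Write-Host "No RemComSvc service currently registered."
}

# 2. Service installation history: the Service Control Manager writes System
#    event 7045 for every newly installed service, so each RemComSvc entry
#    marks a time the tool was pushed to this host, even if it was removed later.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'RemComSvc' }
foreach ($e in $installs) {
    Write-Host ("Service install {0:u}: {1}" -f $e.TimeCreated, ($e.Message -replace '\s+', ' '))
}

# 3. Collect matching files: copy each one into the evidence folder, keep the
#    original timestamps on the copy, and record size and SHA-256 for chain of custody.
$inventory = foreach ($root in ($SearchRoots | Where-Object { Test-Path -LiteralPath $_ })) {
    Get-ChildItem -LiteralPath $root -Filter $NamePattern -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the source path into a unique file name inside the evidence folder.
            $dest = Join-Path $EvidenceDir ($_.FullName -replace '[:\\]', '_')
            Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
            $copy = Get-Item -LiteralPath $dest
            $copy.CreationTimeUtc  = $_.CreationTimeUtc
            $copy.LastWriteTimeUtc = $_.LastWriteTimeUtc
            [pscustomobject]@{
                Path         = $_.FullName
                SizeBytes    = $_.Length
                CreatedUtc   = $_.CreationTimeUtc
                LastWriteUtc = $_.LastWriteTimeUtc
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                EvidenceCopy = $dest
            }
        }
}

$inventory | Export-Csv -Path (Join-Path $EvidenceDir 'remcomsvc_inventory.csv') -NoTypeInformation
$inventory | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since the System event log and the Windows directory need administrator rights to read fully. The search is deliberately non-recursive over a few system directories to keep the footprint on a live host small; widen $SearchRoots or add -Recurse if the environment stores the service's logs elsewhere. The inventory CSV, not the console output, is what should travel with the evidence.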