Windows Service Terminated With Error

Mar 1, 2024 · attack.defense_evasion ·

Detects Windows services that got terminated for whatever reason

Sigma rule (View on GitHub)

 1title: Windows Service Terminated With Error
 2id: acfa2210-0d71-4eeb-b477-afab494d596c
 3related:
 4    - id: d6b5520d-3934-48b4-928c-2aa3f92d6963
 5      type: similar
 6status: test
 7description: Detects Windows services that got terminated for whatever reason
 8references:
 9    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023/04/14
12tags:
13    - attack.defense_evasion
14logsource:
15    product: windows
16    service: system
17detection:
18    selection:
19        Provider_Name: 'Service Control Manager'
20        EventID: 7023 # The X Service service terminated with the following error
21    condition: selection
22falsepositives:
23    - False positives could occur since service termination could happen due to multiple reasons
24level: low

References

https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/

Read More

Windows Service Terminated With Error

Sigma rule (View on GitHub)

References

https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/

Related rules