Windows Service Terminated With Error
Detects Windows services that got terminated for whatever reason
Sigma rule:

title: Windows Service Terminated With Error
id: acfa2210-0d71-4eeb-b477-afab494d596c
related:
    - id: d6b5520d-3934-48b4-928c-2aa3f92d6963
      type: similar
status: test
description: Detects Windows services that got terminated for whatever reason
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
    - attack.defense-evasion
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7023 # The X Service service terminated with the following error
    condition: selection
falsepositives:
    - False positives could occur since service termination could happen due to multiple reasons
level: low
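The rule's selection, applied to constructed Windows System-log events, as an added example that is not part of the Sigma project or this rule. The field names (Provider_Name, EventID) follow the rule; the sample events, the parsing of the Event ID 7023 message into service name and error text, and the per-service summary (useful for triaging the low-level, noisy hits the rule's falsepositives note describes) are assumptions of this example.

```python
import re
from collections import Counter
from typing import Optional

# The rule's 'selection' block as a predicate: every listed field must match.
SELECTION = {"Provider_Name": "Service Control Manager", "EventID": 7023}

# Event ID 7023 message shape from the rule's comment: "The <X> service terminated
# with the following error: <error>". Non-greedy so a service whose display name
# itself ends in "Service" is still captured whole.
MSG_RE = re.compile(
    r"^The (?P<service>.+?) service terminated with the following error:\s*(?P<error>.+)$",
    re.DOTALL,
)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the Sigma selection (condition: selection)."""
    return all(event.get(field) == value for field, value in SELECTION.items())


def parse_7023(message: str) -> Optional[dict]:
    """Split a 7023 message into service name and error text; None if unparseable."""
    m = MSG_RE.match(message.strip())
    return m.groupdict() if m else None


def triage(events: list) -> list:
    """Return one record per matching event: host, service and the reported error."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        parsed = parse_7023(ev.get("Message", "")) or {"service": "<unparsed>", "error": ev.get("Message", "")}
        hits.append({"Computer": ev.get("Computer"), **parsed})
    return hits


def terminations_per_service(hits: list) -> Counter:
    """Count hits by service name so repeated terminations of one service stand out."""
    return Counter(h["service"] for h in hits)


# Constructed sample events (not real telemetry); only the first and last are 7023 from the SCM.
SAMPLE_EVENTS = [
    {"Provider_Name": "Service Control Manager", "EventID": 7023, "Computer": "WS01",
     "Message": "The Windows Defender Antivirus Service service terminated with the following error:\r\nAccess is denied."},
    {"Provider_Name": "Service Control Manager", "EventID": 7036, "Computer": "WS01",
     "Message": "The Print Spooler service entered the running state."},
    {"Provider_Name": "Microsoft-Windows-Kernel-General", "EventID": 7023, "Computer": "WS02", "Message": "unrelated"},
    {"Provider_Name": "Service Control Manager", "EventID": 7023, "Computer": "WS02",
     "Message": "The Windows Defender Antivirus Service service terminated with the following error:\r\nThe system cannot find the file specified."},
]
```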