Important Windows Service Terminated With Error

Detects the termination of important or security-relevant Windows services, whatever the cause of the termination.

Sigma rule

title: Important Windows Service Terminated With Error
id: d6b5520d-3934-48b4-928c-2aa3f92d6963
related:
    - id: acfa2210-0d71-4eeb-b477-afab494d596c
      type: similar
status: test
description: Detects important or interesting Windows services that got terminated for whatever reason
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/14
tags:
    - attack.defense_evasion
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7023 # The X Service service terminated with the following error
    selection_name:
        - param1|contains:
              # Note that these names are "Display Names" and are language specific. If you're using a non-English system these can and will be different.
              - ' Antivirus'
              - ' Firewall'
              - 'Application Guard'
              - 'BitLocker Drive Encryption Service'
              - 'Encrypting File System'
              - 'Microsoft Defender'
              - 'Threat Protection'
              - 'Windows Event Log'
        # Use this if you collect the binary value provided with this event, which is the UTF-16LE (wide) hex encoding of the service name.
        - Binary|contains:
              - '770069006e0064006500660065006e006400' # windefend (Microsoft Defender Antivirus Service)
              - '4500760065006e0074004c006f006700' # EventLog
              - '6d0070007300730076006300' # mpssvc (Windows Defender Firewall)
              - '530065006e0073006500' # Sense (Windows Defender Advanced Threat Protection Service)
              - '450046005300' # EFS (Encrypting File System)
              - '420044004500530056004300' # BDESVC (BitLocker Drive Encryption Service)
    condition: all of selection_*
falsepositives:
    - Rare false positives could occur since service termination could happen due to multiple reasons
level: high
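The following Python is an added example, not part of the Sigma rule or of the Sigma project. It re-implements the rule's `all of selection_*` logic over a handful of constructed Event ID 7023 records, and it also shows where the `Binary|contains` values come from: each one is simply the service's short name encoded as UTF-16LE and written as lower-case hex, so the function `utf16le_hex` reproduces every value in the rule from the short names given in its comments. The event dictionaries, the error text in `param2` and the localized display-name placeholder are all constructed for the example.

```python
"""Added example: re-implementing the 'Important Windows Service Terminated With Error'
Sigma rule in plain Python and checking the origin of its Binary hex values."""
from typing import Dict, List

# Display-name fragments copied from the rule's param1|contains list (English display names).
DISPLAY_NAME_FRAGMENTS: List[str] = [
    " Antivirus",
    " Firewall",
    "Application Guard",
    "BitLocker Drive Encryption Service",
    "Encrypting File System",
    "Microsoft Defender",
    "Threat Protection",
    "Windows Event Log",
]

# Short service name (from the rule's comments) -> hex value copied from the rule's Binary|contains list.
RULE_BINARY_VALUES: Dict[str, str] = {
    "windefend": "770069006e0064006500660065006e006400",
    "EventLog": "4500760065006e0074004c006f006700",
    "mpssvc": "6d0070007300730076006300",
    "Sense": "530065006e0073006500",
    "EFS": "450046005300",
    "BDESVC": "420044004500530056004300",
}


def utf16le_hex(name: str) -> str:
    """Encode a service name as UTF-16LE and return lower-case hex, the form the rule's Binary values use."""
    return name.encode("utf-16-le").hex()


def rule_binary_values_consistent() -> bool:
    """True if every hex value in the rule equals the UTF-16LE hex of the short name its comment claims."""
    return all(utf16le_hex(name) == value for name, value in RULE_BINARY_VALUES.items())


BINARY_FRAGMENTS: List[str] = list(RULE_BINARY_VALUES.values())


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True if a flattened System-log event satisfies 'all of selection_*'.

    Sigma's 'contains' is case-insensitive, so both sides are lower-cased. Note that for the
    Binary field this case-folding applies to the hex text, not to the decoded service name:
    the byte for 'W' (0x57) is not the byte for 'w' (0x77), so the hex only matches when the
    logged name has the same letter case as the name the rule's value was derived from.
    """
    if event.get("Provider_Name") != "Service Control Manager":
        return False
    if str(event.get("EventID", "")) != "7023":
        return False
    param1 = event.get("param1", "").lower()
    if any(fragment.lower() in param1 for fragment in DISPLAY_NAME_FRAGMENTS):
        return True
    binary = event.get("Binary", "").lower()
    return any(fragment in binary for fragment in BINARY_FRAGMENTS)


# Constructed sample events (not real telemetry), shaped like flattened EventData fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # display-name match on an English system: should alert
        "Provider_Name": "Service Control Manager", "EventID": "7023",
        "param1": "Microsoft Defender Antivirus Service",
        "param2": "<constructed error text>",
        "Binary": utf16le_hex("windefend"),
    },
    {   # localized display name, so only the Binary field matches: should alert
        "Provider_Name": "Service Control Manager", "EventID": "7023",
        "param1": "<localized display name>",
        "param2": "<constructed error text>",
        "Binary": utf16le_hex("EventLog"),
    },
    {   # unrelated service terminating with an error: no alert
        "Provider_Name": "Service Control Manager", "EventID": "7023",
        "param1": "Print Spooler",
        "Binary": utf16le_hex("Spooler"),
    },
    {   # important service but a different SCM event id: no alert
        "Provider_Name": "Service Control Manager", "EventID": "7036",
        "param1": "Microsoft Defender Antivirus Service",
        "Binary": utf16le_hex("windefend"),
    },
]


def alerting_services(events: List[Dict[str, str]]) -> List[str]:
    """Display names (param1) of the events that the rule would alert on."""
    return [event["param1"] for event in events if matches_rule(event)]


if __name__ == "__main__":
    print("rule hex values derive from the commented short names:", rule_binary_values_consistent())
    print("alerts:", alerting_services(SAMPLE_EVENTS))
```

Running it confirms that all six `Binary` values in the rule are exactly `utf16le_hex(<short name>)`, which is how to extend the list if another service needs covering, and it shows the practical value of the `Binary` branch: the second sample event has a non-English display name that none of the `param1` fragments would catch, yet the service name embedded in the binary data still matches.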
