Important Windows Service Terminated With Error
Detects important or interesting Windows services that got terminated for whatever reason
Sigma rule
```yaml
title: Important Windows Service Terminated With Error
id: d6b5520d-3934-48b4-928c-2aa3f92d6963
related:
    - id: acfa2210-0d71-4eeb-b477-afab494d596c
      type: similar
status: test
description: Detects important or interesting Windows services that got terminated for whatever reason
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
    - attack.defense-evasion
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7023 # The X Service service terminated with the following error
    selection_name:
        - param1|contains:
            # Note that these names are "Display Names" and are language specific. If you're using a non-English system they can and will be different.
            - ' Antivirus'
            - ' Firewall'
            - 'Application Guard'
            - 'BitLocker Drive Encryption Service'
            - 'Encrypting File System'
            - 'Microsoft Defender'
            - 'Threat Protection'
            - 'Windows Event Log'
        # Use this if you collect the binary value provided by this event, which is the wide (UTF-16LE) hex-encoded value of the service name.
        - Binary|contains:
            - '770069006e0064006500660065006e006400' # windefend (Microsoft Defender Antivirus Service)
            - '4500760065006e0074004c006f006700' # EventLog
            - '6d0070007300730076006300' # mpssvc (Windows Defender Firewall)
            - '530065006e0073006500' # Sense (Windows Defender Advanced Threat Protection Service)
            - '450046005300' # EFS (Encrypting File System)
            - '420044004500530056004300' # BDESVC (BitLocker Drive Encryption Service)
    condition: all of selection_*
falsepositives:
    - Rare false positives could occur since service termination could happen due to multiple reasons
level: high
```
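As an added illustration (not part of the rule or the Sigma project), the Python below evaluates the rule's logic over a few constructed System-log records for event 7023. It derives the `Binary` patterns by UTF-16LE encoding the short service names, which shows why the `Binary` branch still fires on a non-English system where the display name in `param1` is localized; the event dictionaries and their field values are constructed samples.

```python
# Short service names the rule watches; event 7023 carries the service name in
# the Binary field as UTF-16LE ("wide") bytes, usually rendered as hex.
WATCHED_SERVICE_NAMES = ["windefend", "EventLog", "mpssvc", "Sense", "EFS", "BDESVC"]

# Display-name fragments matched against param1 (English display names only).
WATCHED_DISPLAY_FRAGMENTS = [
    " Antivirus", " Firewall", "Application Guard", "BitLocker Drive Encryption Service",
    "Encrypting File System", "Microsoft Defender", "Threat Protection", "Windows Event Log",
]


def wide_hex(service_name: str) -> str:
    """UTF-16LE-encode a service name and return it as lowercase hex (the rule's Binary form)."""
    return service_name.encode("utf-16-le").hex()


def matches_rule(event: dict) -> bool:
    """Evaluate 'all of selection_*' against one parsed event record (Sigma 'contains' is case-insensitive)."""
    if event.get("Provider_Name") != "Service Control Manager" or event.get("EventID") != 7023:
        return False  # selection_eid not satisfied
    param1 = event.get("param1", "").lower()
    binary = event.get("Binary", "").lower()
    if any(frag.lower() in param1 for frag in WATCHED_DISPLAY_FRAGMENTS):
        return True  # display-name branch of selection_name
    return any(wide_hex(name) in binary for name in WATCHED_SERVICE_NAMES)  # Binary branch


def flagged_services(events: list) -> list:
    """Return param1 of every event the rule would alert on."""
    return [e["param1"] for e in events if matches_rule(e)]


# Constructed sample records, shaped like parsed Windows System-log events.
SAMPLE_EVENTS = [
    {"Provider_Name": "Service Control Manager", "EventID": 7023,  # English host, both branches hit
     "param1": "Microsoft Defender Antivirus Service", "Binary": wide_hex("windefend").upper()},
    {"Provider_Name": "Service Control Manager", "EventID": 7023,  # German host: localized display name,
     "param1": "Windows-Ereignisprotokoll", "Binary": wide_hex("EventLog")},  # only Binary matches
    {"Provider_Name": "Service Control Manager", "EventID": 7023,  # unwatched service: no alert
     "param1": "Print Spooler", "Binary": wide_hex("Spooler")},
    {"Provider_Name": "Service Control Manager", "EventID": 7036,  # watched name but wrong EventID
     "param1": "Windows Event Log", "Binary": wide_hex("EventLog")},
]

if __name__ == "__main__":
    print(flagged_services(SAMPLE_EVENTS))
```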