Important Windows Service Terminated Unexpectedly
Detects important or interesting Windows services that got terminated unexpectedly.
Sigma rule
title: Important Windows Service Terminated Unexpectedly
id: 56abae0c-6212-4b97-adc0-0b559bb950c3
status: test
description: Detects important or interesting Windows services that got terminated unexpectedly.
references:
    - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
    - attack.defense-evasion
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7034 # The X service terminated unexpectedly. It has done this Y time(s).
    selection_name:
        # Note that the names in "param1" are service "Display Names" and are language specific. On a non-English system they can and will differ.
        - param1|contains: 'Message Queuing'
        # Use this if you collect the binary data attached to this event, which is the UTF-16LE (wide) hex-encoded service name and does not depend on the display language.
        - Binary|contains:
            - '4d0053004d005100' # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case
            - '6d0073006d007100' # msmq
    condition: all of selection_*
falsepositives:
    - Rare false positives could occur, since a service can terminate unexpectedly for many reasons
level: high
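To make the two selection paths concrete, the following is an added Python re-implementation of the rule's detection logic run over a handful of constructed System-log events. It is illustrative code written for this page, not the Sigma rule itself nor a Sigma backend; the German display name, the field names (`Provider_Name`, `param1`, `Binary`) and the trailing null in the `Binary` payload are assumptions. It shows why the `Binary` branch matters: on a localized system the display name match fails, and if the binary data is not collected the event is missed entirely.

```python
"""Added example: the rule's detection logic over constructed EventID 7034 records."""


def service_name_to_binary_hex(name: str) -> str:
    """Hex-encode a service name as it appears in the 7034 event's binary data
    (UTF-16LE, no BOM). "MSMQ" -> "4d0053004d005100"."""
    return name.encode("utf-16-le").hex()


def sigma_contains(value, needles) -> bool:
    """Sigma's |contains modifier: case-insensitive substring, any needle matches."""
    if value is None:
        return False
    haystack = str(value).casefold()
    return any(n.casefold() in haystack for n in needles)


def sigma_equals(value, expected) -> bool:
    """Plain Sigma string matching is case-insensitive as well."""
    return value is not None and str(value).casefold() == str(expected).casefold()


def matches_rule(event: dict) -> bool:
    """Evaluate 'all of selection_*' for one event."""
    selection_eid = (sigma_equals(event.get("Provider_Name"), "Service Control Manager")
                     and sigma_equals(event.get("EventID"), 7034))
    # selection_name is a YAML list of two maps, which Sigma ORs together.
    selection_name = (sigma_contains(event.get("param1"), ["Message Queuing"])
                      or sigma_contains(event.get("Binary"),
                                        ["4d0053004d005100", "6d0073006d007100"]))
    return selection_eid and selection_name


def run_rule(events) -> list:
    """Return the indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


SCM = "Service Control Manager"
# Constructed sample events (not real telemetry). The localized display name
# "Nachrichtenwarteschlange" is a hypothetical stand-in, and the "0000" suffix
# assumes the service name in the binary data is null-terminated.
SAMPLE_EVENTS = [
    # 0: MSMQ crash on an English system: display name and binary both match
    {"Provider_Name": SCM, "EventID": 7034, "param1": "Message Queuing", "param2": "1",
     "Binary": service_name_to_binary_hex("MSMQ") + "0000"},
    # 1: same crash, localized display name: only the Binary branch matches
    {"Provider_Name": SCM, "EventID": 7034, "param1": "Nachrichtenwarteschlange", "param2": "1",
     "Binary": service_name_to_binary_hex("MSMQ") + "0000"},
    # 2: localized display name and no Binary field collected: the event is missed
    {"Provider_Name": SCM, "EventID": 7034, "param1": "Nachrichtenwarteschlange", "param2": "1"},
    # 3: a different service crashing: out of scope for this rule
    {"Provider_Name": SCM, "EventID": 7034, "param1": "Print Spooler", "param2": "1",
     "Binary": service_name_to_binary_hex("Spooler") + "0000"},
    # 4: a clean stop (7036) of MSMQ is not an unexpected termination
    {"Provider_Name": SCM, "EventID": 7036, "param1": "Message Queuing", "param2": "stopped",
     "Binary": service_name_to_binary_hex("MSMQ") + "0000"},
    # 5: lowercase service name and uppercase hex from the collector; contains is case-insensitive
    {"Provider_Name": SCM, "EventID": "7034", "param1": "", "param2": "2",
     "Binary": service_name_to_binary_hex("msmq").upper() + "0000"},
]

if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: param1={ev['param1']!r} Binary={ev.get('Binary')}")
```

Events 0, 1 and 5 fire; event 2 is the gap the rule's comment warns about, so confirm your collector forwards the `Binary` field (in the raw event it is the `EventData/Binary` element) before relying on this rule on non-English hosts. On a live system the same events can be pulled with `Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7034}` to compare the display name and binary data against what your SIEM received.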
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity