Suspicious Windows Service Tampering

Sep 22, 2025 · attack.defense-evasion attack.impact attack.t1489 attack.t1562.001 ·

Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts

Sigma rule (View on GitHub)

  1title: Suspicious Windows Service Tampering
  2id: ce72ef99-22f1-43d4-8695-419dcb5d9330
  3related:
  4    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
  5      type: obsolete
  6    - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
  7      type: obsolete
  8    - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
  9      type: obsolete
 10status: test
 11description: |
 12        Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
 13references:
 14    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
 15    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
 16    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 17    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
 18    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 19    - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/delete-method-in-class-win32-service
 20author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems)
 21date: 2022-09-01
 22modified: 2025-08-27
 23tags:
 24    - attack.defense-evasion
 25    - attack.impact
 26    - attack.t1489
 27    - attack.t1562.001
 28logsource:
 29    category: process_creation
 30    product: windows
 31detection:
 32    selection_tools_img:
 33        - OriginalFileName:
 34              - 'net.exe'
 35              - 'net1.exe'
 36              - 'PowerShell_ISE.EXE'
 37              - 'PowerShell.EXE'
 38              - 'psservice.exe'
 39              - 'pwsh.dll'
 40              - 'sc.exe'
 41              - 'wmic.exe'
 42        - Image|endswith:
 43              - '\net.exe'
 44              - '\net1.exe'
 45              - '\PowerShell_ISE.EXE'
 46              - '\powershell.exe'
 47              - '\PsService.exe'
 48              - '\PsService64.exe'
 49              - '\pwsh.exe'
 50              - '\sc.exe'
 51              - '\wmic.exe' # wmic process call win32_service where name='servicename' delete
 52    selection_tools_cli:
 53        - CommandLine|contains:
 54              - ' delete '
 55              - '.delete()' # Get-WmiObject win32_service -Filter "name='$serviceName'" ).delete()
 56              - ' pause ' # Covers flags from: PsService and Sc.EXE
 57              - ' stop ' # Covers flags from: PsService.EXE, Net.EXE and Sc.EXE
 58              - 'Stop-Service '
 59              - 'Remove-Service '
 60        - CommandLine|contains|all:
 61              - 'config'
 62              - 'start=disabled'
 63    selection_services:
 64        CommandLine|contains:
 65            - '143Svc'
 66            - 'Acronis VSS Provider'
 67            - 'AcronisAgent'
 68            - 'AcrSch2Svc'
 69            - 'AdobeARMservice'
 70            - 'AHS Service'
 71            - 'Antivirus'
 72            - 'Apache4'
 73            - 'ARSM'
 74            - 'aswBcc'
 75            - 'AteraAgent'
 76            - 'Avast Business Console Client Antivirus Service'
 77            - 'avast! Antivirus'
 78            - 'AVG Antivirus'
 79            - 'avgAdminClient'
 80            - 'AvgAdminServer'
 81            - 'AVP1'
 82            - 'BackupExec'
 83            - 'bedbg'
 84            - 'BITS'
 85            - 'BrokerInfrastructure'
 86            - 'CASLicenceServer'
 87            - 'CASWebServer'
 88            - 'Client Agent 7.60'
 89            - 'Core Browsing Protection'
 90            - 'Core Mail Protection'
 91            - 'Core Scanning Server'
 92            - 'DCAgent'
 93            - 'dwmrcs'
 94            - 'EhttpSr'
 95            - 'ekrn'
 96            - 'Enterprise Client Service'
 97            - 'epag'
 98            - 'EPIntegrationService'
 99            - 'EPProtectedService'
100            - 'EPRedline'
101            - 'EPSecurityService'
102            - 'EPUpdateService'
103            - 'EraserSvc11710'
104            - 'EsgShKernel'
105            - 'ESHASRV'
106            - 'FA_Scheduler'
107            - 'FirebirdGuardianDefaultInstance'
108            - 'FirebirdServerDefaultInstance'
109            - 'FontCache3.0.0.0'
110            - 'HealthTLService'
111            - 'hmpalertsvc'
112            - 'HMS'
113            - 'HostControllerService'
114            - 'hvdsvc'
115            - 'IAStorDataMgrSvc'
116            - 'IBMHPS'
117            - 'ibmspsvc'
118            - 'IISAdmin'
119            - 'IMANSVC'
120            - 'IMAP4Svc'
121            - 'instance2'
122            - 'KAVFS'
123            - 'KAVFSGT'
124            - 'kavfsslp'
125            - 'KeyIso'
126            - 'klbackupdisk'
127            - 'klbackupflt'
128            - 'klflt'
129            - 'klhk'
130            - 'KLIF'
131            - 'klim6'
132            - 'klkbdflt'
133            - 'klmouflt'
134            - 'klnagent'
135            - 'klpd'
136            - 'kltap'
137            - 'KSDE1.0.0'
138            - 'LogProcessorService'
139            - 'M8EndpointAgent'
140            - 'macmnsvc'
141            - 'masvc'
142            - 'MBAMService'
143            - 'MBCloudEA'
144            - 'MBEndpointAgent'
145            - 'McAfeeDLPAgentService'
146            - 'McAfeeEngineService'
147            - 'MCAFEEEVENTPARSERSRV'
148            - 'McAfeeFramework'
149            - 'MCAFEETOMCATSRV530'
150            - 'McShield'
151            - 'McTaskManager'
152            - 'mfefire'
153            - 'mfemms'
154            - 'mfevto'
155            - 'mfevtp'
156            - 'mfewc'
157            - 'MMS'
158            - 'mozyprobackup'
159            - 'mpssvc'
160            - 'MSComplianceAudit'
161            - 'MSDTC'
162            - 'MsDtsServer'
163            - 'MSExchange'
164            - 'msftesq1SPROO'
165            - 'msftesql$PROD'
166            - 'msftesql$SQLEXPRESS'
167            - 'MSOLAP$SQL_2008'
168            - 'MSOLAP$SYSTEM_BGC'
169            - 'MSOLAP$TPS'
170            - 'MSOLAP$TPSAMA'
171            - 'MSOLAPSTPS'
172            - 'MSOLAPSTPSAMA'
173            - 'mssecflt'
174            - 'MSSQ!I.SPROFXENGAGEMEHT'
175            - 'MSSQ0SHAREPOINT'
176            - 'MSSQ0SOPHOS'
177            - 'MSSQL'
178            - 'MSSQLFDLauncher$'
179            - 'MySQL'
180            - 'NanoServiceMain'
181            - 'NetMsmqActivator'
182            - 'NetPipeActivator'
183            - 'netprofm'
184            - 'NetTcpActivator'
185            - 'NetTcpPortSharing'
186            - 'ntrtscan'
187            - 'nvspwmi'
188            - 'ofcservice'
189            - 'Online Protection System'
190            - 'OracleClientCache80'
191            - 'OracleDBConsole'
192            - 'OracleMTSRecoveryService'
193            - 'OracleOraDb11g_home1'
194            - 'OracleService'
195            - 'OracleVssWriter'
196            - 'osppsvc'
197            - 'PandaAetherAgent'
198            - 'PccNTUpd'
199            - 'PDVFSService'
200            - 'POP3Svc'
201            - 'postgresql-x64-9.4'
202            - 'POVFSService'
203            - 'PSUAService'
204            - 'Quick Update Service'
205            - 'RepairService'
206            - 'ReportServer'
207            - 'ReportServer$'
208            - 'RESvc'
209            - 'RpcEptMapper'
210            - 'sacsvr'
211            - 'SamSs'
212            - 'SAVAdminService'
213            - 'SAVService'
214            - 'ScSecSvc'
215            - 'SDRSVC'
216            - 'SearchExchangeTracing'
217            - 'sense'
218            - 'SentinelAgent'
219            - 'SentinelHelperService'
220            - 'SepMasterService'
221            - 'ShMonitor'
222            - 'Smcinst'
223            - 'SmcService'
224            - 'SMTPSvc'
225            - 'SNAC'
226            - 'SntpService'
227            - 'Sophos'
228            - 'SQ1SafeOLRService'
229            - 'SQL Backups'
230            - 'SQL Server'
231            - 'SQLAgent'
232            - 'SQLANYs_Sage_FAS_Fixed_Assets'
233            - 'SQLBrowser'
234            - 'SQLsafe'
235            - 'SQLSERVERAGENT'
236            - 'SQLTELEMETRY'
237            - 'SQLWriter'
238            - 'SSISTELEMETRY130'
239            - 'SstpSvc'
240            - 'storflt'
241            - 'svcGenericHost'
242            - 'swc_service'
243            - 'swi_filter'
244            - 'swi_service'
245            - 'swi_update'
246            - 'Symantec'
247            - 'sysmon'
248            - 'TeamViewer'
249            - 'Telemetryserver'
250            - 'ThreatLockerService'
251            - 'TMBMServer'
252            - 'TmCCSF'
253            - 'TmFilter'
254            - 'TMiCRCScanService'
255            - 'tmlisten'
256            - 'TMLWCSService'
257            - 'TmPfw'
258            - 'TmPreFilter'
259            - 'TmProxy'
260            - 'TMSmartRelayService'
261            - 'tmusa'
262            - 'Tomcat'
263            - 'Trend Micro Deep Security Manager'
264            - 'TrueKey'
265            - 'UFNet'
266            - 'UI0Detect'
267            - 'UniFi'
268            - 'UTODetect'
269            - 'vds'
270            - 'Veeam'
271            - 'VeeamDeploySvc'
272            - 'Veritas System Recovery'
273            - 'vmic'
274            - 'VMTools'
275            - 'vmvss'
276            - 'VSApiNt'
277            - 'VSS'
278            - 'W3Svc'
279            - 'wbengine'
280            - 'WdNisSvc'
281            - 'WeanClOudSve'
282            - 'Weems JY'
283            - 'WinDefend'
284            - 'wmms'
285            - 'wozyprobackup'
286            - 'WPFFontCache_v0400'
287            - 'WRSVC'
288            - 'wsbexchange'
289            - 'WSearch'
290            - 'wscsvc'
291            - 'Zoolz 2 Service'
292    condition: all of selection_*
293falsepositives:
294    - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
295level: high

References

ÿØÿàJFIF��ÿÛC ÿÛC ÿÀ’"ÿÄ ÿÄµ}!1AQa"q2�‘¡#B±ÁRÑð$3br‚ %&'()*456...

Read More
https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html

Read More
atomic-red-team/atomics/T1562.001/T1562.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More
https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/

Read More
VirusTotal

VirusTotal

Read More
Delete method of the Win32_Service class (CIMWin32 WMI Providers) - Win32 apps

Delete method of the Win32_Service class (CIMWin32 WMI Providers) - The Delete&\#8194;WMI class method deletes an existing service.

Read More

Suspicious Windows Service Tampering

Sigma rule (View on GitHub)

References

https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html

atomic-red-team/atomics/T1562.001/T1562.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/

VirusTotal

Delete method of the Win32_Service class (CIMWin32 WMI Providers) - Win32 apps

Related rules