Suspicious Windows Service Tampering
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
Sigma rule
```yaml
title: Suspicious Windows Service Tampering
id: ce72ef99-22f1-43d4-8695-419dcb5d9330
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
    - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
      type: obsolete
    - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
      type: obsolete
status: test
description: |
    Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
references:
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
    - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/delete-method-in-class-win32-service
author: Nasreddine Bencherchali (Nextron Systems), frack113, X__Junior (Nextron Systems)
date: 2022-09-01
modified: 2025-08-27
tags:
    - attack.defense-evasion
    - attack.impact
    - attack.t1489
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_img:
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
              - 'PowerShell_ISE.EXE'
              - 'PowerShell.EXE'
              - 'psservice.exe'
              - 'pwsh.dll'
              - 'sc.exe'
              - 'wmic.exe'
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
              - '\PowerShell_ISE.EXE'
              - '\powershell.exe'
              - '\PsService.exe'
              - '\PsService64.exe'
              - '\pwsh.exe'
              - '\sc.exe'
              - '\wmic.exe' # wmic process call win32_service where name='servicename' delete
    selection_tools_cli:
        - CommandLine|contains:
              - ' delete '
              - '.delete()' # Get-WmiObject win32_service -Filter "name='$serviceName'" ).delete()
              - ' pause ' # Covers flags from: PsService and Sc.EXE
              - ' stop ' # Covers flags from: PsService.EXE, Net.EXE and Sc.EXE
              - 'Stop-Service '
              - 'Remove-Service '
        - CommandLine|contains|all:
              - 'config'
              - 'start=disabled'
    selection_services:
        CommandLine|contains:
            - '143Svc'
            - 'Acronis VSS Provider'
            - 'AcronisAgent'
            - 'AcrSch2Svc'
            - 'AdobeARMservice'
            - 'AHS Service'
            - 'Antivirus'
            - 'Apache4'
            - 'ARSM'
            - 'aswBcc'
            - 'AteraAgent'
            - 'Avast Business Console Client Antivirus Service'
            - 'avast! Antivirus'
            - 'AVG Antivirus'
            - 'avgAdminClient'
            - 'AvgAdminServer'
            - 'AVP1'
            - 'BackupExec'
            - 'bedbg'
            - 'BITS'
            - 'BrokerInfrastructure'
            - 'CASLicenceServer'
            - 'CASWebServer'
            - 'Client Agent 7.60'
            - 'Core Browsing Protection'
            - 'Core Mail Protection'
            - 'Core Scanning Server'
            - 'DCAgent'
            - 'dwmrcs'
            - 'EhttpSr'
            - 'ekrn'
            - 'Enterprise Client Service'
            - 'epag'
            - 'EPIntegrationService'
            - 'EPProtectedService'
            - 'EPRedline'
            - 'EPSecurityService'
            - 'EPUpdateService'
            - 'EraserSvc11710'
            - 'EsgShKernel'
            - 'ESHASRV'
            - 'FA_Scheduler'
            - 'FirebirdGuardianDefaultInstance'
            - 'FirebirdServerDefaultInstance'
            - 'FontCache3.0.0.0'
            - 'HealthTLService'
            - 'hmpalertsvc'
            - 'HMS'
            - 'HostControllerService'
            - 'hvdsvc'
            - 'IAStorDataMgrSvc'
            - 'IBMHPS'
            - 'ibmspsvc'
            - 'IISAdmin'
            - 'IMANSVC'
            - 'IMAP4Svc'
            - 'instance2'
            - 'KAVFS'
            - 'KAVFSGT'
            - 'kavfsslp'
            - 'KeyIso'
            - 'klbackupdisk'
            - 'klbackupflt'
            - 'klflt'
            - 'klhk'
            - 'KLIF'
            - 'klim6'
            - 'klkbdflt'
            - 'klmouflt'
            - 'klnagent'
            - 'klpd'
            - 'kltap'
            - 'KSDE1.0.0'
            - 'LogProcessorService'
            - 'M8EndpointAgent'
            - 'macmnsvc'
            - 'masvc'
            - 'MBAMService'
            - 'MBCloudEA'
            - 'MBEndpointAgent'
            - 'McAfeeDLPAgentService'
            - 'McAfeeEngineService'
            - 'MCAFEEEVENTPARSERSRV'
            - 'McAfeeFramework'
            - 'MCAFEETOMCATSRV530'
            - 'McShield'
            - 'McTaskManager'
            - 'mfefire'
            - 'mfemms'
            - 'mfevto'
            - 'mfevtp'
            - 'mfewc'
            - 'MMS'
            - 'mozyprobackup'
            - 'mpssvc'
            - 'MSComplianceAudit'
            - 'MSDTC'
            - 'MsDtsServer'
            - 'MSExchange'
            - 'msftesq1SPROO'
            - 'msftesql$PROD'
            - 'msftesql$SQLEXPRESS'
            - 'MSOLAP$SQL_2008'
            - 'MSOLAP$SYSTEM_BGC'
            - 'MSOLAP$TPS'
            - 'MSOLAP$TPSAMA'
            - 'MSOLAPSTPS'
            - 'MSOLAPSTPSAMA'
            - 'mssecflt'
            - 'MSSQ!I.SPROFXENGAGEMEHT'
            - 'MSSQ0SHAREPOINT'
            - 'MSSQ0SOPHOS'
            - 'MSSQL'
            - 'MSSQLFDLauncher$'
            - 'MySQL'
            - 'NanoServiceMain'
            - 'NetMsmqActivator'
            - 'NetPipeActivator'
            - 'netprofm'
            - 'NetTcpActivator'
            - 'NetTcpPortSharing'
            - 'ntrtscan'
            - 'nvspwmi'
            - 'ofcservice'
            - 'Online Protection System'
            - 'OracleClientCache80'
            - 'OracleDBConsole'
            - 'OracleMTSRecoveryService'
            - 'OracleOraDb11g_home1'
            - 'OracleService'
            - 'OracleVssWriter'
            - 'osppsvc'
            - 'PandaAetherAgent'
            - 'PccNTUpd'
            - 'PDVFSService'
            - 'POP3Svc'
            - 'postgresql-x64-9.4'
            - 'POVFSService'
            - 'PSUAService'
            - 'Quick Update Service'
            - 'RepairService'
            - 'ReportServer'
            - 'ReportServer$'
            - 'RESvc'
            - 'RpcEptMapper'
            - 'sacsvr'
            - 'SamSs'
            - 'SAVAdminService'
            - 'SAVService'
            - 'ScSecSvc'
            - 'SDRSVC'
            - 'SearchExchangeTracing'
            - 'sense'
            - 'SentinelAgent'
            - 'SentinelHelperService'
            - 'SepMasterService'
            - 'ShMonitor'
            - 'Smcinst'
            - 'SmcService'
            - 'SMTPSvc'
            - 'SNAC'
            - 'SntpService'
            - 'Sophos'
            - 'SQ1SafeOLRService'
            - 'SQL Backups'
            - 'SQL Server'
            - 'SQLAgent'
            - 'SQLANYs_Sage_FAS_Fixed_Assets'
            - 'SQLBrowser'
            - 'SQLsafe'
            - 'SQLSERVERAGENT'
            - 'SQLTELEMETRY'
            - 'SQLWriter'
            - 'SSISTELEMETRY130'
            - 'SstpSvc'
            - 'storflt'
            - 'svcGenericHost'
            - 'swc_service'
            - 'swi_filter'
            - 'swi_service'
            - 'swi_update'
            - 'Symantec'
            - 'sysmon'
            - 'TeamViewer'
            - 'Telemetryserver'
            - 'ThreatLockerService'
            - 'TMBMServer'
            - 'TmCCSF'
            - 'TmFilter'
            - 'TMiCRCScanService'
            - 'tmlisten'
            - 'TMLWCSService'
            - 'TmPfw'
            - 'TmPreFilter'
            - 'TmProxy'
            - 'TMSmartRelayService'
            - 'tmusa'
            - 'Tomcat'
            - 'Trend Micro Deep Security Manager'
            - 'TrueKey'
            - 'UFNet'
            - 'UI0Detect'
            - 'UniFi'
            - 'UTODetect'
            - 'vds'
            - 'Veeam'
            - 'VeeamDeploySvc'
            - 'Veritas System Recovery'
            - 'vmic'
            - 'VMTools'
            - 'vmvss'
            - 'VSApiNt'
            - 'VSS'
            - 'W3Svc'
            - 'wbengine'
            - 'WdNisSvc'
            - 'WeanClOudSve'
            - 'Weems JY'
            - 'WinDefend'
            - 'wmms'
            - 'wozyprobackup'
            - 'WPFFontCache_v0400'
            - 'WRSVC'
            - 'wsbexchange'
            - 'WSearch'
            - 'wscsvc'
            - 'Zoolz 2 Service'
    condition: all of selection_*
falsepositives:
    - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
level: high
```
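To see what the three selections actually require of an event, the following script evaluates the rule's logic literally over a handful of constructed process_creation events. This is an added example for this page, not SigmaHQ or pySigma code: it reproduces only the matching semantics the rule depends on (Sigma string matching is case-insensitive, a list of values under one field is an OR, a list of maps under a selection is an OR, `contains|all` is an AND, and `condition: all of selection_*` ANDs the three selections). The sample events and their field values are made up, the field names follow the Sigma process_creation taxonomy the rule uses, and `SERVICE_NAMES` is a short subset of the rule's `selection_services` list chosen for these samples.

```python
"""Literal evaluation of the rule's three selections over constructed events."""

# Values copied from the rule above. SERVICE_NAMES is a subset of the rule's
# selection_services list, just enough for the sample events below.
TOOL_ORIGINAL_FILENAMES = ["net.exe", "net1.exe", "PowerShell_ISE.EXE", "PowerShell.EXE",
                           "psservice.exe", "pwsh.dll", "sc.exe", "wmic.exe"]
TOOL_IMAGE_SUFFIXES = ["\\net.exe", "\\net1.exe", "\\PowerShell_ISE.EXE", "\\powershell.exe",
                       "\\PsService.exe", "\\PsService64.exe", "\\pwsh.exe", "\\sc.exe", "\\wmic.exe"]
CLI_CONTAINS = [" delete ", ".delete()", " pause ", " stop ", "Stop-Service ", "Remove-Service "]
CLI_CONTAINS_ALL = ["config", "start=disabled"]
SERVICE_NAMES = ["WinDefend", "Sophos", "Veeam", "MSSQL", "VSS", "BITS", "sense", "wbengine"]


def _field(event, name):
    """Return a field lowered for case-insensitive comparison ('' if absent)."""
    return str(event.get(name, "")).lower()


def selection_tools_img(event):
    """OriginalFileName equals one of the names OR Image ends with one of the suffixes."""
    original = _field(event, "OriginalFileName")
    image = _field(event, "Image")
    return (original in {n.lower() for n in TOOL_ORIGINAL_FILENAMES}
            or any(image.endswith(s.lower()) for s in TOOL_IMAGE_SUFFIXES))


def selection_tools_cli(event):
    """Any single verb substring OR both strings of the contains|all clause."""
    cmdline = _field(event, "CommandLine")
    return (any(p.lower() in cmdline for p in CLI_CONTAINS)
            or all(p.lower() in cmdline for p in CLI_CONTAINS_ALL))


def selection_services(event):
    """Command line names at least one of the listed services."""
    cmdline = _field(event, "CommandLine")
    return any(s.lower() in cmdline for s in SERVICE_NAMES)


def matches(event):
    """condition: all of selection_*"""
    return selection_tools_img(event) and selection_tools_cli(event) and selection_services(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    "sc_stop": {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
                "CommandLine": "sc.exe stop WinDefend"},
    "net_stop": {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
                 "CommandLine": 'net stop "Sophos Endpoint Defense Service" /y'},
    # pwsh.exe carries OriginalFileName 'pwsh.dll', which is why the rule lists that name.
    "ps_stop_service": {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
                        "CommandLine": 'pwsh.exe -c "Stop-Service -Name sense -Force"'},
    "sc_config_nospace": {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
                          "CommandLine": "sc.exe config WinDefend start=disabled"},
    # The documented sc.exe syntax puts a space after '='; the rule's 'start=disabled'
    # literal does not cover that spelling, so check which form your telemetry records.
    "sc_config_space": {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
                        "CommandLine": "sc.exe config WinDefend start= disabled"},
    # ' delete ' has a trailing space; a line that ends in 'delete' does not contain it.
    "wmic_delete_last_token": {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
                               "CommandLine": "wmic service where name='VeeamDeploySvc' delete"},
    "sc_query_benign": {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
                        "CommandLine": "sc.exe query WinDefend"},
    # A stop verb against a service the rule does not list (hypothetical name) does not fire.
    "sc_stop_unlisted": {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
                         "CommandLine": "sc.exe stop ContosoUpdaterSvc"},
}


def evaluate_samples():
    """Map each sample name to whether the rule fires on it."""
    return {name: matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'no hit'}  {name}: {SAMPLE_EVENTS[name]['CommandLine']}")
```

The two non-firing tampering samples are the ones worth testing against your own pipeline: both come down to whitespace in the rule's literals, and whether they fire depends on exactly how `sc.exe` and `wmic.exe` command lines are recorded by your process-creation source.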
Related rules
- Load Of RstrtMgr.DLL By A Suspicious Process
- Load Of RstrtMgr.DLL By An Uncommon Process
- IISReset Used to Stop IIS Services
- Azure Application Deleted
- Sysmon Configuration Update