Suspicious Windows Service Tampering
Detects the use of binaries such as 'net', 'sc' or 'powershell' to stop, pause or delete critical or important Windows services such as AV, backup, etc., as seen in some ransomware scripts.
Sigma rule
title: Suspicious Windows Service Tampering
id: ce72ef99-22f1-43d4-8695-419dcb5d9330
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: derived
    - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
      type: obsoletes
    - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
      type: obsoletes
status: experimental
description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
references:
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022/09/01
modified: 2023/08/07
tags:
    - attack.defense_evasion
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_net_img:
        - OriginalFileName:
            - 'net.exe'
            - 'net1.exe'
        - Image|endswith:
            - '\net.exe'
            - '\net1.exe'
    selection_net_cli:
        CommandLine|contains: ' stop '
    selection_sc_img:
        - OriginalFileName: 'sc.exe'
        - Image|endswith: '\sc.exe'
    selection_sc_cli:
        CommandLine|contains:
            - ' stop '
            - ' delete '
            - ' pause '
    selection_pwsh_img:
        - OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
        - Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'Stop-Service '
            - 'Remove-Service '
    selection_services:
        CommandLine|contains:
            - '143Svc'
            - 'Acronis VSS Provider'
            - 'AcronisAgent'
            - 'AcrSch2Svc'
            - 'Antivirus'
            - 'ARSM'
            - 'aswBcc'
            - 'Avast Business Console Client Antivirus Service'
            - 'avast! Antivirus'
            - 'AVG Antivirus'
            - 'avgAdminClient'
            - 'AvgAdminServer'
            - 'AVP1' # Covers multiple AVP versions
            - 'BackupExec'
            - 'bedbg'
            - 'BITS'
            - 'BrokerInfrastructure'
            - 'Client Agent 7.60'
            - 'Core Browsing Protection'
            - 'Core Mail Protection'
            - 'Core Scanning Server' # Covers 'Core Scanning ServerEx'
            - 'DCAgent'
            - 'EhttpSr' # Covers 'EhttpSry', 'EhttpSrv'
            - 'ekrn' # Covers 'ekrnEpsw'
            - 'Enterprise Client Service'
            - 'epag'
            - 'EPIntegrationService'
            - 'EPProtectedService'
            - 'EPRedline'
            - 'EPSecurityService'
            - 'EPUpdateService'
            - 'EraserSvc11710'
            - 'EsgShKernel'
            - 'ESHASRV'
            - 'FA_Scheduler'
            - 'FirebirdGuardianDefaultInstance'
            - 'FirebirdServerDefaultInstance'
            - 'HealthTLService'
            - 'MSSQLFDLauncher$' # Covers 'SHAREPOINT', 'TPS', 'SBSMonitoring', etc.
            - 'hmpalertsvc'
            - 'HMS'
            - 'IISAdmin'
            - 'IMANSVC'
            - 'IMAP4Svc'
            - 'KAVFS'
            - 'KAVFSGT'
            - 'kavfsslp'
            - 'klbackupdisk'
            - 'klbackupflt'
            - 'klflt'
            - 'klhk'
            - 'KLIF'
            - 'klim6'
            - 'klkbdflt'
            - 'klmouflt'
            - 'klnagent'
            - 'klpd'
            - 'kltap'
            - 'KSDE1.0.0'
            - 'LogProcessorService'
            - 'M8EndpointAgent'
            - 'macmnsvc'
            - 'masvc'
            - 'MBAMService'
            - 'MBCloudEA'
            - 'MBEndpointAgent'
            - 'McAfeeDLPAgentService'
            - 'McAfeeEngineService'
            - 'MCAFEEEVENTPARSERSRV'
            - 'McAfeeFramework'
            - 'MCAFEETOMCATSRV530'
            - 'McShield'
            - 'McTaskManager'
            - 'mfefire'
            - 'mfemms'
            - 'mfevto'
            - 'mfevtp'
            - 'mfewc'
            - 'MMS'
            - 'mozyprobackup'
            - 'MsDtsServer'
            - 'MSExchange'
            - 'msftesq1SPROO'
            - 'msftesql$PROD'
            - 'MSOLAP$SQL_2008'
            - 'MSOLAP$SYSTEM_BGC'
            - 'MSOLAP$TPS'
            - 'MSOLAP$TPSAMA'
            - 'MSOLAPSTPS'
            - 'MSOLAPSTPSAMA'
            - 'mssecflt'
            - 'MSSQ!I.SPROFXENGAGEMEHT'
            - 'MSSQ0SHAREPOINT'
            - 'MSSQ0SOPHOS'
            - 'MSSQL'
            - 'MySQL'
            - 'NanoServiceMain'
            - 'NetMsmqActivator'
            - 'ntrtscan'
            - 'ofcservice'
            - 'Online Protection System'
            - 'OracleClientCache80'
            - 'PandaAetherAgent'
            - 'PccNTUpd'
            - 'PDVFSService'
            - 'POP3Svc'
            - 'POVFSService'
            - 'PSUAService'
            - 'Quick Update Service'
            - 'RepairService'
            - 'ReportServer'
            - 'ReportServer$'
            - 'RESvc'
            - 'RpcEptMapper'
            - 'sacsvr'
            - 'SamSs'
            - 'SAVAdminService'
            - 'SAVService'
            - 'ScSecSvc'
            - 'SDRSVC'
            - 'sense'
            - 'SentinelAgent'
            - 'SentinelHelperService'
            - 'SepMasterService'
            - 'ShMonitor'
            - 'Smcinst'
            - 'SmcService'
            - 'SMTPSvc'
            - 'SNAC'
            - 'SntpService'
            - 'Sophos'
            - 'SQ1SafeOLRService'
            - 'SQL Backups'
            - 'SQL Server'
            - 'SQLAgent'
            - 'SQLBrowser'
            - 'SQLsafe'
            - 'SQLSERVERAGENT'
            - 'SQLTELEMETRY'
            - 'SQLWriter'
            - 'SSISTELEMETRY130'
            - 'SstpSvc'
            - 'svcGenericHost'
            - 'swc_service'
            - 'swi_filter'
            - 'swi_service'
            - 'swi_update'
            - 'Symantec'
            - 'Telemetryserver'
            - 'ThreatLockerService'
            - 'TMBMServer'
            - 'TmCCSF'
            - 'TmFilter'
            - 'TMiCRCScanService'
            - 'tmlisten'
            - 'TMLWCSService'
            - 'TmPfw'
            - 'TmPreFilter'
            - 'TmProxy'
            - 'TMSmartRelayService'
            - 'tmusa'
            - 'Trend Micro Deep Security Manager'
            - 'TrueKey'
            - 'UI0Detect'
            - 'UTODetect'
            - 'Veeam'
            - 'VeeamDeploySvc'
            - 'Veritas System Recovery'
            - 'VSApiNt'
            - 'VSS'
            - 'W3Svc'
            - 'wbengine'
            - 'WdNisSvc'
            - 'WeanClOudSve'
            - 'Weems JY'
            - 'WinDefend'
            - 'wozyprobackup'
            - 'WRSVC'
            - 'Zoolz 2 Service'
    condition: selection_services and (all of selection_net_* or all of selection_pwsh_* or all of selection_sc_*)
falsepositives:
    - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
level: high
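
The rule's condition evaluated over constructed process-creation events, as an added example that is not part of the Sigma rule or the SigmaHQ project. The service list is a five-entry subset of selection_services, and the events (including the hypothetical service name CommonSenseUpdater and the renamed binary svc.exe) are made up for illustration.

```python
# Added example: evaluates the rule's condition over constructed events.
# SERVICES is a five-entry subset of selection_services, for brevity.
SERVICES = ["WinDefend", "VSS", "SQLWriter", "Veeam", "sense"]

# Per tool: (OriginalFileName values, Image suffixes, CommandLine keywords)
TOOLS = {
    "net":  (["net.exe", "net1.exe"], [r"\net.exe", r"\net1.exe"], [" stop "]),
    "sc":   (["sc.exe"], [r"\sc.exe"], [" stop ", " delete ", " pause "]),
    "pwsh": (["PowerShell.EXE", "pwsh.dll"],
             [r"\powershell.exe", r"\pwsh.exe"],
             ["Stop-Service ", "Remove-Service "]),
}

def _contains_any(value, needles):
    v = value.lower()  # Sigma string matching is case-insensitive by default
    return any(n.lower() in v for n in needles)

def matched_tool(event):
    """Return the tool whose *_img and *_cli selections both match, else None."""
    ofn = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    cli = event.get("CommandLine", "")
    if not _contains_any(cli, SERVICES):            # selection_services
        return None
    for tool, (names, suffixes, keywords) in TOOLS.items():
        # *_img is a list of maps, so its two fields are OR-ed together
        img = ofn in [n.lower() for n in names] or any(
            image.endswith(s.lower()) for s in suffixes)
        if img and _contains_any(cli, keywords):    # all of selection_<tool>_*
            return tool
    return None

def ev(image, ofn, cli):
    return {"Image": image, "OriginalFileName": ofn, "CommandLine": cli}

EVENTS = [  # constructed samples, not real telemetry
    ev(r"C:\Windows\System32\net.exe", "net.exe", "net stop WinDefend /y"),
    # renamed copy of sc.exe: Image no longer matches, OriginalFileName does
    ev(r"C:\Users\Public\svc.exe", "sc.exe", "svc.exe delete VSS"),
    ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "PowerShell.EXE", "powershell.exe -Command Stop-Service -Name SQLWriter -Force"),
    ev(r"C:\Windows\System32\sc.exe", "sc.exe", "sc.exe query WinDefend"),  # no verb
    # hypothetical benign service whose name happens to contain 'sense'
    ev(r"C:\Windows\System32\net.exe", "net.exe", "net stop CommonSenseUpdater"),
]

def evaluate(events=EVENTS):
    return [matched_tool(e) for e in events]

if __name__ == "__main__":
    print(evaluate())
```

The last event fires because short entries such as 'sense' match as substrings anywhere in the command line, which is the kind of hit the rule's false-positive note suggests handling with a parent-process filter rather than by removing the entry.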