Suspicious Windows Service Tampering

  1title: Suspicious Windows Service Tampering
  2id: ce72ef99-22f1-43d4-8695-419dcb5d9330
  3related:
  4    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
  5      type: derived
  6    - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
  7      type: obsolete
  8    - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
  9      type: obsolete
 10status: test
 11description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
 12references:
 13    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
 14    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
 15    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 16    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
 17    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 18author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior
 19date: 2022-09-01
 20modified: 2024-08-25
 21tags:
 22    - attack.defense-evasion
 23    - attack.t1489
 24logsource:
 25    category: process_creation
 26    product: windows
 27detection:
 28    selection_tools_img:
 29        - OriginalFileName:
 30              - 'net.exe'
 31              - 'net1.exe'
 32              - 'PowerShell.EXE'
 33              - 'psservice.exe'
 34              - 'pwsh.dll'
 35              - 'sc.exe'
 36        - Image|endswith:
 37              - '\net.exe'
 38              - '\net1.exe'
 39              - '\powershell.exe'
 40              - '\PsService.exe'
 41              - '\PsService64.exe'
 42              - '\pwsh.exe'
 43              - '\sc.exe'
 44    selection_tools_cli:
 45        - CommandLine|contains:
 46              - ' delete '
 47              - ' pause ' # Covers flags from: PsService and Sc.EXE
 48              - ' stop ' # Covers flags from: PsService.EXE, Net.EXE and Sc.EXE
 49              - 'Stop-Service '
 50              - 'Remove-Service '
 51        - CommandLine|contains|all:
 52              - 'config'
 53              - 'start=disabled'
 54    selection_services:
 55        CommandLine|contains:
 56            - '143Svc'
 57            - 'Acronis VSS Provider'
 58            - 'AcronisAgent'
 59            - 'AcrSch2Svc'
 60            - 'AdobeARMservice'
 61            - 'AHS Service'
 62            - 'Antivirus'
 63            - 'Apache4'
 64            - 'ARSM'
 65            - 'aswBcc'
 66            - 'AteraAgent'
 67            - 'Avast Business Console Client Antivirus Service'
 68            - 'avast! Antivirus'
 69            - 'AVG Antivirus'
 70            - 'avgAdminClient'
 71            - 'AvgAdminServer'
 72            - 'AVP1'
 73            - 'BackupExec'
 74            - 'bedbg'
 75            - 'BITS'
 76            - 'BrokerInfrastructure'
 77            - 'CASLicenceServer'
 78            - 'CASWebServer'
 79            - 'Client Agent 7.60'
 80            - 'Core Browsing Protection'
 81            - 'Core Mail Protection'
 82            - 'Core Scanning Server'
 83            - 'DCAgent'
 84            - 'dwmrcs'
 85            - 'EhttpSr'
 86            - 'ekrn'
 87            - 'Enterprise Client Service'
 88            - 'epag'
 89            - 'EPIntegrationService'
 90            - 'EPProtectedService'
 91            - 'EPRedline'
 92            - 'EPSecurityService'
 93            - 'EPUpdateService'
 94            - 'EraserSvc11710'
 95            - 'EsgShKernel'
 96            - 'ESHASRV'
 97            - 'FA_Scheduler'
 98            - 'FirebirdGuardianDefaultInstance'
 99            - 'FirebirdServerDefaultInstance'
100            - 'FontCache3.0.0.0'
101            - 'HealthTLService'
102            - 'hmpalertsvc'
103            - 'HMS'
104            - 'HostControllerService'
105            - 'hvdsvc'
106            - 'IAStorDataMgrSvc'
107            - 'IBMHPS'
108            - 'ibmspsvc'
109            - 'IISAdmin'
110            - 'IMANSVC'
111            - 'IMAP4Svc'
112            - 'instance2'
113            - 'KAVFS'
114            - 'KAVFSGT'
115            - 'kavfsslp'
116            - 'KeyIso'
117            - 'klbackupdisk'
118            - 'klbackupflt'
119            - 'klflt'
120            - 'klhk'
121            - 'KLIF'
122            - 'klim6'
123            - 'klkbdflt'
124            - 'klmouflt'
125            - 'klnagent'
126            - 'klpd'
127            - 'kltap'
128            - 'KSDE1.0.0'
129            - 'LogProcessorService'
130            - 'M8EndpointAgent'
131            - 'macmnsvc'
132            - 'masvc'
133            - 'MBAMService'
134            - 'MBCloudEA'
135            - 'MBEndpointAgent'
136            - 'McAfeeDLPAgentService'
137            - 'McAfeeEngineService'
138            - 'MCAFEEEVENTPARSERSRV'
139            - 'McAfeeFramework'
140            - 'MCAFEETOMCATSRV530'
141            - 'McShield'
142            - 'McTaskManager'
143            - 'mfefire'
144            - 'mfemms'
145            - 'mfevto'
146            - 'mfevtp'
147            - 'mfewc'
148            - 'MMS'
149            - 'mozyprobackup'
150            - 'MSComplianceAudit'
151            - 'MSDTC'
152            - 'MsDtsServer'
153            - 'MSExchange'
154            - 'msftesq1SPROO'
155            - 'msftesql$PROD'
156            - 'msftesql$SQLEXPRESS'
157            - 'MSOLAP$SQL_2008'
158            - 'MSOLAP$SYSTEM_BGC'
159            - 'MSOLAP$TPS'
160            - 'MSOLAP$TPSAMA'
161            - 'MSOLAPSTPS'
162            - 'MSOLAPSTPSAMA'
163            - 'mssecflt'
164            - 'MSSQ!I.SPROFXENGAGEMEHT'
165            - 'MSSQ0SHAREPOINT'
166            - 'MSSQ0SOPHOS'
167            - 'MSSQL'
168            - 'MSSQLFDLauncher$'
169            - 'MySQL'
170            - 'NanoServiceMain'
171            - 'NetMsmqActivator'
172            - 'NetPipeActivator'
173            - 'netprofm'
174            - 'NetTcpActivator'
175            - 'NetTcpPortSharing'
176            - 'ntrtscan'
177            - 'nvspwmi'
178            - 'ofcservice'
179            - 'Online Protection System'
180            - 'OracleClientCache80'
181            - 'OracleDBConsole'
182            - 'OracleMTSRecoveryService'
183            - 'OracleOraDb11g_home1'
184            - 'OracleService'
185            - 'OracleVssWriter'
186            - 'osppsvc'
187            - 'PandaAetherAgent'
188            - 'PccNTUpd'
189            - 'PDVFSService'
190            - 'POP3Svc'
191            - 'postgresql-x64-9.4'
192            - 'POVFSService'
193            - 'PSUAService'
194            - 'Quick Update Service'
195            - 'RepairService'
196            - 'ReportServer'
197            - 'ReportServer$'
198            - 'RESvc'
199            - 'RpcEptMapper'
200            - 'sacsvr'
201            - 'SamSs'
202            - 'SAVAdminService'
203            - 'SAVService'
204            - 'ScSecSvc'
205            - 'SDRSVC'
206            - 'SearchExchangeTracing'
207            - 'sense'
208            - 'SentinelAgent'
209            - 'SentinelHelperService'
210            - 'SepMasterService'
211            - 'ShMonitor'
212            - 'Smcinst'
213            - 'SmcService'
214            - 'SMTPSvc'
215            - 'SNAC'
216            - 'SntpService'
217            - 'Sophos'
218            - 'SQ1SafeOLRService'
219            - 'SQL Backups'
220            - 'SQL Server'
221            - 'SQLAgent'
222            - 'SQLANYs_Sage_FAS_Fixed_Assets'
223            - 'SQLBrowser'
224            - 'SQLsafe'
225            - 'SQLSERVERAGENT'
226            - 'SQLTELEMETRY'
227            - 'SQLWriter'
228            - 'SSISTELEMETRY130'
229            - 'SstpSvc'
230            - 'storflt'
231            - 'svcGenericHost'
232            - 'swc_service'
233            - 'swi_filter'
234            - 'swi_service'
235            - 'swi_update'
236            - 'Symantec'
237            - 'TeamViewer'
238            - 'Telemetryserver'
239            - 'ThreatLockerService'
240            - 'TMBMServer'
241            - 'TmCCSF'
242            - 'TmFilter'
243            - 'TMiCRCScanService'
244            - 'tmlisten'
245            - 'TMLWCSService'
246            - 'TmPfw'
247            - 'TmPreFilter'
248            - 'TmProxy'
249            - 'TMSmartRelayService'
250            - 'tmusa'
251            - 'Tomcat'
252            - 'Trend Micro Deep Security Manager'
253            - 'TrueKey'
254            - 'UFNet'
255            - 'UI0Detect'
256            - 'UniFi'
257            - 'UTODetect'
258            - 'vds'
259            - 'Veeam'
260            - 'VeeamDeploySvc'
261            - 'Veritas System Recovery'
262            - 'vmic'
263            - 'VMTools'
264            - 'vmvss'
265            - 'VSApiNt'
266            - 'VSS'
267            - 'W3Svc'
268            - 'wbengine'
269            - 'WdNisSvc'
270            - 'WeanClOudSve'
271            - 'Weems JY'
272            - 'WinDefend'
273            - 'wmms'
274            - 'wozyprobackup'
275            - 'WPFFontCache_v0400'
276            - 'WRSVC'
277            - 'wsbexchange'
278            - 'Zoolz 2 Service'
279    condition: all of selection_*
280falsepositives:
281    - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
282level: high