Suspicious Windows Service Tampering

Oct 18, 2023 · attack.defense_evasion attack.t1489 ·

Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts

Sigma rule (View on GitHub)

  1title: Suspicious Windows Service Tampering
  2id: ce72ef99-22f1-43d4-8695-419dcb5d9330
  3related:
  4    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
  5      type: derived
  6    - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
  7      type: obsoletes
  8    - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
  9      type: obsoletes
 10status: experimental
 11description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
 12references:
 13    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
 14    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
 15    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 16    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
 17    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 18author: Nasreddine Bencherchali (Nextron Systems), frack113
 19date: 2022/09/01
 20modified: 2023/08/07
 21tags:
 22    - attack.defense_evasion
 23    - attack.t1489
 24logsource:
 25    category: process_creation
 26    product: windows
 27detection:
 28    selection_net_img:
 29        - OriginalFileName:
 30              - 'net.exe'
 31              - 'net1.exe'
 32        - Image|endswith:
 33              - '\net.exe'
 34              - '\net1.exe'
 35    selection_net_cli:
 36        CommandLine|contains: ' stop '
 37    selection_sc_img:
 38        - OriginalFileName: 'sc.exe'
 39        - Image|endswith: '\sc.exe'
 40    selection_sc_cli:
 41        CommandLine|contains:
 42            - ' stop '
 43            - ' delete '
 44            - ' pause '
 45    selection_pwsh_img:
 46        - OriginalFileName:
 47              - 'PowerShell.EXE'
 48              - 'pwsh.dll'
 49        - Image|endswith:
 50              - '\powershell.exe'
 51              - '\pwsh.exe'
 52    selection_pwsh_cli:
 53        CommandLine|contains:
 54            - 'Stop-Service '
 55            - 'Remove-Service '
 56    selection_services:
 57        CommandLine|contains:
 58            - '143Svc'
 59            - 'Acronis VSS Provider'
 60            - 'AcronisAgent'
 61            - 'AcrSch2Svc'
 62            - 'Antivirus'
 63            - 'ARSM'
 64            - 'aswBcc'
 65            - 'Avast Business Console Client Antivirus Service'
 66            - 'avast! Antivirus'
 67            - 'AVG Antivirus'
 68            - 'avgAdminClient'
 69            - 'AvgAdminServer'
 70            - 'AVP1' # Covers multiple AVP versions
 71            - 'BackupExec'
 72            - 'bedbg'
 73            - 'BITS'
 74            - 'BrokerInfrastructure'
 75            - 'Client Agent 7.60'
 76            - 'Core Browsing Protection'
 77            - 'Core Mail Protection'
 78            - 'Core Scanning Server' # Covers 'Core Scanning ServerEx'
 79            - 'DCAgent'
 80            - 'EhttpSr' # Covers 'EhttpSry', 'EhttpSrv'
 81            - 'ekrn' # Covers 'ekrnEpsw'
 82            - 'Enterprise Client Service'
 83            - 'epag'
 84            - 'EPIntegrationService'
 85            - 'EPProtectedService'
 86            - 'EPRedline'
 87            - 'EPSecurityService'
 88            - 'EPUpdateService'
 89            - 'EraserSvc11710'
 90            - 'EsgShKernel'
 91            - 'ESHASRV'
 92            - 'FA_Scheduler'
 93            - 'FirebirdGuardianDefaultInstance'
 94            - 'FirebirdServerDefaultInstance'
 95            - 'HealthTLService'
 96            - 'MSSQLFDLauncher$' # Covers 'SHAREPOINT', 'TPS', 'SBSMonitoring', etc.
 97            - 'hmpalertsvc'
 98            - 'HMS'
 99            - 'IISAdmin'
100            - 'IMANSVC'
101            - 'IMAP4Svc'
102            - 'KAVFS'
103            - 'KAVFSGT'
104            - 'kavfsslp'
105            - 'klbackupdisk'
106            - 'klbackupflt'
107            - 'klflt'
108            - 'klhk'
109            - 'KLIF'
110            - 'klim6'
111            - 'klkbdflt'
112            - 'klmouflt'
113            - 'klnagent'
114            - 'klpd'
115            - 'kltap'
116            - 'KSDE1.0.0'
117            - 'LogProcessorService'
118            - 'M8EndpointAgent'
119            - 'macmnsvc'
120            - 'masvc'
121            - 'MBAMService'
122            - 'MBCloudEA'
123            - 'MBEndpointAgent'
124            - 'McAfeeDLPAgentService'
125            - 'McAfeeEngineService'
126            - 'MCAFEEEVENTPARSERSRV'
127            - 'McAfeeFramework'
128            - 'MCAFEETOMCATSRV530'
129            - 'McShield'
130            - 'McTaskManager'
131            - 'mfefire'
132            - 'mfemms'
133            - 'mfevto'
134            - 'mfevtp'
135            - 'mfewc'
136            - 'MMS'
137            - 'mozyprobackup'
138            - 'MsDtsServer'
139            - 'MSExchange'
140            - 'msftesq1SPROO'
141            - 'msftesql$PROD'
142            - 'MSOLAP$SQL_2008'
143            - 'MSOLAP$SYSTEM_BGC'
144            - 'MSOLAP$TPS'
145            - 'MSOLAP$TPSAMA'
146            - 'MSOLAPSTPS'
147            - 'MSOLAPSTPSAMA'
148            - 'mssecflt'
149            - 'MSSQ!I.SPROFXENGAGEMEHT'
150            - 'MSSQ0SHAREPOINT'
151            - 'MSSQ0SOPHOS'
152            - 'MSSQL'
153            - 'MySQL'
154            - 'NanoServiceMain'
155            - 'NetMsmqActivator'
156            - 'ntrtscan'
157            - 'ofcservice'
158            - 'Online Protection System'
159            - 'OracleClientCache80'
160            - 'PandaAetherAgent'
161            - 'PccNTUpd'
162            - 'PDVFSService'
163            - 'POP3Svc'
164            - 'POVFSService'
165            - 'PSUAService'
166            - 'Quick Update Service'
167            - 'RepairService'
168            - 'ReportServer'
169            - 'ReportServer$'
170            - 'RESvc'
171            - 'RpcEptMapper'
172            - 'sacsvr'
173            - 'SamSs'
174            - 'SAVAdminService'
175            - 'SAVService'
176            - 'ScSecSvc'
177            - 'SDRSVC'
178            - 'sense'
179            - 'SentinelAgent'
180            - 'SentinelHelperService'
181            - 'SepMasterService'
182            - 'ShMonitor'
183            - 'Smcinst'
184            - 'SmcService'
185            - 'SMTPSvc'
186            - 'SNAC'
187            - 'SntpService'
188            - 'Sophos'
189            - 'SQ1SafeOLRService'
190            - 'SQL Backups'
191            - 'SQL Server'
192            - 'SQLAgent'
193            - 'SQLBrowser'
194            - 'SQLsafe'
195            - 'SQLSERVERAGENT'
196            - 'SQLTELEMETRY'
197            - 'SQLWriter'
198            - 'SSISTELEMETRY130'
199            - 'SstpSvc'
200            - 'svcGenericHost'
201            - 'swc_service'
202            - 'swi_filter'
203            - 'swi_service'
204            - 'swi_update'
205            - 'Symantec'
206            - 'Telemetryserver'
207            - 'ThreatLockerService'
208            - 'TMBMServer'
209            - 'TmCCSF'
210            - 'TmFilter'
211            - 'TMiCRCScanService'
212            - 'tmlisten'
213            - 'TMLWCSService'
214            - 'TmPfw'
215            - 'TmPreFilter'
216            - 'TmProxy'
217            - 'TMSmartRelayService'
218            - 'tmusa'
219            - 'Trend Micro Deep Security Manager'
220            - 'TrueKey'
221            - 'UI0Detect'
222            - 'UTODetect'
223            - 'Veeam'
224            - 'VeeamDeploySvc'
225            - 'Veritas System Recovery'
226            - 'VSApiNt'
227            - 'VSS'
228            - 'W3Svc'
229            - 'wbengine'
230            - 'WdNisSvc'
231            - 'WeanClOudSve'
232            - 'Weems JY'
233            - 'WinDefend'
234            - 'wozyprobackup'
235            - 'WRSVC'
236            - 'Zoolz 2 Service'
237    condition: selection_services and (all of selection_net_* or all of selection_pwsh_* or all of selection_sc_*)
238falsepositives:
239    - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
240level: high

References

ÿØÿàJFIF��ÿÛC ÿÛC ÿÀ’"ÿÄ ÿÄµ}!1AQa"q2�‘¡#B±ÁRÑð$3br‚ %&'()*456...

Read More
Read More
atomic-red-team/atomics/T1562.001/T1562.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack

This post explores some of the TTPs employed by a threat actor who were observed deploying LockBit 3.0 ransomware during an incident response engagement.

Read More
VirusTotal

VirusTotal

Read More

Suspicious Windows Service Tampering

Sigma rule (View on GitHub)

References

atomic-red-team/atomics/T1562.001/T1562.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Back in Black: Unlocking a LockBit 3.0 Ransomware Attack

VirusTotal

Related rules