Techniques
Sample rules
Known Services Killed by Ransomware
- source: splunk
- technicques:
- T1490
Description
This search detects a suspicioous termination of known services killed by ransomware before encrypting files in a compromised machine. This technique is commonly seen in most of ransomware now a days to avoid exception error while accessing the targetted files it wants to encrypts because of the open handle of those services to the targetted file.
Detection logic
`wineventlog_system` EventCode=7036 param1 IN ("*Volume Shadow Copy*","*VSS*", "*backup*", "*sophos*", "*sql*", "*memtas*", "*mepocs*", "*veeam*", "*svc$*", "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "RTVscan", "QBFCService", "QBIDPService", "Intuit.QuickBooks.FCS", "QBCFMonitorService" "YooBackup", "YooIT", "*Veeam*", "PDVFSService", "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExec*", "WdBoot", "WdFilter", "WdNisDrv", "WdNisSvc", "WinDefend", "wscsvc", "Sense", "sppsvc", "SecurityHealthService") param2="stopped"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode param1 dest
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `known_services_killed_by_ransomware_filter`