LoFP / administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positives, please consider adding filters to the parent process launching this command and not removing the entry

Techniques

Sample rules

Suspicious Windows Service Tampering

Description

Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc., as seen in some ransomware scripts.

Detection logic

condition: all of selection_*
selection_services:
  CommandLine|contains:
  - 143Svc
  - Acronis VSS Provider
  - AcronisAgent
  - AcrSch2Svc
  - AdobeARMservice
  - AHS Service
  - Antivirus
  - Apache4
  - ARSM
  - aswBcc
  - AteraAgent
  - Avast Business Console Client Antivirus Service
  - avast! Antivirus
  - AVG Antivirus
  - avgAdminClient
  - AvgAdminServer
  - AVP1
  - BackupExec
  - bedbg
  - BITS
  - BrokerInfrastructure
  - CASLicenceServer
  - CASWebServer
  - Client Agent 7.60
  - Core Browsing Protection
  - Core Mail Protection
  - Core Scanning Server
  - DCAgent
  - dwmrcs
  - EhttpSr
  - ekrn
  - Enterprise Client Service
  - epag
  - EPIntegrationService
  - EPProtectedService
  - EPRedline
  - EPSecurityService
  - EPUpdateService
  - EraserSvc11710
  - EsgShKernel
  - ESHASRV
  - FA_Scheduler
  - FirebirdGuardianDefaultInstance
  - FirebirdServerDefaultInstance
  - FontCache3.0.0.0
  - HealthTLService
  - hmpalertsvc
  - HMS
  - HostControllerService
  - hvdsvc
  - IAStorDataMgrSvc
  - IBMHPS
  - ibmspsvc
  - IISAdmin
  - IMANSVC
  - IMAP4Svc
  - instance2
  - KAVFS
  - KAVFSGT
  - kavfsslp
  - KeyIso
  - klbackupdisk
  - klbackupflt
  - klflt
  - klhk
  - KLIF
  - klim6
  - klkbdflt
  - klmouflt
  - klnagent
  - klpd
  - kltap
  - KSDE1.0.0
  - LogProcessorService
  - M8EndpointAgent
  - macmnsvc
  - masvc
  - MBAMService
  - MBCloudEA
  - MBEndpointAgent
  - McAfeeDLPAgentService
  - McAfeeEngineService
  - MCAFEEEVENTPARSERSRV
  - McAfeeFramework
  - MCAFEETOMCATSRV530
  - McShield
  - McTaskManager
  - mfefire
  - mfemms
  - mfevto
  - mfevtp
  - mfewc
  - MMS
  - mozyprobackup
  - MSComplianceAudit
  - MSDTC
  - MsDtsServer
  - MSExchange
  - msftesq1SPROO
  - msftesql$PROD
  - msftesql$SQLEXPRESS
  - MSOLAP$SQL_2008
  - MSOLAP$SYSTEM_BGC
  - MSOLAP$TPS
  - MSOLAP$TPSAMA
  - MSOLAPSTPS
  - MSOLAPSTPSAMA
  - mssecflt
  - MSSQ!I.SPROFXENGAGEMEHT
  - MSSQ0SHAREPOINT
  - MSSQ0SOPHOS
  - MSSQL
  - MSSQLFDLauncher$
  - MySQL
  - NanoServiceMain
  - NetMsmqActivator
  - NetPipeActivator
  - netprofm
  - NetTcpActivator
  - NetTcpPortSharing
  - ntrtscan
  - nvspwmi
  - ofcservice
  - Online Protection System
  - OracleClientCache80
  - OracleDBConsole
  - OracleMTSRecoveryService
  - OracleOraDb11g_home1
  - OracleService
  - OracleVssWriter
  - osppsvc
  - PandaAetherAgent
  - PccNTUpd
  - PDVFSService
  - POP3Svc
  - postgresql-x64-9.4
  - POVFSService
  - PSUAService
  - Quick Update Service
  - RepairService
  - ReportServer
  - ReportServer$
  - RESvc
  - RpcEptMapper
  - sacsvr
  - SamSs
  - SAVAdminService
  - SAVService
  - ScSecSvc
  - SDRSVC
  - SearchExchangeTracing
  - sense
  - SentinelAgent
  - SentinelHelperService
  - SepMasterService
  - ShMonitor
  - Smcinst
  - SmcService
  - SMTPSvc
  - SNAC
  - SntpService
  - Sophos
  - SQ1SafeOLRService
  - SQL Backups
  - SQL Server
  - SQLAgent
  - SQLANYs_Sage_FAS_Fixed_Assets
  - SQLBrowser
  - SQLsafe
  - SQLSERVERAGENT
  - SQLTELEMETRY
  - SQLWriter
  - SSISTELEMETRY130
  - SstpSvc
  - storflt
  - svcGenericHost
  - swc_service
  - swi_filter
  - swi_service
  - swi_update
  - Symantec
  - TeamViewer
  - Telemetryserver
  - ThreatLockerService
  - TMBMServer
  - TmCCSF
  - TmFilter
  - TMiCRCScanService
  - tmlisten
  - TMLWCSService
  - TmPfw
  - TmPreFilter
  - TmProxy
  - TMSmartRelayService
  - tmusa
  - Tomcat
  - Trend Micro Deep Security Manager
  - TrueKey
  - UFNet
  - UI0Detect
  - UniFi
  - UTODetect
  - vds
  - Veeam
  - VeeamDeploySvc
  - Veritas System Recovery
  - vmic
  - VMTools
  - vmvss
  - VSApiNt
  - VSS
  - W3Svc
  - wbengine
  - WdNisSvc
  - WeanClOudSve
  - Weems JY
  - WinDefend
  - wmms
  - wozyprobackup
  - WPFFontCache_v0400
  - WRSVC
  - wsbexchange
  - WSearch
  - Zoolz 2 Service
selection_tools_cli:
- CommandLine|contains:
  - ' delete '
  - ' pause '
  - ' stop '
  - 'Stop-Service '
  - 'Remove-Service '
- CommandLine|contains|all:
  - config
  - start=disabled
selection_tools_img:
- OriginalFileName:
  - net.exe
  - net1.exe
  - PowerShell.EXE
  - psservice.exe
  - pwsh.dll
  - sc.exe
- Image|endswith:
  - \net.exe
  - \net1.exe
  - \powershell.exe
  - \PsService.exe
  - \PsService64.exe
  - \pwsh.exe
  - \sc.exe
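The following is an added example, not part of the LoFP page or the Sigma rule itself. It replays the three selections above (all must hold, per `condition: all of selection_*`) over constructed process-creation events, then applies the parent-process filter the false-positive note recommends instead of deleting the service entry. Assumptions: the service list is trimmed to a handful of the rule's names, `contains`/`endswith` matching is case-insensitive as Sigma backends usually treat it, the parent field is the Sysmon `ParentImage` name, and the trusted-parent allow-list (`msiexec.exe`) is a hypothetical tuning choice for an environment where an installer stops services during upgrades.

```python
"""Replay the 'Suspicious Windows Service Tampering' selections over constructed
process-creation events, then apply the parent-process filter the LoFP entry
recommends. Added example; not the rule author's code."""

# Constructed, abbreviated subset of the rule's selection_services list.
SERVICE_NAMES = ["WinDefend", "VSS", "wbengine", "SQLWriter", "MSSQL",
                 "Sophos", "BITS", "Veeam", "SAVService"]

# selection_tools_cli: either the verb branch or the config|all branch.
CLI_VERBS = [" delete ", " pause ", " stop ", "Stop-Service ", "Remove-Service "]
CLI_CONFIG_ALL = ["config", "start=disabled"]

# selection_tools_img: either the OriginalFileName branch or the Image branch.
ORIGINAL_FILENAMES = {"net.exe", "net1.exe", "powershell.exe",
                      "psservice.exe", "pwsh.dll", "sc.exe"}
IMAGE_SUFFIXES = ("\\net.exe", "\\net1.exe", "\\powershell.exe", "\\psservice.exe",
                  "\\psservice64.exe", "\\pwsh.exe", "\\sc.exe")


def _contains(haystack, needle):
    # Assumption: case-insensitive matching, as Sigma backends generally emit.
    return needle.lower() in haystack.lower()


def selection_services(event):
    cmd = event.get("CommandLine", "")
    return any(_contains(cmd, name) for name in SERVICE_NAMES)


def selection_tools_cli(event):
    cmd = event.get("CommandLine", "")
    verb_hit = any(_contains(cmd, verb) for verb in CLI_VERBS)
    config_hit = all(_contains(cmd, tok) for tok in CLI_CONFIG_ALL)
    return verb_hit or config_hit


def selection_tools_img(event):
    ofn = event.get("OriginalFileName", "").lower()
    img = event.get("Image", "").lower()
    return ofn in ORIGINAL_FILENAMES or img.endswith(IMAGE_SUFFIXES)


def rule_matches(event):
    """condition: all of selection_*"""
    return (selection_services(event)
            and selection_tools_cli(event)
            and selection_tools_img(event))


# Hypothetical tuning: parents that legitimately stop services during upgrades.
# ParentImage is the Sysmon / Sigma process_creation field name (assumed available).
TRUSTED_PARENTS = ("\\msiexec.exe",)


def is_tolerated(event):
    return event.get("ParentImage", "").lower().endswith(TRUSTED_PARENTS)


def triage(events):
    """Return (alerts, suppressed): rule hits, split by the parent-process filter."""
    alerts, suppressed = [], []
    for ev in events:
        if not rule_matches(ev):
            continue
        (suppressed if is_tolerated(ev) else alerts).append(ev["id"])
    return alerts, suppressed


# Constructed sample events (not taken from the page or from real telemetry).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc.exe stop WinDefend"},
    {"id": 2, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net stop VSS /y"},
    {"id": 3, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc.exe config wbengine start=disabled"},
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoP -c Stop-Service -Name SAVService -Force"},
    {"id": 5, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "net stop Sophos"},          # upgrade-time stop under the installer
    {"id": 6, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc.exe query WinDefend"},   # no stop/delete/pause/config verb
    {"id": 7, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net stop Spooler"},         # service not in the list
]

if __name__ == "__main__":
    alerts, suppressed = triage(EVENTS)
    print("alerts:", alerts, "suppressed by parent filter:", suppressed)
```

Events 1 to 5 satisfy all three selections; event 5 is the upgrade scenario the LoFP note describes and is set aside by the parent filter rather than by removing `Sophos` from the list, so the detection keeps its coverage for the same command launched from an unexpected parent. Events 6 and 7 fail the `selection_tools_cli` and `selection_services` branches respectively and never reach the filter.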