Techniques
Sample rules
Suspicious Windows Service Tampering
- source: sigma
- techniques:
    - t1489
Description
Detects the use of binaries such as 'net', 'sc' or 'powershell' to stop, pause or delete critical or important Windows services, such as AV or backup services, as seen in some ransomware scripts.
Detection logic
condition: selection_services and (all of selection_net_* or all of selection_pwsh_* or all of selection_sc_*)
selection_net_cli:
    CommandLine|contains: ' stop '
selection_net_img:
    - OriginalFileName:
          - net.exe
          - net1.exe
    - Image|endswith:
          - \net.exe
          - \net1.exe
selection_pwsh_cli:
    CommandLine|contains:
        - 'Stop-Service '
        - 'Remove-Service '
selection_pwsh_img:
    - OriginalFileName:
          - PowerShell.EXE
          - pwsh.dll
    - Image|endswith:
          - \powershell.exe
          - \pwsh.exe
selection_sc_cli:
    CommandLine|contains:
        - ' stop '
        - ' delete '
        - ' pause '
selection_sc_img:
    - OriginalFileName: sc.exe
    - Image|endswith: \sc.exe
selection_services:
    CommandLine|contains:
        - 143Svc
        - Acronis VSS Provider
        - AcronisAgent
        - AcrSch2Svc
        - Antivirus
        - ARSM
        - aswBcc
        - Avast Business Console Client Antivirus Service
        - avast! Antivirus
        - AVG Antivirus
        - avgAdminClient
        - AvgAdminServer
        - AVP1
        - BackupExec
        - bedbg
        - BITS
        - BrokerInfrastructure
        - Client Agent 7.60
        - Core Browsing Protection
        - Core Mail Protection
        - Core Scanning Server
        - DCAgent
        - EhttpSr
        - ekrn
        - Enterprise Client Service
        - epag
        - EPIntegrationService
        - EPProtectedService
        - EPRedline
        - EPSecurityService
        - EPUpdateService
        - EraserSvc11710
        - EsgShKernel
        - ESHASRV
        - FA_Scheduler
        - FirebirdGuardianDefaultInstance
        - FirebirdServerDefaultInstance
        - HealthTLService
        - MSSQLFDLauncher$
        - hmpalertsvc
        - HMS
        - IISAdmin
        - IMANSVC
        - IMAP4Svc
        - KAVFS
        - KAVFSGT
        - kavfsslp
        - klbackupdisk
        - klbackupflt
        - klflt
        - klhk
        - KLIF
        - klim6
        - klkbdflt
        - klmouflt
        - klnagent
        - klpd
        - kltap
        - KSDE1.0.0
        - LogProcessorService
        - M8EndpointAgent
        - macmnsvc
        - masvc
        - MBAMService
        - MBCloudEA
        - MBEndpointAgent
        - McAfeeDLPAgentService
        - McAfeeEngineService
        - MCAFEEEVENTPARSERSRV
        - McAfeeFramework
        - MCAFEETOMCATSRV530
        - McShield
        - McTaskManager
        - mfefire
        - mfemms
        - mfevto
        - mfevtp
        - mfewc
        - MMS
        - mozyprobackup
        - MsDtsServer
        - MSExchange
        - msftesq1SPROO
        - msftesql$PROD
        - MSOLAP$SQL_2008
        - MSOLAP$SYSTEM_BGC
        - MSOLAP$TPS
        - MSOLAP$TPSAMA
        - MSOLAPSTPS
        - MSOLAPSTPSAMA
        - mssecflt
        - MSSQ!I.SPROFXENGAGEMEHT
        - MSSQ0SHAREPOINT
        - MSSQ0SOPHOS
        - MSSQL
        - MySQL
        - NanoServiceMain
        - NetMsmqActivator
        - ntrtscan
        - ofcservice
        - Online Protection System
        - OracleClientCache80
        - PandaAetherAgent
        - PccNTUpd
        - PDVFSService
        - POP3Svc
        - POVFSService
        - PSUAService
        - Quick Update Service
        - RepairService
        - ReportServer
        - ReportServer$
        - RESvc
        - RpcEptMapper
        - sacsvr
        - SamSs
        - SAVAdminService
        - SAVService
        - ScSecSvc
        - SDRSVC
        - sense
        - SentinelAgent
        - SentinelHelperService
        - SepMasterService
        - ShMonitor
        - Smcinst
        - SmcService
        - SMTPSvc
        - SNAC
        - SntpService
        - Sophos
        - SQ1SafeOLRService
        - SQL Backups
        - SQL Server
        - SQLAgent
        - SQLBrowser
        - SQLsafe
        - SQLSERVERAGENT
        - SQLTELEMETRY
        - SQLWriter
        - SSISTELEMETRY130
        - SstpSvc
        - svcGenericHost
        - swc_service
        - swi_filter
        - swi_service
        - swi_update
        - Symantec
        - Telemetryserver
        - ThreatLockerService
        - TMBMServer
        - TmCCSF
        - TmFilter
        - TMiCRCScanService
        - tmlisten
        - TMLWCSService
        - TmPfw
        - TmPreFilter
        - TmProxy
        - TMSmartRelayService
        - tmusa
        - Trend Micro Deep Security Manager
        - TrueKey
        - UI0Detect
        - UTODetect
        - Veeam
        - VeeamDeploySvc
        - Veritas System Recovery
        - VSApiNt
        - VSS
        - W3Svc
        - wbengine
        - WdNisSvc
        - WeanClOudSve
        - Weems JY
        - WinDefend
        - wozyprobackup
        - WRSVC
        - Zoolz 2 Service
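A small evaluator for this rule's matching logic, added here as an example and not Sigma's own code or a pySigma backend. It hard-codes the three tool selections and a subset of the selection_services list from the rule, models Sigma's default case-insensitive 'contains'/'endswith' matching plus the OR inside the list-of-maps selection_*_img blocks, and runs them over constructed process-creation events (the file paths and command lines are made up for the demonstration).

```python
# Subset of the rule's selection_services list; the full list is above.
SERVICES = ["WinDefend", "WdNisSvc", "Veeam", "MBAMService", "Sophos", "BITS"]

# Per tool: (OriginalFileName values, Image suffixes, CommandLine substrings).
TOOLS = {
    "net": (["net.exe", "net1.exe"], ["\\net.exe", "\\net1.exe"], [" stop "]),
    "pwsh": (["PowerShell.EXE", "pwsh.dll"], ["\\powershell.exe", "\\pwsh.exe"],
             ["Stop-Service ", "Remove-Service "]),
    "sc": (["sc.exe"], ["\\sc.exe"], [" stop ", " delete ", " pause "]),
}

def contains_any(value, needles):
    # Sigma 'contains': substring match, case-insensitive by default.
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)

def endswith_any(value, suffixes):
    # Sigma 'endswith', case-insensitive.
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def tool_matches(event, orig_names, suffixes, needles):
    # selection_*_img is a list of two maps, so OriginalFileName OR Image
    # may satisfy it; 'all of selection_<tool>_*' then needs _img AND _cli.
    img_ok = ((event.get("OriginalFileName") or "").lower()
              in [n.lower() for n in orig_names]
              or endswith_any(event.get("Image"), suffixes))
    return img_ok and contains_any(event.get("CommandLine"), needles)

def rule_matches(event):
    # condition: selection_services and (all of net_* or pwsh_* or sc_*)
    if not contains_any(event.get("CommandLine"), SERVICES):
        return False
    return any(tool_matches(event, *spec) for spec in TOOLS.values())

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc stop WinDefend"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -c Stop-Service -Name MBAMService -Force"},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net stop Spooler"},  # service not in the list
    {"Image": r"C:\Users\Public\x.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "x delete Veeam"},  # Image renamed; OriginalFileName hits
]

def evaluate(events=EVENTS):
    return [rule_matches(e) for e in events]
```

Short entries such as 'BITS', 'HMS' or 'MMS' are plain substrings, so any command line that contains them inside a longer word also satisfies selection_services; that is usually where tuning of this rule starts.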