rare false positives could occur since service termination could happen due to multiple reasons

Techniques

Sample rules

Important Windows Service Terminated Unexpectedly

source: sigma
technicques:

Description

Detects important or interesting Windows services that got terminated unexpectedly.

Detection logic

condition: all of selection_*
selection_eid:
  EventID: 7034
  Provider_Name: Service Control Manager
selection_name:
- param1|contains: Message Queuing
- Binary|contains:
  - 4d0053004d005100
  - 6d0073006d007100

Important Windows Service Terminated With Error

source: sigma
technicques:

Description

Detects important or interesting Windows services that got terminated for whatever reason

Detection logic

condition: all of selection_*
selection_eid:
  EventID: 7023
  Provider_Name: Service Control Manager
selection_name:
- param1|contains:
  - ' Antivirus'
  - ' Firewall'
  - Application Guard
  - BitLocker Drive Encryption Service
  - Encrypting File System
  - Microsoft Defender
  - Threat Protection
  - Windows Event Log
- Binary|contains:
  - 770069006e0064006500660065006e006400
  - 4500760065006e0074004c006f006700
  - 6d0070007300730076006300
  - 530065006e0073006500
  - '450046005300'
  - '420044004500530056004300'