Suspicious Windows Service Tampering

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems), frack113, X__Junior (Nextron Systems)
Source: upstream

Detects the use of binaries such as 'net', 'sc' or 'powershell' to stop, pause, disable or delete critical or important Windows services (AV, backup, etc.), as seen in some ransomware scripts.

MITRE ATT&CK coverage

Tactic | Technique
Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools
Impact | T1489 Service Stop

Event coverage

Provider | Event ID | Title
Sysmon | 1 | Process creation

Stages and Predicates

Stage 1: all of selection_tools_img

or:
Image|endswith: '\PowerShell_ISE.EXE'
Image|endswith: '\PsService.exe'
Image|endswith: '\PsService64.exe'
Image|endswith: '\net.exe'
Image|endswith: '\net1.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\sc.exe'
Image|endswith: '\wmic.exe'
OriginalFileName: PowerShell.EXE
OriginalFileName: PowerShell_ISE.EXE
OriginalFileName: net.exe
OriginalFileName: net1.exe
OriginalFileName: psservice.exe
OriginalFileName: pwsh.dll
OriginalFileName: sc.exe
OriginalFileName: wmic.exe

Stage 2: all of selection_tools_cli

or:
CommandLine|contains: config
CommandLine|contains: 'start=disabled'
CommandLine|contains: ' delete '
CommandLine|contains: ' pause '
CommandLine|contains: ' stop '
CommandLine|contains: '.delete()'
CommandLine|contains: 'Remove-Service '
CommandLine|contains: 'Stop-Service '

Stage 3: all of selection_services

or:
CommandLine|contains: 143Svc
CommandLine|contains: 'AHS Service'
CommandLine|contains: ARSM
CommandLine|contains: 'AVG Antivirus'
CommandLine|contains: AVP1
CommandLine|contains: AcrSch2Svc
CommandLine|contains: 'Acronis VSS Provider'
CommandLine|contains: AcronisAgent
CommandLine|contains: AdobeARMservice
CommandLine|contains: Antivirus
CommandLine|contains: Apache4
CommandLine|contains: AteraAgent
CommandLine|contains: 'Avast Business Console Client Antivirus Service'
CommandLine|contains: AvgAdminServer
CommandLine|contains: BITS
CommandLine|contains: BackupExec
CommandLine|contains: BrokerInfrastructure
CommandLine|contains: CASLicenceServer
CommandLine|contains: CASWebServer
CommandLine|contains: 'Client Agent 7.60'
CommandLine|contains: 'Core Browsing Protection'
CommandLine|contains: 'Core Mail Protection'
CommandLine|contains: 'Core Scanning Server'
CommandLine|contains: DCAgent
CommandLine|contains: EPIntegrationService
CommandLine|contains: EPProtectedService
CommandLine|contains: EPRedline
CommandLine|contains: EPSecurityService
CommandLine|contains: EPUpdateService
CommandLine|contains: ESHASRV
CommandLine|contains: EhttpSr
CommandLine|contains: 'Enterprise Client Service'
CommandLine|contains: EraserSvc11710
CommandLine|contains: EsgShKernel
CommandLine|contains: FA_Scheduler
CommandLine|contains: FirebirdGuardianDefaultInstance
CommandLine|contains: FirebirdServerDefaultInstance
CommandLine|contains: FontCache3.0.0.0
CommandLine|contains: HMS
CommandLine|contains: HealthTLService
CommandLine|contains: HostControllerService
CommandLine|contains: IAStorDataMgrSvc
CommandLine|contains: IBMHPS
CommandLine|contains: IISAdmin
CommandLine|contains: IMANSVC
CommandLine|contains: IMAP4Svc
CommandLine|contains: KAVFS
CommandLine|contains: KAVFSGT
CommandLine|contains: KLIF
CommandLine|contains: KSDE1.0.0
CommandLine|contains: KeyIso
CommandLine|contains: LogProcessorService
CommandLine|contains: M8EndpointAgent
CommandLine|contains: MBAMService
CommandLine|contains: MBCloudEA
CommandLine|contains: MBEndpointAgent
CommandLine|contains: MCAFEEEVENTPARSERSRV
CommandLine|contains: MCAFEETOMCATSRV530
CommandLine|contains: MMS
CommandLine|contains: MSComplianceAudit
CommandLine|contains: MSDTC
CommandLine|contains: MSExchange
CommandLine|contains: 'MSOLAP$SQL_2008'
CommandLine|contains: 'MSOLAP$SYSTEM_BGC'
CommandLine|contains: 'MSOLAP$TPS'
CommandLine|contains: 'MSOLAP$TPSAMA'
CommandLine|contains: MSOLAPSTPS
CommandLine|contains: MSOLAPSTPSAMA
CommandLine|contains: 'MSSQ!I.SPROFXENGAGEMEHT'
CommandLine|contains: MSSQ0SHAREPOINT
CommandLine|contains: MSSQ0SOPHOS
CommandLine|contains: MSSQL
CommandLine|contains: 'MSSQLFDLauncher$'
CommandLine|contains: McAfeeDLPAgentService
CommandLine|contains: McAfeeEngineService
CommandLine|contains: McAfeeFramework
CommandLine|contains: McShield
CommandLine|contains: McTaskManager
CommandLine|contains: MsDtsServer
CommandLine|contains: MySQL
CommandLine|contains: NanoServiceMain
CommandLine|contains: NetMsmqActivator
CommandLine|contains: NetPipeActivator
CommandLine|contains: NetTcpActivator
CommandLine|contains: NetTcpPortSharing
CommandLine|contains: 'Online Protection System'
CommandLine|contains: OracleClientCache80
CommandLine|contains: OracleDBConsole
CommandLine|contains: OracleMTSRecoveryService
CommandLine|contains: OracleOraDb11g_home1
CommandLine|contains: OracleService
CommandLine|contains: OracleVssWriter
CommandLine|contains: PDVFSService
CommandLine|contains: POP3Svc
CommandLine|contains: POVFSService
CommandLine|contains: PSUAService
CommandLine|contains: PandaAetherAgent
CommandLine|contains: PccNTUpd
CommandLine|contains: 'Quick Update Service'
CommandLine|contains: RESvc
CommandLine|contains: RepairService
CommandLine|contains: ReportServer
CommandLine|contains: 'ReportServer$'
CommandLine|contains: RpcEptMapper
CommandLine|contains: SAVAdminService
CommandLine|contains: SAVService
CommandLine|contains: SDRSVC
CommandLine|contains: SMTPSvc
CommandLine|contains: SNAC
CommandLine|contains: SQ1SafeOLRService
CommandLine|contains: 'SQL Backups'
CommandLine|contains: 'SQL Server'
CommandLine|contains: SQLANYs_Sage_FAS_Fixed_Assets
CommandLine|contains: SQLAgent
CommandLine|contains: SQLBrowser
CommandLine|contains: SQLSERVERAGENT
CommandLine|contains: SQLTELEMETRY
CommandLine|contains: SQLWriter
CommandLine|contains: SQLsafe
CommandLine|contains: SSISTELEMETRY130
CommandLine|contains: SamSs
CommandLine|contains: ScSecSvc
CommandLine|contains: SearchExchangeTracing
CommandLine|contains: SentinelAgent
CommandLine|contains: SentinelHelperService
CommandLine|contains: SepMasterService
CommandLine|contains: ShMonitor
CommandLine|contains: SmcService
CommandLine|contains: Smcinst
CommandLine|contains: SntpService
CommandLine|contains: Sophos
CommandLine|contains: SstpSvc
CommandLine|contains: Symantec
CommandLine|contains: TMBMServer
CommandLine|contains: TMLWCSService
CommandLine|contains: TMSmartRelayService
CommandLine|contains: TMiCRCScanService
CommandLine|contains: TeamViewer
CommandLine|contains: Telemetryserver
CommandLine|contains: ThreatLockerService
CommandLine|contains: TmCCSF
CommandLine|contains: TmFilter
CommandLine|contains: TmPfw
CommandLine|contains: TmPreFilter
CommandLine|contains: TmProxy
CommandLine|contains: Tomcat
CommandLine|contains: 'Trend Micro Deep Security Manager'
CommandLine|contains: TrueKey
CommandLine|contains: UFNet
CommandLine|contains: UI0Detect
CommandLine|contains: UTODetect
CommandLine|contains: UniFi
CommandLine|contains: VMTools
CommandLine|contains: VSApiNt
CommandLine|contains: VSS
CommandLine|contains: Veeam
CommandLine|contains: VeeamDeploySvc
CommandLine|contains: 'Veritas System Recovery'
CommandLine|contains: W3Svc
CommandLine|contains: WPFFontCache_v0400
CommandLine|contains: WRSVC
CommandLine|contains: WSearch
CommandLine|contains: WdNisSvc
CommandLine|contains: WeanClOudSve
CommandLine|contains: 'Weems JY'
CommandLine|contains: WinDefend
CommandLine|contains: 'Zoolz 2 Service'
CommandLine|contains: aswBcc
CommandLine|contains: 'avast! Antivirus'
CommandLine|contains: avgAdminClient
CommandLine|contains: bedbg
CommandLine|contains: dwmrcs
CommandLine|contains: ekrn
CommandLine|contains: epag
CommandLine|contains: hmpalertsvc
CommandLine|contains: hvdsvc
CommandLine|contains: ibmspsvc
CommandLine|contains: instance2
CommandLine|contains: kavfsslp
CommandLine|contains: klbackupdisk
CommandLine|contains: klbackupflt
CommandLine|contains: klflt
CommandLine|contains: klhk
CommandLine|contains: klim6
CommandLine|contains: klkbdflt
CommandLine|contains: klmouflt
CommandLine|contains: klnagent
CommandLine|contains: klpd
CommandLine|contains: kltap
CommandLine|contains: macmnsvc
CommandLine|contains: masvc
CommandLine|contains: mfefire
CommandLine|contains: mfemms
CommandLine|contains: mfevto
CommandLine|contains: mfevtp
CommandLine|contains: mfewc
CommandLine|contains: mozyprobackup
CommandLine|contains: mpssvc
CommandLine|contains: msftesq1SPROO
CommandLine|contains: 'msftesql$PROD'
CommandLine|contains: 'msftesql$SQLEXPRESS'
CommandLine|contains: mssecflt
CommandLine|contains: netprofm
CommandLine|contains: ntrtscan
CommandLine|contains: nvspwmi
CommandLine|contains: ofcservice
CommandLine|contains: osppsvc
CommandLine|contains: postgresql-x64-9.4
CommandLine|contains: sacsvr
CommandLine|contains: sense
CommandLine|contains: storflt
CommandLine|contains: svcGenericHost
CommandLine|contains: swc_service
CommandLine|contains: swi_filter
CommandLine|contains: swi_service
CommandLine|contains: swi_update
CommandLine|contains: sysmon
CommandLine|contains: tmlisten
CommandLine|contains: tmusa
CommandLine|contains: vds
CommandLine|contains: vmic
CommandLine|contains: vmvss
CommandLine|contains: wbengine
CommandLine|contains: wmms
CommandLine|contains: wozyprobackup
CommandLine|contains: wsbexchange
CommandLine|contains: wscsvc
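To show how the three stages combine into one alert, here is an added Python evaluator (not part of the rule or of this catalog) that applies the same predicates with Sigma's default case-insensitive `contains`/`endswith` semantics to constructed Sysmon Event ID 1 records; the service list is a short subset of the one above, and the events are made up for illustration.

```python
# Added example: evaluates this rule's three selections with Sigma's default
# case-insensitive string matching. All sample events below are constructed.
TOOL_IMAGES = ("\\powershell_ise.exe", "\\psservice.exe", "\\psservice64.exe",
               "\\net.exe", "\\net1.exe", "\\powershell.exe", "\\pwsh.exe",
               "\\sc.exe", "\\wmic.exe")
TOOL_ORIGINAL_NAMES = ("powershell.exe", "powershell_ise.exe", "net.exe",
                       "net1.exe", "psservice.exe", "pwsh.dll", "sc.exe", "wmic.exe")
# Note the surrounding spaces on ' delete ', ' pause ' and ' stop ': a bare
# "net stop" with nothing after it does not satisfy this selection.
TOOL_CLI = ("config", "start=disabled", " delete ", " pause ", " stop ",
            ".delete()", "remove-service ", "stop-service ")
# Subset of the rule's service names (the full rule carries far more).
SERVICES = ("windefend", "wdnissvc", "sense", "sophos", "symantec", "veeam",
            "vss", "wbengine", "mbamservice", "sentinelagent", "sysmon",
            "sqlwriter", "msexchange")

def lower(event, field):
    return str(event.get(field, "")).lower()

def selection_tools_img(event):
    image, original = lower(event, "Image"), lower(event, "OriginalFileName")
    return image.endswith(TOOL_IMAGES) or original in TOOL_ORIGINAL_NAMES

def selection_tools_cli(event):
    cmd = lower(event, "CommandLine")
    return any(tok in cmd for tok in TOOL_CLI)

def selection_services(event):
    cmd = lower(event, "CommandLine")
    return any(tok in cmd for tok in SERVICES)

def matches(event):
    """Rule condition: Sysmon EID 1 and all three selections true."""
    return (event.get("EventID") == 1 and selection_tools_img(event)
            and selection_tools_cli(event) and selection_services(event))

# Constructed Sysmon process-creation records: one hit, three misses.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe",
     "OriginalFileName": "sc.exe", "CommandLine": "sc.exe stop WinDefend"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe",
     "OriginalFileName": "sc.exe", "CommandLine": "sc.exe query WinDefend"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe",
     "OriginalFileName": "net.exe", "CommandLine": "net stop"},
    {"EventID": 1, "Image": "C:\\Program Files\\Vendor\\svc.exe",
     "OriginalFileName": "svc.exe", "CommandLine": "svc.exe stop Veeam"},
]

def alert_count(events=EVENTS):
    return sum(matches(e) for e in events)
```

The second and fourth events fail because only one or two selections hold (a query is not a stop; a vendor binary is not one of the listed tools), and the third shows the space-padding effect of the `' stop '` token.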

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
CommandLine | match
  • delete corpus 4 (sigma 4)
  • pause
  • stop corpus 3 (sigma 3)
  • .delete()
  • 143Svc
  • AHS Service
  • ARSM
  • AVG Antivirus
  • AVP1
  • AcrSch2Svc
  • Acronis VSS Provider
  • AcronisAgent
  • AdobeARMservice
  • Antivirus corpus 2 (sigma 2)
  • Apache4
  • AteraAgent
  • Avast Business Console Client Antivirus Service
  • AvgAdminServer
  • BITS
  • BackupExec
  • BrokerInfrastructure
  • CASLicenceServer
  • CASWebServer
  • Client Agent 7.60
  • Core Browsing Protection
  • Core Mail Protection
  • Core Scanning Server
  • DCAgent
  • EPIntegrationService
  • EPProtectedService
  • EPRedline
  • EPSecurityService
  • EPUpdateService
  • ESHASRV
  • EhttpSr
  • Enterprise Client Service
  • EraserSvc11710
  • EsgShKernel
  • FA_Scheduler
  • FirebirdGuardianDefaultInstance
  • FirebirdServerDefaultInstance
  • FontCache3.0.0.0
  • HMS
  • HealthTLService
  • HostControllerService
  • IAStorDataMgrSvc
  • IBMHPS
  • IISAdmin
  • IMANSVC
  • IMAP4Svc
  • KAVFS
  • KAVFSGT
  • KLIF
  • KSDE1.0.0
  • KeyIso
  • LogProcessorService
  • M8EndpointAgent
  • MBAMService
  • MBCloudEA
  • MBEndpointAgent
  • MCAFEEEVENTPARSERSRV
  • MCAFEETOMCATSRV530
  • MMS
  • MSComplianceAudit
  • MSDTC
  • MSExchange corpus 3 (sigma 3)
  • MSOLAP$SQL_2008
  • MSOLAP$SYSTEM_BGC
  • MSOLAP$TPS
  • MSOLAP$TPSAMA
  • MSOLAPSTPS
  • MSOLAPSTPSAMA
  • MSSQ!I.SPROFXENGAGEMEHT
  • MSSQ0SHAREPOINT
  • MSSQ0SOPHOS
  • MSSQL
  • MSSQLFDLauncher$
  • McAfeeDLPAgentService
  • McAfeeEngineService
  • McAfeeFramework
  • McShield
  • McTaskManager
  • MsDtsServer
  • MySQL
  • NanoServiceMain
  • NetMsmqActivator
  • NetPipeActivator
  • NetTcpActivator
  • NetTcpPortSharing
  • Online Protection System
  • OracleClientCache80
  • OracleDBConsole
  • OracleMTSRecoveryService
  • OracleOraDb11g_home1
  • OracleService
  • OracleVssWriter
  • PDVFSService
  • POP3Svc
  • POVFSService
  • PSUAService
  • PandaAetherAgent
  • PccNTUpd
  • Quick Update Service
  • RESvc
  • Remove-Service
  • RepairService
  • ReportServer
  • ReportServer$
  • RpcEptMapper
  • SAVAdminService
  • SAVService
  • SDRSVC
  • SMTPSvc
  • SNAC
  • SQ1SafeOLRService
  • SQL Backups
  • SQL Server
  • SQLANYs_Sage_FAS_Fixed_Assets
  • SQLAgent
  • SQLBrowser
  • SQLSERVERAGENT
  • SQLTELEMETRY
  • SQLWriter
  • SQLsafe
  • SSISTELEMETRY130
  • SamSs
  • ScSecSvc
  • SearchExchangeTracing
  • SentinelAgent
  • SentinelHelperService
  • SepMasterService
  • ShMonitor
  • SmcService
  • Smcinst
  • SntpService
  • Sophos
  • SstpSvc
  • Stop-Service corpus 2 (sigma 2)
  • Symantec
  • TMBMServer
  • TMLWCSService
  • TMSmartRelayService
  • TMiCRCScanService
  • TeamViewer
  • Telemetryserver
  • ThreatLockerService
  • TmCCSF
  • TmFilter
  • TmPfw
  • TmPreFilter
  • TmProxy
  • Tomcat
  • Trend Micro Deep Security Manager
  • TrueKey
  • UFNet
  • UI0Detect
  • UTODetect
  • UniFi
  • VMTools
  • VSApiNt
  • VSS
  • Veeam
  • VeeamDeploySvc
  • Veritas System Recovery
  • W3Svc
  • WPFFontCache_v0400
  • WRSVC
  • WSearch
  • WdNisSvc
  • WeanClOudSve
  • Weems JY
  • WinDefend corpus 2 (sigma 2)
  • Zoolz 2 Service
  • aswBcc
  • avast! Antivirus
  • avgAdminClient
  • bedbg
  • config corpus 8 (sigma 8)
  • dwmrcs
  • ekrn
  • epag
  • hmpalertsvc
  • hvdsvc
  • ibmspsvc
  • instance2
  • kavfsslp
  • klbackupdisk
  • klbackupflt
  • klflt
  • klhk
  • klim6
  • klkbdflt
  • klmouflt
  • klnagent
  • klpd
  • kltap
  • macmnsvc
  • masvc
  • mfefire
  • mfemms
  • mfevto
  • mfevtp
  • mfewc
  • mozyprobackup
  • mpssvc
  • msftesq1SPROO
  • msftesql$PROD
  • msftesql$SQLEXPRESS
  • mssecflt
  • netprofm
  • ntrtscan
  • nvspwmi
  • ofcservice
  • osppsvc
  • postgresql-x64-9.4
  • sacsvr
  • sense
  • start=disabled corpus 2 (sigma 2)
  • storflt
  • svcGenericHost
  • swc_service
  • swi_filter
  • swi_service
  • swi_update
  • sysmon corpus 2 (sigma 2)
  • tmlisten
  • tmusa
  • vds
  • vmic
  • vmvss
  • wbengine
  • wmms
  • wozyprobackup
  • wsbexchange
  • wscsvc
Image | ends_with
  • \PowerShell_ISE.EXE
  • \PsService.exe corpus 3 (sigma 3)
  • \PsService64.exe corpus 3 (sigma 3)
  • \net.exe corpus 27 (sigma 27)
  • \net1.exe corpus 25 (sigma 25)
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
  • \sc.exe corpus 17 (sigma 17)
  • \wmic.exe corpus 37 (sigma 37)
OriginalFileName | eq
  • PowerShell.EXE corpus 64 (sigma 60, splunk 4)
  • PowerShell_ISE.EXE corpus 6 (sigma 6)
  • net.exe corpus 16 (sigma 16)
  • net1.exe corpus 16 (sigma 16)
  • psservice.exe corpus 2 (sigma 2)
  • pwsh.dll corpus 72 (sigma 68, splunk 4)
  • sc.exe corpus 10 (sigma 10)
  • wmic.exe corpus 33 (sigma 33)