Suspicious Windows Service Tampering

Status: test
Severity: high
Author: Nasreddine Bencherchali (Nextron Systems), frack113, X__Junior (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts

MITRE ATT&CK coverage

Tactic             | Technique
-------------------|-------------------------------
Defense Impairment | T1685 Disable or Modify Tools
Impact             | T1489 Service Stop

Event coverage

Provider | Event      | Title
---------|------------|------------------
Sysmon   | Event ID 1 | Process creation

Rule body (YAML)

title: Suspicious Windows Service Tampering
id: ce72ef99-22f1-43d4-8695-419dcb5d9330
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
    - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
      type: obsolete
    - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
      type: obsolete
status: test
description: |
    Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
references:
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
    - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/delete-method-in-class-win32-service
author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems)
date: 2022-09-01
modified: 2025-08-27
tags:
    - attack.impact
    - attack.defense-impairment
    - attack.t1489
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_img:
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
              - 'PowerShell_ISE.EXE'
              - 'PowerShell.EXE'
              - 'psservice.exe'
              - 'pwsh.dll'
              - 'sc.exe'
              - 'wmic.exe'
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
              - '\PowerShell_ISE.EXE'
              - '\powershell.exe'
              - '\PsService.exe'
              - '\PsService64.exe'
              - '\pwsh.exe'
              - '\sc.exe'
              - '\wmic.exe' # wmic process call win32_service where name='servicename' delete
    selection_tools_cli:
        - CommandLine|contains:
              - ' delete '
              - '.delete()' # Get-WmiObject win32_service -Filter "name='$serviceName'" ).delete()
              - ' pause ' # Covers flags from: PsService and Sc.EXE
              - ' stop ' # Covers flags from: PsService.EXE, Net.EXE and Sc.EXE
              - 'Stop-Service '
              - 'Remove-Service '
        - CommandLine|contains|all:
              - 'config'
              - 'start=disabled'
    selection_services:
        CommandLine|contains:
            - '143Svc'
            - 'Acronis VSS Provider'
            - 'AcronisAgent'
            - 'AcrSch2Svc'
            - 'AdobeARMservice'
            - 'AHS Service'
            - 'Antivirus'
            - 'Apache4'
            - 'ARSM'
            - 'aswBcc'
            - 'AteraAgent'
            - 'Avast Business Console Client Antivirus Service'
            - 'avast! Antivirus'
            - 'AVG Antivirus'
            - 'avgAdminClient'
            - 'AvgAdminServer'
            - 'AVP1'
            - 'BackupExec'
            - 'bedbg'
            - 'BITS'
            - 'BrokerInfrastructure'
            - 'CASLicenceServer'
            - 'CASWebServer'
            - 'Client Agent 7.60'
            - 'Core Browsing Protection'
            - 'Core Mail Protection'
            - 'Core Scanning Server'
            - 'DCAgent'
            - 'dwmrcs'
            - 'EhttpSr'
            - 'ekrn'
            - 'Enterprise Client Service'
            - 'epag'
            - 'EPIntegrationService'
            - 'EPProtectedService'
            - 'EPRedline'
            - 'EPSecurityService'
            - 'EPUpdateService'
            - 'EraserSvc11710'
            - 'EsgShKernel'
            - 'ESHASRV'
            - 'FA_Scheduler'
            - 'FirebirdGuardianDefaultInstance'
            - 'FirebirdServerDefaultInstance'
            - 'FontCache3.0.0.0'
            - 'HealthTLService'
            - 'hmpalertsvc'
            - 'HMS'
            - 'HostControllerService'
            - 'hvdsvc'
            - 'IAStorDataMgrSvc'
            - 'IBMHPS'
            - 'ibmspsvc'
            - 'IISAdmin'
            - 'IMANSVC'
            - 'IMAP4Svc'
            - 'instance2'
            - 'KAVFS'
            - 'KAVFSGT'
            - 'kavfsslp'
            - 'KeyIso'
            - 'klbackupdisk'
            - 'klbackupflt'
            - 'klflt'
            - 'klhk'
            - 'KLIF'
            - 'klim6'
            - 'klkbdflt'
            - 'klmouflt'
            - 'klnagent'
            - 'klpd'
            - 'kltap'
            - 'KSDE1.0.0'
            - 'LogProcessorService'
            - 'M8EndpointAgent'
            - 'macmnsvc'
            - 'masvc'
            - 'MBAMService'
            - 'MBCloudEA'
            - 'MBEndpointAgent'
            - 'McAfeeDLPAgentService'
            - 'McAfeeEngineService'
            - 'MCAFEEEVENTPARSERSRV'
            - 'McAfeeFramework'
            - 'MCAFEETOMCATSRV530'
            - 'McShield'
            - 'McTaskManager'
            - 'mfefire'
            - 'mfemms'
            - 'mfevto'
            - 'mfevtp'
            - 'mfewc'
            - 'MMS'
            - 'mozyprobackup'
            - 'mpssvc'
            - 'MSComplianceAudit'
            - 'MSDTC'
            - 'MsDtsServer'
            - 'MSExchange'
            - 'msftesq1SPROO'
            - 'msftesql$PROD'
            - 'msftesql$SQLEXPRESS'
            - 'MSOLAP$SQL_2008'
            - 'MSOLAP$SYSTEM_BGC'
            - 'MSOLAP$TPS'
            - 'MSOLAP$TPSAMA'
            - 'MSOLAPSTPS'
            - 'MSOLAPSTPSAMA'
            - 'mssecflt'
            - 'MSSQ!I.SPROFXENGAGEMEHT'
            - 'MSSQ0SHAREPOINT'
            - 'MSSQ0SOPHOS'
            - 'MSSQL'
            - 'MSSQLFDLauncher$'
            - 'MySQL'
            - 'NanoServiceMain'
            - 'NetMsmqActivator'
            - 'NetPipeActivator'
            - 'netprofm'
            - 'NetTcpActivator'
            - 'NetTcpPortSharing'
            - 'ntrtscan'
            - 'nvspwmi'
            - 'ofcservice'
            - 'Online Protection System'
            - 'OracleClientCache80'
            - 'OracleDBConsole'
            - 'OracleMTSRecoveryService'
            - 'OracleOraDb11g_home1'
            - 'OracleService'
            - 'OracleVssWriter'
            - 'osppsvc'
            - 'PandaAetherAgent'
            - 'PccNTUpd'
            - 'PDVFSService'
            - 'POP3Svc'
            - 'postgresql-x64-9.4'
            - 'POVFSService'
            - 'PSUAService'
            - 'Quick Update Service'
            - 'RepairService'
            - 'ReportServer'
            - 'ReportServer$'
            - 'RESvc'
            - 'RpcEptMapper'
            - 'sacsvr'
            - 'SamSs'
            - 'SAVAdminService'
            - 'SAVService'
            - 'ScSecSvc'
            - 'SDRSVC'
            - 'SearchExchangeTracing'
            - 'sense'
            - 'SentinelAgent'
            - 'SentinelHelperService'
            - 'SepMasterService'
            - 'ShMonitor'
            - 'Smcinst'
            - 'SmcService'
            - 'SMTPSvc'
            - 'SNAC'
            - 'SntpService'
            - 'Sophos'
            - 'SQ1SafeOLRService'
            - 'SQL Backups'
            - 'SQL Server'
            - 'SQLAgent'
            - 'SQLANYs_Sage_FAS_Fixed_Assets'
            - 'SQLBrowser'
            - 'SQLsafe'
            - 'SQLSERVERAGENT'
            - 'SQLTELEMETRY'
            - 'SQLWriter'
            - 'SSISTELEMETRY130'
            - 'SstpSvc'
            - 'storflt'
            - 'svcGenericHost'
            - 'swc_service'
            - 'swi_filter'
            - 'swi_service'
            - 'swi_update'
            - 'Symantec'
            - 'sysmon'
            - 'TeamViewer'
            - 'Telemetryserver'
            - 'ThreatLockerService'
            - 'TMBMServer'
            - 'TmCCSF'
            - 'TmFilter'
            - 'TMiCRCScanService'
            - 'tmlisten'
            - 'TMLWCSService'
            - 'TmPfw'
            - 'TmPreFilter'
            - 'TmProxy'
            - 'TMSmartRelayService'
            - 'tmusa'
            - 'Tomcat'
            - 'Trend Micro Deep Security Manager'
            - 'TrueKey'
            - 'UFNet'
            - 'UI0Detect'
            - 'UniFi'
            - 'UTODetect'
            - 'vds'
            - 'Veeam'
            - 'VeeamDeploySvc'
            - 'Veritas System Recovery'
            - 'vmic'
            - 'VMTools'
            - 'vmvss'
            - 'VSApiNt'
            - 'VSS'
            - 'W3Svc'
            - 'wbengine'
            - 'WdNisSvc'
            - 'WeanClOudSve'
            - 'Weems JY'
            - 'WinDefend'
            - 'wmms'
            - 'wozyprobackup'
            - 'WPFFontCache_v0400'
            - 'WRSVC'
            - 'wsbexchange'
            - 'WSearch'
            - 'wscsvc'
            - 'Zoolz 2 Service'
    condition: all of selection_*
falsepositives:
    - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
level: high
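An added example, not from the SigmaHQ rule or this catalog page: a small Python evaluator that applies the rule's three selections, combined as `all of selection_*` and using Sigma's default case-insensitive string matching, to constructed Sysmon event ID 1 records. It uses only a subset of the service list, and the event labels and field values are constructed for illustration; it shows why both Image and OriginalFileName are checked, and that a benign admin change to an unlisted service (the case the falsepositives note covers) does not fire.

```python
# Added example, not part of the SigmaHQ rule or this catalog page: evaluates
# the three selections of "Suspicious Windows Service Tampering" over constructed
# Sysmon event ID 1 records. Sigma string matching is case-insensitive by
# default, which the helpers mirror. Only a subset of the service list is used.

TOOL_ORIGINAL_NAMES = {n.lower() for n in (
    "net.exe", "net1.exe", "PowerShell_ISE.EXE", "PowerShell.EXE",
    "psservice.exe", "pwsh.dll", "sc.exe", "wmic.exe")}
TOOL_IMAGE_SUFFIXES = tuple(s.lower() for s in (
    "\\net.exe", "\\net1.exe", "\\PowerShell_ISE.EXE", "\\powershell.exe",
    "\\PsService.exe", "\\PsService64.exe", "\\pwsh.exe", "\\sc.exe", "\\wmic.exe"))
CLI_VERBS = tuple(v.lower() for v in (
    " delete ", ".delete()", " pause ", " stop ", "Stop-Service ", "Remove-Service "))
CLI_DISABLE_ALL = ("config", "start=disabled")          # CommandLine|contains|all
SERVICE_SUBSET = tuple(s.lower() for s in (
    "WinDefend", "WdNisSvc", "Sophos", "Veeam", "VSS", "MSSQL", "sysmon", "mpssvc"))

def _lc(value):
    return (value or "").lower()

def selection_tools_img(ev):
    # Two list items under one selection are OR-ed: OriginalFileName equals one
    # of the names, or Image ends with one of the suffixes.
    name_hit = _lc(ev.get("OriginalFileName")) in TOOL_ORIGINAL_NAMES
    image = _lc(ev.get("Image"))
    return name_hit or any(image.endswith(s) for s in TOOL_IMAGE_SUFFIXES)

def selection_tools_cli(ev):
    cl = _lc(ev.get("CommandLine"))
    verb_hit = any(v in cl for v in CLI_VERBS)             # CommandLine|contains
    disable_hit = all(t in cl for t in CLI_DISABLE_ALL)     # both substrings required
    return verb_hit or disable_hit

def selection_services(ev):
    cl = _lc(ev.get("CommandLine"))
    return any(s in cl for s in SERVICE_SUBSET)

def rule_matches(ev):
    # condition: all of selection_*
    return selection_tools_img(ev) and selection_tools_cli(ev) and selection_services(ev)

# Constructed process-creation records (not real telemetry); labels are ours.
EVENTS = {
    "sc_stop_defender": {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
                         "CommandLine": "sc stop WinDefend"},
    "sc_disable_defender": {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
                            "CommandLine": "sc config WinDefend start=disabled"},
    "ps_stop_sophos": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "OriginalFileName": "PowerShell.EXE",
                       "CommandLine": 'powershell.exe -c "Stop-Service -Name Sophos -Force"'},
    # Renamed binary: the Image check misses, but PE OriginalFileName still says sc.exe.
    "renamed_sc": {"Image": r"C:\Temp\upd.exe", "OriginalFileName": "sc.exe",
                   "CommandLine": "upd.exe stop Veeam"},
    # Benign admin change on a service the rule does not list: no alert.
    "admin_spooler": {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
                      "CommandLine": "sc config Spooler start=disabled"},
    # Starting a listed service is not tampering: no verb in the CLI selection matches.
    "net_start_sysmon": {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
                         "CommandLine": "net start sysmon"},
    # Verb and service name present, but the process is not one of the listed tools.
    "notepad": {"Image": r"C:\Windows\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
                "CommandLine": "notepad.exe stop WinDefend.txt"},
}

def evaluate_all():
    """Map each constructed event label to whether the rule fires on it."""
    return {label: rule_matches(ev) for label, ev in EVENTS.items()}
```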

Stages and Predicates

Stage 0: condition

all of selection_*

Stage 1: selection_tools_img (as defined in the rule body above)

Stage 2: selection_tools_cli (as defined in the rule body above)

Stage 3: selection_services (as defined in the rule body above)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values

CommandLine (match)
  • delete corpus 5 (sigma 4, splunk 1)
  • pause
  • stop corpus 7 (sigma 5, splunk 2)
  • .delete() corpus 2 (sigma 2)
  • 143Svc
  • AHS Service
  • ARSM
  • AVG Antivirus
  • AVP1
  • AcrSch2Svc corpus 2 (sigma 2)
  • Acronis VSS Provider
  • AcronisAgent
  • AdobeARMservice
  • Antivirus corpus 2 (sigma 2)
  • Apache4
  • AteraAgent
  • Avast Business Console Client Antivirus Service
  • AvgAdminServer
  • BITS corpus 2 (sigma 2)
  • BackupExec
  • BrokerInfrastructure
  • CASLicenceServer
  • CASWebServer
  • Client Agent 7.60
  • Core Browsing Protection
  • Core Mail Protection
  • Core Scanning Server
  • DCAgent
  • EPIntegrationService
  • EPProtectedService
  • EPRedline
  • EPSecurityService
  • EPUpdateService
  • ESHASRV
  • EhttpSr
  • Enterprise Client Service
  • EraserSvc11710
  • EsgShKernel
  • FA_Scheduler
  • FirebirdGuardianDefaultInstance
  • FirebirdServerDefaultInstance
  • FontCache3.0.0.0
  • HMS
  • HealthTLService
  • HostControllerService
  • IAStorDataMgrSvc
  • IBMHPS
  • IISAdmin
  • IMANSVC
  • IMAP4Svc
  • KAVFS
  • KAVFSGT
  • KLIF
  • KSDE1.0.0
  • KeyIso
  • LogProcessorService
  • M8EndpointAgent
  • MBAMService
  • MBCloudEA
  • MBEndpointAgent
  • MCAFEEEVENTPARSERSRV
  • MCAFEETOMCATSRV530
  • MMS
  • MSComplianceAudit
  • MSDTC corpus 3 (sigma 3)
  • MSExchange corpus 4 (sigma 3, kusto 1)
  • MSOLAP$SQL_2008
  • MSOLAP$SYSTEM_BGC
  • MSOLAP$TPS
  • MSOLAP$TPSAMA
  • MSOLAPSTPS
  • MSOLAPSTPSAMA
  • MSSQ!I.SPROFXENGAGEMEHT
  • MSSQ0SHAREPOINT
  • MSSQ0SOPHOS
  • MSSQL
  • MSSQLFDLauncher$
  • McAfeeDLPAgentService
  • McAfeeEngineService
  • McAfeeFramework
  • McShield
  • McTaskManager
  • MsDtsServer
  • MySQL
  • NanoServiceMain
  • NetMsmqActivator
  • NetPipeActivator
  • NetTcpActivator
  • NetTcpPortSharing
  • Online Protection System
  • OracleClientCache80
  • OracleDBConsole
  • OracleMTSRecoveryService
  • OracleOraDb11g_home1
  • OracleService
  • OracleVssWriter
  • PDVFSService
  • POP3Svc
  • POVFSService
  • PSUAService
  • PandaAetherAgent
  • PccNTUpd
  • Quick Update Service
  • RESvc
  • Remove-Service
  • RepairService
  • ReportServer
  • ReportServer$
  • RpcEptMapper
  • SAVAdminService
  • SAVService
  • SDRSVC
  • SMTPSvc
  • SNAC
  • SQ1SafeOLRService
  • SQL Backups
  • SQL Server
  • SQLANYs_Sage_FAS_Fixed_Assets
  • SQLAgent
  • SQLBrowser
  • SQLSERVERAGENT
  • SQLTELEMETRY
  • SQLWriter
  • SQLsafe
  • SSISTELEMETRY130
  • SamSs corpus 2 (sigma 2)
  • ScSecSvc
  • SearchExchangeTracing
  • SentinelAgent
  • SentinelHelperService
  • SepMasterService
  • ShMonitor
  • SmcService
  • Smcinst
  • SntpService
  • Sophos
  • SstpSvc
  • Stop-Service corpus 4 (sigma 2, splunk 2)
  • Symantec
  • TMBMServer
  • TMLWCSService
  • TMSmartRelayService
  • TMiCRCScanService
  • TeamViewer
  • Telemetryserver
  • ThreatLockerService
  • TmCCSF
  • TmFilter
  • TmPfw
  • TmPreFilter
  • TmProxy
  • Tomcat
  • Trend Micro Deep Security Manager
  • TrueKey
  • UFNet
  • UI0Detect
  • UTODetect
  • UniFi
  • VMTools
  • VSApiNt
  • VSS corpus 2 (sigma 2)
  • Veeam
  • VeeamDeploySvc
  • Veritas System Recovery
  • W3Svc
  • WPFFontCache_v0400
  • WRSVC
  • WSearch
  • WdNisSvc
  • WeanClOudSve
  • Weems JY
  • WinDefend corpus 4 (sigma 3, kusto 1)
  • Zoolz 2 Service
  • aswBcc
  • avast! Antivirus
  • avgAdminClient
  • bedbg
  • config corpus 15 (sigma 14, splunk 1)
  • dwmrcs
  • ekrn
  • epag
  • hmpalertsvc
  • hvdsvc
  • ibmspsvc
  • instance2
  • kavfsslp
  • klbackupdisk
  • klbackupflt
  • klflt
  • klhk
  • klim6
  • klkbdflt
  • klmouflt
  • klnagent
  • klpd
  • kltap
  • macmnsvc
  • masvc
  • mfefire
  • mfemms
  • mfevto
  • mfevtp
  • mfewc
  • mozyprobackup
  • mpssvc corpus 2 (sigma 2)
  • msftesq1SPROO
  • msftesql$PROD
  • msftesql$SQLEXPRESS
  • mssecflt
  • netprofm
  • ntrtscan
  • nvspwmi
  • ofcservice
  • osppsvc
  • postgresql-x64-9.4
  • sacsvr
  • sense corpus 2 (sigma 2)
  • start=disabled corpus 2 (sigma 2)
  • storflt
  • svcGenericHost
  • swc_service
  • swi_filter
  • swi_service
  • swi_update
  • sysmon corpus 3 (sigma 3)
  • tmlisten
  • tmusa
  • vds
  • vmic
  • vmvss
  • wbengine
  • wmms
  • wozyprobackup
  • wsbexchange
  • wscsvc
Image (ends_with)
  • \PowerShell_ISE.EXE corpus 42 (sigma 42)
  • \PsService.exe corpus 4 (sigma 4)
  • \PsService64.exe corpus 4 (sigma 4)
  • \net.exe corpus 50 (sigma 50)
  • \net1.exe corpus 48 (sigma 48)
  • \powershell.exe corpus 186 (sigma 186)
  • \pwsh.exe corpus 172 (sigma 172)
  • \sc.exe corpus 30 (sigma 30)
  • \wmic.exe corpus 61 (sigma 61)
OriginalFileName (eq)
  • PowerShell.EXE corpus 121 (sigma 85, splunk 30, elastic 6)
  • PowerShell_ISE.EXE corpus 51 (splunk 30, sigma 18, elastic 3)
  • net.exe corpus 27 (sigma 19, elastic 6, splunk 2)
  • net1.exe corpus 43 (sigma 19, splunk 19, elastic 5)
  • psservice.exe corpus 3 (sigma 2, elastic 1)
  • pwsh.dll corpus 112 (sigma 79, splunk 30, elastic 3)
  • sc.exe corpus 26 (sigma 12, splunk 10, elastic 4)
  • wmic.exe corpus 61 (sigma 36, splunk 18, elastic 7)