Important Windows Service Terminated With Error

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects Event ID 7023 (a service terminated with an error) for important or security-relevant Windows services such as Defender, the firewall, BitLocker, EFS and the Event Log service, regardless of what caused the termination.

Event coverage

Provider | Event ID | Title
Service-Control-Manager | 7023 |

Stages and Predicates

Stage 1: all of selection_eid

Provider_Name: 'Service Control Manager'

Stage 2: all of selection_name

or:
Binary|contains: '420044004500530056004300'
Binary|contains: '450046005300'
Binary|contains: '4500760065006e0074004c006f006700'
Binary|contains: '530065006e0073006500'
Binary|contains: '6d0070007300730076006300'
Binary|contains: '770069006e0064006500660065006e006400'
param1|contains: ' Antivirus'
param1|contains: ' Firewall'
param1|contains: 'Application Guard'
param1|contains: 'BitLocker Drive Encryption Service'
param1|contains: 'Encrypting File System'
param1|contains: 'Microsoft Defender'
param1|contains: 'Threat Protection'
param1|contains: 'Windows Event Log'
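The following is an added reference implementation of the two stages above, written for this page and not the catalog's or the Sigma project's own code. It applies the stage 1 provider filter together with the Event ID 7023 from the event coverage table, OR-s the two stage 2 alternatives, decodes each Binary pattern (they are hex of UTF-16LE encoded short service names) and runs the logic over constructed Event ID 7023 records. Field names and pattern values are the page's; the sample events, the helper names and the Event ID check are assumptions made here.

```python
"""Reference implementation of the rule's two stages (added example, not the
catalog's or Sigma's own code). Field names and patterns come from the page;
the Event ID filter follows the page's event coverage table; the sample
events are constructed and are not real log data."""

PROVIDER = "Service Control Manager"
EVENT_ID = 7023  # from the event coverage table (assumed to be stage 1's EventID)

# Stage 2, alternative A: Binary|contains. Each value is the hex of a
# UTF-16LE encoded short service name; decode_binary_pattern() shows which.
BINARY_PATTERNS = [
    "420044004500530056004300",              # BDESVC
    "450046005300",                          # EFS
    "4500760065006e0074004c006f006700",      # EventLog
    "530065006e0073006500",                  # Sense
    "6d0070007300730076006300",              # mpssvc
    "770069006e0064006500660065006e006400",  # windefend
]

# Stage 2, alternative B: param1|contains (the service display name).
# Note the leading space on ' Antivirus' and ' Firewall'.
PARAM1_PATTERNS = [
    " Antivirus",
    " Firewall",
    "Application Guard",
    "BitLocker Drive Encryption Service",
    "Encrypting File System",
    "Microsoft Defender",
    "Threat Protection",
    "Windows Event Log",
]


def decode_binary_pattern(hex_str: str) -> str:
    """Decode one of the rule's hex patterns to the service name it spells."""
    return bytes.fromhex(hex_str).decode("utf-16-le")


def encode_service_name(name: str) -> str:
    """Inverse: the hex a Binary field carrying this UTF-16LE name contains."""
    return name.encode("utf-16-le").hex()


def sigma_contains(haystack, needle: str) -> bool:
    """Sigma's contains modifier: case-insensitive substring test."""
    return needle.lower() in str(haystack or "").lower()


def matches(event: dict) -> bool:
    """True when an event satisfies stage 1 AND stage 2 of the rule."""
    # Stage 1: all of selection_eid (Sigma string equality is case-insensitive)
    if str(event.get("Provider_Name", "")).lower() != PROVIDER.lower():
        return False
    if str(event.get("EventID")) != str(EVENT_ID):
        return False
    # Stage 2: the two selection_name alternatives are OR-ed
    if any(sigma_contains(event.get("Binary"), p) for p in BINARY_PATTERNS):
        return True
    return any(sigma_contains(event.get("param1"), p) for p in PARAM1_PATTERNS)


def alerts(events) -> list:
    """Return the display names (param1) of the events the rule fires on."""
    return [e.get("param1") for e in events if matches(e)]


# Constructed sample events (not real logs). The event XML renders Binary as
# upper-case hex; sigma_contains() compares case-insensitively.
SAMPLE_EVENTS = [
    {"Provider_Name": "Service Control Manager", "EventID": 7023,
     "param1": "BitLocker Drive Encryption Service",
     "Binary": encode_service_name("BDESVC").upper()},       # both alternatives hit
    {"Provider_Name": "Service Control Manager", "EventID": 7023,
     "param1": "Windows Defender Firewall",
     "Binary": encode_service_name("mpssvc").upper()},       # both alternatives hit
    {"Provider_Name": "Service Control Manager", "EventID": 7023,
     "param1": "Microsoft Defender Antivirus Service",
     # 'WinDefend' encodes to 5700..., not the rule's lower-case 7700...:
     # only the param1 alternative catches this one.
     "Binary": encode_service_name("WinDefend").upper()},
    {"Provider_Name": "Service Control Manager", "EventID": 7023,
     "param1": "Print Spooler",
     "Binary": encode_service_name("Spooler").upper()},      # benign, no hit
    {"Provider_Name": "Service Control Manager", "EventID": 7036,
     "param1": "Windows Event Log",
     "Binary": encode_service_name("EventLog").upper()},     # wrong Event ID, stage 1 fails
]

if __name__ == "__main__":
    for p in BINARY_PATTERNS:
        print(f"{p} -> {decode_binary_pattern(p)}")
    print("alerts:", alerts(SAMPLE_EVENTS))
```

Two caveats the third sample event is there to show: Sigma's contains is case-insensitive on the hex digits (so 6E and 6e both match), but letter case in the underlying service name changes the bytes (W is 0x57, w is 0x77), so the Binary patterns are effectively case-sensitive on the decoded name and the param1 alternative is what provides tolerance; and a plain substring test on a hex string does not check byte alignment, so a short pattern could in principle match at an odd nibble offset.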

Indicators

Each row is a field, the kind of match, and the values the rule matches on it. The corpus count shown after a value says how many other rules in the catalog look for the same field and value combination: high numbers point to widely used, community-vetted indicators; a blank or 1 means the indicator is specific to this rule.

Field | Kind | Values
Binary | match (hex of a UTF-16LE service name, decoded in parentheses)
  • 420044004500530056004300 (BDESVC)
  • 450046005300 (EFS)
  • 4500760065006e0074004c006f006700 (EventLog)
  • 530065006e0073006500 (Sense)
  • 6d0070007300730076006300 (mpssvc)
  • 770069006e0064006500660065006e006400 (windefend)
Provider_Name | eq
  • Service Control Manager corpus 43 (sigma 43)
param1 | match (note the leading space on the first two values)
  • ' Antivirus'
  • ' Firewall'
  • Application Guard
  • BitLocker Drive Encryption Service
  • Encrypting File System
  • Microsoft Defender
  • Threat Protection
  • Windows Event Log