Clop Ransomware Known Service Name
The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific service names ("SecurityCenterIBM", "WinCheckDRVs"). This activity is significant because the creation of such services is a common tactic used by ransomware to maintain control over infected systems. If confirmed malicious, this could allow attackers to execute code with elevated privileges, maintain persistence, and potentially disrupt or encrypt critical data.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1543 Create or Modify System Process |
| Privilege Escalation | T1543 Create or Modify System Process |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Service-Control-Manager | 7045 | |
Stages and Predicates
Stage 1: search
search EventCode=7045 ServiceName IN ("SecurityCenterIBM", "WinCheckDRVs")
Stage 2: stats
stats BY Computer, EventCode, ServiceName, StartType, ServiceType
Stage 3: rename
rename
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
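The search and stats stages above, replayed outside Splunk as an added example (not the catalog's or the rule author's code): constructed key=value System-log records are parsed, filtered with the same EventCode and ServiceName predicates (case-insensitive, as Splunk compares field values), and counted per the rule's BY fields. The sample events and the `parse_event`/`run_rule` helpers are assumptions made for this illustration.

```python
import shlex
from collections import Counter

# Service names the rule matches; compared case-insensitively like a Splunk field search.
CLOP_SERVICE_NAMES = {"securitycenteribm", "wincheckdrvs"}

# Constructed sample events (not real telemetry): three match, one is a benign 7045,
# one is a different event ID carrying a matching name and must be ignored.
SAMPLE_EVENTS = [
    'EventCode=7045 Computer=WS01 ServiceName=SecurityCenterIBM StartType="auto start" ServiceType="user mode service"',
    'EventCode=7045 Computer=WS02 ServiceName=wincheckdrvs StartType="auto start" ServiceType="user mode service"',
    'EventCode=7045 Computer=WS01 ServiceName=SecurityCenterIBM StartType="auto start" ServiceType="user mode service"',
    'EventCode=7045 Computer=WS03 ServiceName=Spooler StartType="auto start" ServiceType="user mode service"',
    'EventCode=7036 Computer=WS01 ServiceName=SecurityCenterIBM State=running',
]

# Stage 2 groups on exactly these fields.
STATS_KEYS = ("Computer", "EventCode", "ServiceName", "StartType", "ServiceType")


def parse_event(line):
    """Split a key=value event line into a dict; quoted values keep their spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def stage_search(events):
    """Stage 1: EventCode=7045 ServiceName IN ("SecurityCenterIBM", "WinCheckDRVs")."""
    return [e for e in events
            if e.get("EventCode") == "7045"
            and e.get("ServiceName", "").lower() in CLOP_SERVICE_NAMES]


def stage_stats(matches):
    """Stage 2: count per distinct combination of the BY fields (values kept as logged)."""
    return Counter(tuple(e.get(k, "") for k in STATS_KEYS) for e in matches)


def run_rule(lines):
    """Run both stages over raw lines and return {by-field tuple: count}."""
    return stage_stats(stage_search(parse_event(line) for line in lines))


if __name__ == "__main__":
    for key, count in run_rule(SAMPLE_EVENTS).items():
        print(dict(zip(STATS_KEYS, key)), "count:", count)
```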
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 7045 |
| ServiceName | in | SecurityCenterIBM, WinCheckDRVs |
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Invoke-Obfuscation Obfuscated IEX Invocation - System (drops 2 filters this rule applies)
- Malicious Powershell Executed As A Service (drops 1 filter this rule applies)
- Randomly Generated Windows Service Name (drops 1 filter this rule applies)
- Windows Service Created with Suspicious Service Name (drops 1 filter this rule applies)