Event ID 7036 — The Microsoft Software Shadow Copy Provider service entered the stopped state.
Fields

| Name | Description |
|---|---|
| param1 (UnicodeString) | — |
| param2 (UnicodeString) | — |
| Binary | — |
Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7036,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2022-04-07T17:43:20.414968+00:00",
    "event_record_id": 1330,
    "correlation": {},
    "execution": {
      "process_id": 648,
      "thread_id": 2116
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Portable Device Enumerator Service",
    "param2": "stopped",
    "Binary": "57005000440042007500730045006E0075006D002F0031000000"
  },
  "message": ""
}
Detection Rules
Sigma

- Windows Defender Threat Detection Service Disabled (level: medium): Detects when the "Windows Defender Threat Protection" service is disabled.
Splunk

- First Time Seen Running Windows Service: The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the "running" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats.
- Windows Cisco Secure Endpoint Related Service Stopped: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss.
- Windows Security And Backup Services Stop: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss.
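The following is an added example, not code from this page or from the Splunk or Sigma rules it lists. It decodes the Binary field of a 7036 event (UTF-16LE text of the form `<service short name>/<state code>`, so the sample value above reads "WPDBusEnum/1") and then applies the "watched service stopped" logic the Splunk rules describe; the watch-list, the assumption that the state code follows the Win32 SERVICE_* constants, and the second sample event are constructed for illustration.

```python
# Constructed watch-list of service display names; the Splunk rules above
# carry their own lists, this one only illustrates the logic.
WATCHED_SERVICES = {
    "Volume Shadow Copy",
    "Microsoft Software Shadow Copy Provider",
    "Windows Defender Antivirus Service",
}
# Trailing number of the Binary field, assumed to follow the Win32 SERVICE_*
# status constants (1 = SERVICE_STOPPED, 4 = SERVICE_RUNNING); the page's
# sample pairs "/1" with param2 = "stopped", which agrees with that.
STATE_CODES = {1: "stopped", 4: "running"}

def decode_binary(hex_blob):
    """Decode the UTF-16LE Binary field into (service short name, state code)."""
    text = bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")
    short_name, _, code = text.rpartition("/")
    return short_name, int(code)

def evaluate(event):
    """Return a finding dict for a suspicious 7036 event, or None."""
    if event["system"]["event_id"] != 7036:
        return None
    data = event["event_data"]
    short_name, code = decode_binary(data["Binary"])
    finding = {"host": event["system"]["computer"],
               "service": data["param1"], "short_name": short_name}
    # A state code that disagrees with param2 deserves a look on its own.
    if STATE_CODES.get(code) != data["param2"]:
        return dict(finding, reason="param2/Binary state mismatch")
    if data["param2"] == "stopped" and data["param1"] in WATCHED_SERVICES:
        return dict(finding, reason="watched service stopped")
    return None

# Constructed sample events in the layout of the example above; the first
# reuses the page's Binary value, the second encodes "VSS/1".
SAMPLE_EVENTS = [
    {"system": {"event_id": 7036, "computer": "WIN-FPV0DSIC9O6.lab.local"},
     "event_data": {"param1": "Portable Device Enumerator Service",
                    "param2": "stopped",
                    "Binary": "57005000440042007500730045006E0075006D002F0031000000"}},
    {"system": {"event_id": 7036, "computer": "WIN-FPV0DSIC9O6.lab.local"},
     "event_data": {"param1": "Volume Shadow Copy", "param2": "stopped",
                    "Binary": "5600530053002F0031000000"}},
]

def findings(events=SAMPLE_EVENTS):
    """Run every event through evaluate() and keep the findings."""
    return [f for f in map(evaluate, events) if f]
```

Only the second sample produces a finding; the Portable Device Enumerator stop is benign under this watch-list even though it is the same event ID.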
References
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc756308(v=ws.10)
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx