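# CrowdSec scenario converted from the SigmaHQ rule
# proc_creation_win_susp_service_tamper (MITRE ATT&CK T1489, Service Stop).
#
# Fires on a Sysmon process-creation event (EventID 1) where a service-management
# binary (net/net1, sc, PsService, powershell/pwsh) is invoked with a
# stop/pause/delete/disable verb AND the command line names one of the security,
# backup, database or infrastructure services listed in the filter.
#
# Review notes on the detection logic (see the filter below):
#   * expr's `contains` / `endsWith` are case-sensitive, whereas the upstream Sigma
#     rule matches case-insensitively. Verb and image-path variants that differ only
#     in case (e.g. an Image path ending in `\NET.EXE`) are NOT caught by this
#     conversion; normalise the fields in the parser if that coverage is wanted.
#   * Several service-name literals (e.g. 'msftesq1SPROO', 'MSSQ!I.SPROFXENGAGEMEHT',
#     'MSSQ0SHAREPOINT', 'WeanClOudSve', 'Weems JY', 'wozyprobackup') look garbled.
#     They are kept verbatim because they come from the upstream rule; changing them
#     would alter what the scenario matches.
#   * Short or generic literals such as 'BITS', 'MMS', 'VSS', 'vds', 'sense', 'MSSQL'
#     or 'Tomcat' are plain substring matches and can fire on legitimate
#     administration of unrelated services. Tune with a local whitelist rather than
#     by editing the list in place.
#   * The filter was reflowed onto one clause per line for readability (expr treats
#     newlines between tokens as whitespace) and the `config` + `start=disabled`
#     pair is now explicitly parenthesised; `&&` already binds tighter than `||`, so
#     the evaluated logic is unchanged.

# trigger: a single matching event raises the alert (no bucket capacity / leak).
type: trigger
name: sigmahq/proc_creation_win_susp_service_tamper
description: |
  Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
# Three AND-ed groups: (1) the event source, (2) the process image / original
# file name, (3) the service-control verb, (4) the targeted service name.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1')
  && (
    (
      evt.Parsed.OriginalFileName in ['net.exe', 'net1.exe', 'PowerShell.EXE', 'psservice.exe', 'pwsh.dll', 'sc.exe']
      || evt.Parsed.Image endsWith '\\net.exe'
      || evt.Parsed.Image endsWith '\\net1.exe'
      || evt.Parsed.Image endsWith '\\powershell.exe'
      || evt.Parsed.Image endsWith '\\PsService.exe'
      || evt.Parsed.Image endsWith '\\PsService64.exe'
      || evt.Parsed.Image endsWith '\\pwsh.exe'
      || evt.Parsed.Image endsWith '\\sc.exe'
    )
    && (
      evt.Parsed.CommandLine contains ' delete '
      || evt.Parsed.CommandLine contains ' pause '
      || evt.Parsed.CommandLine contains ' stop '
      || evt.Parsed.CommandLine contains 'Stop-Service '
      || evt.Parsed.CommandLine contains 'Remove-Service '
      || (evt.Parsed.CommandLine contains 'config' && evt.Parsed.CommandLine contains 'start=disabled')
    )
    && (
      evt.Parsed.CommandLine contains '143Svc'
      || evt.Parsed.CommandLine contains 'Acronis VSS Provider'
      || evt.Parsed.CommandLine contains 'AcronisAgent'
      || evt.Parsed.CommandLine contains 'AcrSch2Svc'
      || evt.Parsed.CommandLine contains 'AdobeARMservice'
      || evt.Parsed.CommandLine contains 'AHS Service'
      || evt.Parsed.CommandLine contains 'Antivirus'
      || evt.Parsed.CommandLine contains 'Apache4'
      || evt.Parsed.CommandLine contains 'ARSM'
      || evt.Parsed.CommandLine contains 'aswBcc'
      || evt.Parsed.CommandLine contains 'AteraAgent'
      || evt.Parsed.CommandLine contains 'Avast Business Console Client Antivirus Service'
      || evt.Parsed.CommandLine contains 'avast! Antivirus'
      || evt.Parsed.CommandLine contains 'AVG Antivirus'
      || evt.Parsed.CommandLine contains 'avgAdminClient'
      || evt.Parsed.CommandLine contains 'AvgAdminServer'
      || evt.Parsed.CommandLine contains 'AVP1'
      || evt.Parsed.CommandLine contains 'BackupExec'
      || evt.Parsed.CommandLine contains 'bedbg'
      || evt.Parsed.CommandLine contains 'BITS'
      || evt.Parsed.CommandLine contains 'BrokerInfrastructure'
      || evt.Parsed.CommandLine contains 'CASLicenceServer'
      || evt.Parsed.CommandLine contains 'CASWebServer'
      || evt.Parsed.CommandLine contains 'Client Agent 7.60'
      || evt.Parsed.CommandLine contains 'Core Browsing Protection'
      || evt.Parsed.CommandLine contains 'Core Mail Protection'
      || evt.Parsed.CommandLine contains 'Core Scanning Server'
      || evt.Parsed.CommandLine contains 'DCAgent'
      || evt.Parsed.CommandLine contains 'dwmrcs'
      || evt.Parsed.CommandLine contains 'EhttpSr'
      || evt.Parsed.CommandLine contains 'ekrn'
      || evt.Parsed.CommandLine contains 'Enterprise Client Service'
      || evt.Parsed.CommandLine contains 'epag'
      || evt.Parsed.CommandLine contains 'EPIntegrationService'
      || evt.Parsed.CommandLine contains 'EPProtectedService'
      || evt.Parsed.CommandLine contains 'EPRedline'
      || evt.Parsed.CommandLine contains 'EPSecurityService'
      || evt.Parsed.CommandLine contains 'EPUpdateService'
      || evt.Parsed.CommandLine contains 'EraserSvc11710'
      || evt.Parsed.CommandLine contains 'EsgShKernel'
      || evt.Parsed.CommandLine contains 'ESHASRV'
      || evt.Parsed.CommandLine contains 'FA_Scheduler'
      || evt.Parsed.CommandLine contains 'FirebirdGuardianDefaultInstance'
      || evt.Parsed.CommandLine contains 'FirebirdServerDefaultInstance'
      || evt.Parsed.CommandLine contains 'FontCache3.0.0.0'
      || evt.Parsed.CommandLine contains 'HealthTLService'
      || evt.Parsed.CommandLine contains 'hmpalertsvc'
      || evt.Parsed.CommandLine contains 'HMS'
      || evt.Parsed.CommandLine contains 'HostControllerService'
      || evt.Parsed.CommandLine contains 'hvdsvc'
      || evt.Parsed.CommandLine contains 'IAStorDataMgrSvc'
      || evt.Parsed.CommandLine contains 'IBMHPS'
      || evt.Parsed.CommandLine contains 'ibmspsvc'
      || evt.Parsed.CommandLine contains 'IISAdmin'
      || evt.Parsed.CommandLine contains 'IMANSVC'
      || evt.Parsed.CommandLine contains 'IMAP4Svc'
      || evt.Parsed.CommandLine contains 'instance2'
      || evt.Parsed.CommandLine contains 'KAVFS'
      || evt.Parsed.CommandLine contains 'KAVFSGT'
      || evt.Parsed.CommandLine contains 'kavfsslp'
      || evt.Parsed.CommandLine contains 'KeyIso'
      || evt.Parsed.CommandLine contains 'klbackupdisk'
      || evt.Parsed.CommandLine contains 'klbackupflt'
      || evt.Parsed.CommandLine contains 'klflt'
      || evt.Parsed.CommandLine contains 'klhk'
      || evt.Parsed.CommandLine contains 'KLIF'
      || evt.Parsed.CommandLine contains 'klim6'
      || evt.Parsed.CommandLine contains 'klkbdflt'
      || evt.Parsed.CommandLine contains 'klmouflt'
      || evt.Parsed.CommandLine contains 'klnagent'
      || evt.Parsed.CommandLine contains 'klpd'
      || evt.Parsed.CommandLine contains 'kltap'
      || evt.Parsed.CommandLine contains 'KSDE1.0.0'
      || evt.Parsed.CommandLine contains 'LogProcessorService'
      || evt.Parsed.CommandLine contains 'M8EndpointAgent'
      || evt.Parsed.CommandLine contains 'macmnsvc'
      || evt.Parsed.CommandLine contains 'masvc'
      || evt.Parsed.CommandLine contains 'MBAMService'
      || evt.Parsed.CommandLine contains 'MBCloudEA'
      || evt.Parsed.CommandLine contains 'MBEndpointAgent'
      || evt.Parsed.CommandLine contains 'McAfeeDLPAgentService'
      || evt.Parsed.CommandLine contains 'McAfeeEngineService'
      || evt.Parsed.CommandLine contains 'MCAFEEEVENTPARSERSRV'
      || evt.Parsed.CommandLine contains 'McAfeeFramework'
      || evt.Parsed.CommandLine contains 'MCAFEETOMCATSRV530'
      || evt.Parsed.CommandLine contains 'McShield'
      || evt.Parsed.CommandLine contains 'McTaskManager'
      || evt.Parsed.CommandLine contains 'mfefire'
      || evt.Parsed.CommandLine contains 'mfemms'
      || evt.Parsed.CommandLine contains 'mfevto'
      || evt.Parsed.CommandLine contains 'mfevtp'
      || evt.Parsed.CommandLine contains 'mfewc'
      || evt.Parsed.CommandLine contains 'MMS'
      || evt.Parsed.CommandLine contains 'mozyprobackup'
      || evt.Parsed.CommandLine contains 'MSComplianceAudit'
      || evt.Parsed.CommandLine contains 'MSDTC'
      || evt.Parsed.CommandLine contains 'MsDtsServer'
      || evt.Parsed.CommandLine contains 'MSExchange'
      || evt.Parsed.CommandLine contains 'msftesq1SPROO'
      || evt.Parsed.CommandLine contains 'msftesql$PROD'
      || evt.Parsed.CommandLine contains 'msftesql$SQLEXPRESS'
      || evt.Parsed.CommandLine contains 'MSOLAP$SQL_2008'
      || evt.Parsed.CommandLine contains 'MSOLAP$SYSTEM_BGC'
      || evt.Parsed.CommandLine contains 'MSOLAP$TPS'
      || evt.Parsed.CommandLine contains 'MSOLAP$TPSAMA'
      || evt.Parsed.CommandLine contains 'MSOLAPSTPS'
      || evt.Parsed.CommandLine contains 'MSOLAPSTPSAMA'
      || evt.Parsed.CommandLine contains 'mssecflt'
      || evt.Parsed.CommandLine contains 'MSSQ!I.SPROFXENGAGEMEHT'
      || evt.Parsed.CommandLine contains 'MSSQ0SHAREPOINT'
      || evt.Parsed.CommandLine contains 'MSSQ0SOPHOS'
      || evt.Parsed.CommandLine contains 'MSSQL'
      || evt.Parsed.CommandLine contains 'MSSQLFDLauncher$'
      || evt.Parsed.CommandLine contains 'MySQL'
      || evt.Parsed.CommandLine contains 'NanoServiceMain'
      || evt.Parsed.CommandLine contains 'NetMsmqActivator'
      || evt.Parsed.CommandLine contains 'NetPipeActivator'
      || evt.Parsed.CommandLine contains 'netprofm'
      || evt.Parsed.CommandLine contains 'NetTcpActivator'
      || evt.Parsed.CommandLine contains 'NetTcpPortSharing'
      || evt.Parsed.CommandLine contains 'ntrtscan'
      || evt.Parsed.CommandLine contains 'nvspwmi'
      || evt.Parsed.CommandLine contains 'ofcservice'
      || evt.Parsed.CommandLine contains 'Online Protection System'
      || evt.Parsed.CommandLine contains 'OracleClientCache80'
      || evt.Parsed.CommandLine contains 'OracleDBConsole'
      || evt.Parsed.CommandLine contains 'OracleMTSRecoveryService'
      || evt.Parsed.CommandLine contains 'OracleOraDb11g_home1'
      || evt.Parsed.CommandLine contains 'OracleService'
      || evt.Parsed.CommandLine contains 'OracleVssWriter'
      || evt.Parsed.CommandLine contains 'osppsvc'
      || evt.Parsed.CommandLine contains 'PandaAetherAgent'
      || evt.Parsed.CommandLine contains 'PccNTUpd'
      || evt.Parsed.CommandLine contains 'PDVFSService'
      || evt.Parsed.CommandLine contains 'POP3Svc'
      || evt.Parsed.CommandLine contains 'postgresql-x64-9.4'
      || evt.Parsed.CommandLine contains 'POVFSService'
      || evt.Parsed.CommandLine contains 'PSUAService'
      || evt.Parsed.CommandLine contains 'Quick Update Service'
      || evt.Parsed.CommandLine contains 'RepairService'
      || evt.Parsed.CommandLine contains 'ReportServer'
      || evt.Parsed.CommandLine contains 'ReportServer$'
      || evt.Parsed.CommandLine contains 'RESvc'
      || evt.Parsed.CommandLine contains 'RpcEptMapper'
      || evt.Parsed.CommandLine contains 'sacsvr'
      || evt.Parsed.CommandLine contains 'SamSs'
      || evt.Parsed.CommandLine contains 'SAVAdminService'
      || evt.Parsed.CommandLine contains 'SAVService'
      || evt.Parsed.CommandLine contains 'ScSecSvc'
      || evt.Parsed.CommandLine contains 'SDRSVC'
      || evt.Parsed.CommandLine contains 'SearchExchangeTracing'
      || evt.Parsed.CommandLine contains 'sense'
      || evt.Parsed.CommandLine contains 'SentinelAgent'
      || evt.Parsed.CommandLine contains 'SentinelHelperService'
      || evt.Parsed.CommandLine contains 'SepMasterService'
      || evt.Parsed.CommandLine contains 'ShMonitor'
      || evt.Parsed.CommandLine contains 'Smcinst'
      || evt.Parsed.CommandLine contains 'SmcService'
      || evt.Parsed.CommandLine contains 'SMTPSvc'
      || evt.Parsed.CommandLine contains 'SNAC'
      || evt.Parsed.CommandLine contains 'SntpService'
      || evt.Parsed.CommandLine contains 'Sophos'
      || evt.Parsed.CommandLine contains 'SQ1SafeOLRService'
      || evt.Parsed.CommandLine contains 'SQL Backups'
      || evt.Parsed.CommandLine contains 'SQL Server'
      || evt.Parsed.CommandLine contains 'SQLAgent'
      || evt.Parsed.CommandLine contains 'SQLANYs_Sage_FAS_Fixed_Assets'
      || evt.Parsed.CommandLine contains 'SQLBrowser'
      || evt.Parsed.CommandLine contains 'SQLsafe'
      || evt.Parsed.CommandLine contains 'SQLSERVERAGENT'
      || evt.Parsed.CommandLine contains 'SQLTELEMETRY'
      || evt.Parsed.CommandLine contains 'SQLWriter'
      || evt.Parsed.CommandLine contains 'SSISTELEMETRY130'
      || evt.Parsed.CommandLine contains 'SstpSvc'
      || evt.Parsed.CommandLine contains 'storflt'
      || evt.Parsed.CommandLine contains 'svcGenericHost'
      || evt.Parsed.CommandLine contains 'swc_service'
      || evt.Parsed.CommandLine contains 'swi_filter'
      || evt.Parsed.CommandLine contains 'swi_service'
      || evt.Parsed.CommandLine contains 'swi_update'
      || evt.Parsed.CommandLine contains 'Symantec'
      || evt.Parsed.CommandLine contains 'TeamViewer'
      || evt.Parsed.CommandLine contains 'Telemetryserver'
      || evt.Parsed.CommandLine contains 'ThreatLockerService'
      || evt.Parsed.CommandLine contains 'TMBMServer'
      || evt.Parsed.CommandLine contains 'TmCCSF'
      || evt.Parsed.CommandLine contains 'TmFilter'
      || evt.Parsed.CommandLine contains 'TMiCRCScanService'
      || evt.Parsed.CommandLine contains 'tmlisten'
      || evt.Parsed.CommandLine contains 'TMLWCSService'
      || evt.Parsed.CommandLine contains 'TmPfw'
      || evt.Parsed.CommandLine contains 'TmPreFilter'
      || evt.Parsed.CommandLine contains 'TmProxy'
      || evt.Parsed.CommandLine contains 'TMSmartRelayService'
      || evt.Parsed.CommandLine contains 'tmusa'
      || evt.Parsed.CommandLine contains 'Tomcat'
      || evt.Parsed.CommandLine contains 'Trend Micro Deep Security Manager'
      || evt.Parsed.CommandLine contains 'TrueKey'
      || evt.Parsed.CommandLine contains 'UFNet'
      || evt.Parsed.CommandLine contains 'UI0Detect'
      || evt.Parsed.CommandLine contains 'UniFi'
      || evt.Parsed.CommandLine contains 'UTODetect'
      || evt.Parsed.CommandLine contains 'vds'
      || evt.Parsed.CommandLine contains 'Veeam'
      || evt.Parsed.CommandLine contains 'VeeamDeploySvc'
      || evt.Parsed.CommandLine contains 'Veritas System Recovery'
      || evt.Parsed.CommandLine contains 'vmic'
      || evt.Parsed.CommandLine contains 'VMTools'
      || evt.Parsed.CommandLine contains 'vmvss'
      || evt.Parsed.CommandLine contains 'VSApiNt'
      || evt.Parsed.CommandLine contains 'VSS'
      || evt.Parsed.CommandLine contains 'W3Svc'
      || evt.Parsed.CommandLine contains 'wbengine'
      || evt.Parsed.CommandLine contains 'WdNisSvc'
      || evt.Parsed.CommandLine contains 'WeanClOudSve'
      || evt.Parsed.CommandLine contains 'Weems JY'
      || evt.Parsed.CommandLine contains 'WinDefend'
      || evt.Parsed.CommandLine contains 'wmms'
      || evt.Parsed.CommandLine contains 'wozyprobackup'
      || evt.Parsed.CommandLine contains 'WPFFontCache_v0400'
      || evt.Parsed.CommandLine contains 'WRSVC'
      || evt.Parsed.CommandLine contains 'wsbexchange'
      || evt.Parsed.CommandLine contains 'WSearch'
      || evt.Parsed.CommandLine contains 'Zoolz 2 Service'
    )
  )
# Once the scenario has fired for a given scope value, further matches for that
# same value are suppressed for 2 minutes, so a script that tampers with many
# services in a row produces one alert rather than one per service.
blackhole: 2m

labels:
  service: windows
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1489

label: "Suspicious Windows Service Tampering"
# Audit-only: behavior is reported but no remediation (decision) is generated.
behavior: "windows:audit"
remediation: false

# Alerts are keyed on the parent process that launched the service-control
# binary rather than on a source IP; this is what the blackhole above groups by.
scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId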