
Suspicious Windows Service Tampering

Sigma Rules

Summary
This Sigma rule watches Windows process-creation events for service tampering carried out with built-in administration tools: net (net.exe, which hands off to net1.exe), sc (sc.exe) and PowerShell. It matches command lines in which those tools stop, disable or delete a service, combined with service names that belong to security software (antivirus and endpoint protection) or to backup services. Disabling such services before encryption is a well-documented ransomware tactic, mapped to ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools), which is why the rule carries a high level. The same commands are also used legitimately by administrators and software installers, so expect some benign hits; tune on the parent process, the user account and the specific service name rather than excluding the tool itself.
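The matching logic described above, as an added illustration that is not the published rule's own selection blocks: a small Python checker run over constructed process-creation events. The tool-to-verb mapping, the `start= disabled` qualifier for `sc config`, and the protected-service list are assumptions chosen for this example; a real deployment would take the service names from the rule and from the organisation's own security and backup products.

```python
"""Illustrative service-tampering check over Windows process-creation events.

The lists below are assumptions for this example, not the published rule.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed: tampering verbs per tool binary (compared case-insensitively).
TOOL_VERBS = {
    "net.exe": ("stop",),
    "net1.exe": ("stop",),
    "sc.exe": ("stop", "delete", "config"),
    "powershell.exe": ("stop-service", "set-service", "remove-service"),
    "pwsh.exe": ("stop-service", "set-service", "remove-service"),
}

# Assumed: illustrative service names for security and backup components.
PROTECTED_SERVICES = ("windefend", "sense", "mpssvc", "vss", "wbengine", "sdrsvc")


@dataclass
class Alert:
    pid: int
    image: str
    reason: str


def _word(term: str, text: str) -> bool:
    """Whole-word match so 'vss' does not fire on 'vssadmin'."""
    return re.search(rf"\b{re.escape(term)}\b", text) is not None


def is_service_tampering(image: str, command_line: str) -> str | None:
    """Return a short reason if the event looks like service tampering, else None."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    verbs = TOOL_VERBS.get(exe)
    if verbs is None:
        return None
    cmd = command_line.lower()
    verb = next((v for v in verbs if _word(v, cmd)), None)
    if verb is None:
        return None
    # 'sc config' is only tampering here when it sets the start type to disabled.
    if exe == "sc.exe" and verb == "config" and not re.search(r"start\s*=\s*disabled", cmd):
        return None
    service = next((s for s in PROTECTED_SERVICES if _word(s, cmd)), None)
    if service is None:
        return None
    return f"{exe} {verb} targeting {service}"


def scan(events: list[dict]) -> list[Alert]:
    """Apply the check to a list of process-creation events."""
    alerts = []
    for ev in events:
        reason = is_service_tampering(ev["Image"], ev["CommandLine"])
        if reason is not None:
            alerts.append(Alert(ev["pid"], ev["Image"], reason))
    return alerts


# Constructed sample events (not real telemetry).
EVENTS = [
    {"pid": 1001, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop WinDefend"},
    {"pid": 1002, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc config wbengine start= disabled"},
    {"pid": 1003, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -c "Stop-Service -Name Sense -Force"'},
    {"pid": 1004, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query WinDefend"},            # read-only, no alert
    {"pid": 1005, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop Spooler"},              # not a protected service
    {"pid": 1006, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc config wbengine start= auto"},  # re-enabling, no alert
]

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert.pid, alert.reason)
```

The two-part condition (a tampering verb and a protected service on the same command line) is what keeps the volume manageable; matching on `net stop` alone would page on every service restart.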
Categories
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1562.001
Created: 2022-09-01