
Summary
This detection rule identifies suspicious termination of critical Windows services that ransomware commonly stops before encrypting files. It analyzes Windows System Event Logs (EventCode 7036, the Service Control Manager "entered the stopped state" message) to determine whether known backup services, the Volume Shadow Copy service, or antivirus services have been stopped. Stopping these services removes obstacles to file encryption and lets ransomware carry out its tasks with less interference. The rule can therefore surface early indicators of ransomware activity, which can lead to significant operational disruption and data loss if left unchecked.
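As an added example (not the rule's own search logic), the following Python applies the described check to a few constructed EventCode 7036 records. The watched service display names are an assumed watchlist, and the per-host aggregation is an addition that helps separate a single on-demand stop of the Volume Shadow Copy service (which normally stops when idle) from a burst of stops across backup and antivirus services.

```python
import re
from collections import Counter

# Constructed sample of Windows System log records from the Service Control Manager.
# Message text follows the real Windows format "The <display name> service entered the <state> state."
# (display names that already end in "Service" really do yield "... Service service entered ...").
SAMPLE_EVENTS = [
    {"EventCode": 7036, "Computer": "WS01", "Message": "The Windows Update service entered the running state."},
    {"EventCode": 7036, "Computer": "WS01", "Message": "The Volume Shadow Copy service entered the stopped state."},
    {"EventCode": 7036, "Computer": "WS01", "Message": "The Microsoft Defender Antivirus Service service entered the stopped state."},
    {"EventCode": 7036, "Computer": "WS01", "Message": "The Block Level Backup Engine Service service entered the stopped state."},
    {"EventCode": 7040, "Computer": "WS01", "Message": "The start type of the Volume Shadow Copy service was changed from demand start to disabled."},
    {"EventCode": 7036, "Computer": "WS02", "Message": "The Volume Shadow Copy service entered the stopped state."},
    {"EventCode": 7036, "Computer": "WS02", "Message": "The Print Spooler service entered the stopped state."},
]

# Assumed watchlist of display names (backup, Volume Shadow Copy, antivirus); extend for your estate.
WATCHED_SERVICES = {
    "Volume Shadow Copy",
    "Block Level Backup Engine Service",
    "Windows Backup",
    "Microsoft Defender Antivirus Service",
}

# Non-greedy capture so a display name ending in "Service" is still split correctly.
MSG_RE = re.compile(r"^The (?P<service>.+?) service entered the (?P<state>\w+) state\.$")


def detect_service_stops(events, watched=WATCHED_SERVICES):
    """Return one alert per EventCode 7036 record in which a watched service entered the stopped state."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") != 7036:
            continue  # other SCM events (e.g. 7040 start-type changes) are outside this rule's scope
        m = MSG_RE.match(ev.get("Message", ""))
        if not m or m.group("state") != "stopped":
            continue
        svc = m.group("service")
        if svc in watched:
            alerts.append({"Computer": ev.get("Computer", "?"), "Service": svc})
    return alerts


def hosts_with_multiple_stops(alerts, threshold=2):
    """Aggregate alerts per host; a host stopping several watched services is a stronger signal than one stop."""
    per_host = Counter(a["Computer"] for a in alerts)
    return {host: n for host, n in per_host.items() if n >= threshold}


if __name__ == "__main__":
    hits = detect_service_stops(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a['Computer']}: watched service stopped -> {a['Service']}")
    print("hosts with multiple stops:", hosts_with_multiple_stops(hits))
```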
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1490
Created: 2025-02-07