SigmaHQ/rules/windows/process_creation/win_service_stop.yml

30 lines
720 B
YAML
Raw Normal View History

2019-10-23 18:22:09 +00:00
title: Stop windows service
id: eb87818d-db5d-49cc-a987-d5da331fbd90
2019-10-23 18:22:09 +00:00
description: Detects a windows service to be stopped
status: experimental
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
2019-11-07 23:40:37 +00:00
modified: 2019/11/08
2019-10-23 18:22:09 +00:00
tags:
- attack.impact
- attack.t1489
2020-01-19 21:34:16 +00:00
logsource:
category: process_creation
product: windows
2019-10-23 18:22:09 +00:00
detection:
2019-11-07 23:40:37 +00:00
selection:
- Image|endswith: '\taskkill.exe'
- Image|endswith:
- '\sc.exe'
- '\net.exe'
- '\net1.exe'
CommandLine|contains: 'stop'
condition: selection
fields:
- ComputerName
- User
- CommandLine
2019-10-23 18:22:09 +00:00
falsepositives:
- Administrator shutting down the service due to upgrade or removal purposes
level: low