Suspicious Windows Service Tampering (ce72ef99-22f1-43d4-8695-419dcb5d9330)
Detects the use of binaries such as 'net', 'sc' or 'powershell' to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc., as seen in some ransomware scripts.

Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Suspicious Windows Service Tampering (ce72ef99-22f1-43d4-8695-419dcb5d9330) | Sigma-Rules | Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | 1 |