Suspicious Windows Service Tampering (ce72ef99-22f1-43d4-8695-419dcb5d9330)
Detects the use of binaries such as 'net', 'sc' or 'powershell' to stop, pause or delete critical or important Windows services such as AV, Backup, etc., as seen in some ransomware scripts.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | Suspicious Windows Service Tampering (ce72ef99-22f1-43d4-8695-419dcb5d9330) | Sigma-Rules | 1 |