SPL | Apache-2.0 | from splunk/security_content
Windows Excessive Service Stop Attempt
The following analytic detects bursts of attempts to stop or delete services on a system using `net.exe` or `sc.exe`. It leverages Endpoint Detection and Response (EDR) telemetry from the Endpoint.Processes data model, matching process names and command lines containing `stop` or `delete`, and fires when five or more such executions occur on one host, for one user, within a one-minute window. This activity is significant because it may indicate an adversary disabling security or other critical services to evade detection and further their objectives. If confirmed malicious, it could allow the attacker to gain persistence, escalate privileges, or disrupt essential services, compromising the system's security posture. Administrative scripts and software uninstallers also stop and delete services in quick succession, so expect to tune known-good hosts, users, or parent processes through the filter macro.
Rule source: detections/endpoint/windows_excessive_service_stop_attempt.yml
| tstats `security_content_summariesonly` values(Processes.action) as action values(Processes.parent_process) as parent_process values(Processes.parent_process_exec) as parent_process_exec values(Processes.parent_process_guid) as parent_process_guid values(Processes.parent_process_id) as parent_process_id values(Processes.parent_process_path) as parent_process_path values(Processes.process) as process values(Processes.process_exec) as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash) as process_hash values(Processes.process_id) as process_id values(Processes.process_integrity_level) as process_integrity_level values(Processes.process_path) as process_path values(Processes.user) as user values(Processes.user_id) as user_id values(Processes.vendor_product) as vendor_product count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (`process_net` OR `process_sc`)
AND (Processes.process="*stop*" OR Processes.process="*delete*")
BY Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m
| where count >=5
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_excessive_service_stop_attempt_filter`
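The search above, re-implemented in Python over a handful of constructed process-creation events so the WHERE filter, the BY grouping and the `count >= 5` threshold can be seen working end to end. This is an added example and not code from splunk/security_content; the expansion of the `process_net` / `process_sc` macros to net.exe, net1.exe and sc.exe, the case-insensitive wildcard match, and all sample events are assumptions. The `parenthesised=False` path shows what the WHERE clause matches when the stop/delete disjunction is left unparenthesised: AND binds tighter than OR in SPL, so every command line containing `delete` qualifies regardless of the executable.

```python
"""Re-implementation of the Windows Excessive Service Stop Attempt logic over
constructed process-creation events. Added illustration, not code from
splunk/security_content; the macro expansions below are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed expansion of the `process_net` / `process_sc` macros.
PROCESS_NET = {"net.exe", "net1.exe"}
PROCESS_SC = {"sc.exe"}


def matches_filter(process_name, process, parenthesised=True):
    """WHERE clause of the search.

    parenthesised=True  -> (net OR sc) AND (*stop* OR *delete*)
    parenthesised=False -> ((net OR sc) AND *stop*) OR *delete*, which is how
    SPL evaluates the clause without the inner parentheses (AND binds tighter
    than OR), so any command line containing 'delete' qualifies.
    Wildcard matches are treated as case-insensitive, as in `search`.
    """
    name = process_name.lower()
    cmd = process.lower()
    is_tool = name in PROCESS_NET or name in PROCESS_SC
    has_stop = "stop" in cmd
    has_delete = "delete" in cmd
    if parenthesised:
        return is_tool and (has_stop or has_delete)
    return (is_tool and has_stop) or has_delete


def minute_bucket(ts):
    """Equivalent of `_time span=1m`: truncate the timestamp to its minute."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(second=0).isoformat()


def detect(events, threshold=5, parenthesised=True):
    """Group matching events by the search's BY fields and return the groups
    whose count reaches the threshold, each with count/firstTime/lastTime."""
    groups = defaultdict(list)
    for e in events:
        if matches_filter(e["process_name"], e["process"], parenthesised):
            key = (e["dest"], e["user"], e["process_name"],
                   e["parent_process_name"], minute_bucket(e["_time"]))
            groups[key].append(e["_time"])
    return {
        key: {"count": len(times), "firstTime": min(times), "lastTime": max(times)}
        for key, times in groups.items()
        if len(times) >= threshold
    }


def _ev(ts, dest, user, parent, name, cmd):
    return {"_time": ts, "dest": dest, "user": user, "parent_process_name": parent,
            "process_name": name, "process": cmd}


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # Five sc.exe stop/delete commands from one cmd.exe on WS01 inside 10:00.
    _ev("2024-05-01T10:00:01Z", "WS01", "CORP\\alice", "cmd.exe", "sc.exe", "sc stop WinDefend"),
    _ev("2024-05-01T10:00:04Z", "WS01", "CORP\\alice", "cmd.exe", "sc.exe", "sc delete WinDefend"),
    _ev("2024-05-01T10:00:09Z", "WS01", "CORP\\alice", "cmd.exe", "sc.exe", "sc stop Sense"),
    _ev("2024-05-01T10:00:15Z", "WS01", "CORP\\alice", "cmd.exe", "sc.exe", "sc stop wscsvc"),
    _ev("2024-05-01T10:00:31Z", "WS01", "CORP\\alice", "cmd.exe", "sc.exe", "sc stop MsMpSvc"),
    # Two net.exe stops from the same session: a separate group, because the
    # search groups by process_name, so they do not add to the sc.exe count.
    _ev("2024-05-01T10:00:40Z", "WS01", "CORP\\alice", "cmd.exe", "net.exe", "net stop Spooler"),
    _ev("2024-05-01T10:00:50Z", "WS01", "CORP\\alice", "cmd.exe", "net.exe", "net stop BITS"),
    # Same host, next minute: lands in a different bucket.
    _ev("2024-05-01T10:01:02Z", "WS01", "CORP\\alice", "cmd.exe", "sc.exe", "sc stop EventLog"),
    # Routine admin on another host: one stop and one start.
    _ev("2024-05-01T10:00:03Z", "SRV02", "CORP\\bob", "powershell.exe", "sc.exe", "sc stop Spooler"),
    _ev("2024-05-01T10:00:09Z", "SRV02", "CORP\\bob", "powershell.exe", "net.exe", "net start Spooler"),
    # Not net/sc at all; only the unparenthesised clause would count it.
    _ev("2024-05-01T10:00:11Z", "SRV02", "CORP\\bob", "powershell.exe", "reg.exe",
        "reg delete HKLM\\SOFTWARE\\Contoso /f"),
]

if __name__ == "__main__":
    for key, hit in detect(SAMPLE_EVENTS).items():
        print(key, hit)
```

Two things the run makes visible that the description does not: the count is kept per `process_name` (and per parent), so an operator who alternates `net stop` and `sc stop` splits the tally across groups and needs five of one executable in the minute to trigger; and the minute bucket is a fixed calendar window, so a burst straddling the minute boundary is split as well. Whitelisting of known installers or management agents belongs in `windows_excessive_service_stop_attempt_filter`, not in the WHERE clause.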