1+ name : Known Services Killed by Ransomware
2+ id : 3070f8e0-c528-11eb-b2a0-acde48001122
3+ version : 7
4+ date : ' 2024-12-10'
5+ author : Teoderick Contreras, Splunk
6+ status : deprecated
7+ type : TTP
8+ description : The following analytic detects the suspicious termination of known services
9+ commonly targeted by ransomware before file encryption. It leverages Windows System
10+ Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow
11+ Copy, backup, and antivirus services are stopped. This activity is significant because
12+ ransomware often disables these services to avoid errors and ensure successful file
13+ encryption. If confirmed malicious, this behavior could lead to widespread data
14+ encryption, rendering files inaccessible and potentially causing significant operational
15+ disruption and data loss.
16+ data_source :
17+ - Windows Event Log System 7036
18+ search : ' `wineventlog_system` EventCode=7036 param1 IN ("*Volume Shadow Copy*","*VSS*",
19+ "*backup*", "*sophos*", "*sql*", "*memtas*", "*mepocs*", "*veeam*", "*svc$*", "DefWatch",
20+ "ccEvtMgr", "ccSetMgr", "SavRoam", "RTVscan", "QBFCService", "QBIDPService", "Intuit.QuickBooks.FCS",
21+ "QBCFMonitorService", "YooBackup", "YooIT", "*Veeam*", "PDVFSService", "BackupExec*",
22+ "WdBoot", "WdFilter", "WdNisDrv", "WdNisSvc", "WinDefend", "wscsvc", "Sense", "sppsvc",
23+ "SecurityHealthService") param2="stopped" | stats count min(_time) as firstTime
24+ max(_time) as lastTime by EventCode param1 dest | `security_content_ctime(lastTime)`
25+ | `security_content_ctime(firstTime)` | `known_services_killed_by_ransomware_filter`'
26+ how_to_implement : To successfully implement this search, you need to be ingesting
27+ logs with the 7036 EventCode ScManager in System audit Logs from your endpoints.
28+ known_false_positives : Admin activities or installing related updates may do a sudden
29+ stop to list of services we monitor.
30+ references :
31+ - https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
32+ - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/
33+ - https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/
34+ - https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html
35+ drilldown_searches :
36+ - name : View the detection results for - "$dest$"
37+ search : ' %original_detection_search% | search dest = "$dest$"'
38+ earliest_offset : $info_min_time$
39+ latest_offset : $info_max_time$
40+ - name : View risk events for the last 7 days for - "$dest$"
41+ search : ' | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
42+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
43+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
44+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
45+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
46+ | `security_content_ctime(lastTime)`'
47+ earliest_offset : $info_min_time$
48+ latest_offset : $info_max_time$
49+ rba :
50+ message : Known services $param1$ terminated by a potential ransomware on $dest$
51+ risk_objects :
52+ - field : dest
53+ type : system
54+ score : 72
55+ threat_objects :
56+ - field : param1
57+ type : service
58+ tags :
59+ analytic_story :
60+ - LockBit Ransomware
61+ - Ransomware
62+ - Compromised Windows Host
63+ - BlackMatter Ransomware
64+ asset_type : Endpoint
65+ mitre_attack_id :
66+ - T1490
67+ product :
68+ - Splunk Enterprise
69+ - Splunk Enterprise Security
70+ - Splunk Cloud
71+ security_domain : endpoint
72+ tests :
73+ - name : True Positive Test
74+ attack_data :
75+ - data :
76+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/windows-xml.log
77+ source : XmlWinEventLog:System
78+ sourcetype : XmlWinEventLog
0 commit comments