Suspicious Windows Service Tampering (ce72ef99-22f1-43d4-8695-419dcb5d9330)

Detects the use of binaries such as 'net', 'sc' or 'powershell' to stop, pause or delete critical or important Windows services such as AV, backup, etc., as seen in some ransomware scripts.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | Suspicious Windows Service Tampering (ce72ef99-22f1-43d4-8695-419dcb5d9330) | Sigma-Rules | 1 |