Type: Detection, Level: high, Status: test
Important Windows Service Terminated Unexpectedly
Detects important or interesting Windows services that got terminated unexpectedly.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Fri Apr 14
Rule ID: 56abae0c-6212-4b97-adc0-0b559bb950c3
Product: windows
Log Source
Product: Windows (raw: windows)
Service: system (raw: system)
Detection Logic (2 selectors)
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7034 # The X service terminated unexpectedly. It has done this Y time(s).
    selection_name:
        # Note that the names contained in "param1" are "Display Names" and are language specific. If you're using a non-English system these can and will be different.
        - param1|contains: 'Message Queuing'
        # Use this if you collect the binary value provided with this event, which is the wide (UTF-16LE) hex-encoded value of the service name.
        - Binary|contains:
            - '4d0053004d005100' # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case
            - '6d0073006d007100' # msmq
    condition: all of selection_*

False Positives
Rare false positives could occur, since a service can terminate unexpectedly for many reasons.
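To show how the two selectors behave on real-looking records, here is an added Python example; it is not the rule page's or the Sigma project's code. It assumes that System-log events have already been parsed into dictionaries keyed by the rule's own field names (Provider_Name, EventID, param1, Binary) and implements only the Sigma semantics this rule needs: `contains` is a case-insensitive substring test, a list of selector items is OR-ed, and `all of selection_*` AND-s the selectors. The sample events are constructed; the localized display name in the second one is a made-up placeholder, there to show why the Binary field still matches when param1 does not.

```python
"""Evaluate the Sigma rule above against constructed Windows System-log events."""


def wide_hex(service_name: str) -> str:
    """UTF-16LE hex of a service name, the form carried in the event's Binary field."""
    return service_name.encode("utf-16-le").hex()


def contains(haystack, needle: str) -> bool:
    """Sigma `|contains`: case-insensitive substring match; an absent field never matches."""
    if haystack is None:
        return False
    return needle.lower() in str(haystack).lower()


def selection_eid(event: dict) -> bool:
    """selection_eid: Service Control Manager event 7034."""
    return (event.get("Provider_Name") == "Service Control Manager"
            and event.get("EventID") == 7034)


def selection_name(event: dict) -> bool:
    """selection_name: the two list items are OR-ed, either one is enough."""
    by_display_name = contains(event.get("param1"), "Message Queuing")
    by_binary = any(contains(event.get("Binary"), h)
                    for h in ("4d0053004d005100", "6d0073006d007100"))
    return by_display_name or by_binary


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_eid(event) and selection_name(event)


def evaluate(events: list) -> list:
    """Return one True/False per event, in input order."""
    return [rule_matches(e) for e in events]


# Constructed sample events (not real telemetry).
EVENTS = [
    {   # English display name; Binary not collected: matches via param1
        "Provider_Name": "Service Control Manager", "EventID": 7034,
        "param1": "Message Queuing", "param2": "1",
    },
    {   # Placeholder for a non-English display name: only Binary identifies the service
        "Provider_Name": "Service Control Manager", "EventID": 7034,
        "param1": "LOCALIZED-DISPLAY-NAME-PLACEHOLDER", "param2": "1",
        "Binary": wide_hex("MSMQ").upper(),   # EVTX exports often render hex in upper case
    },
    {   # Same service, but 7036 (state change), not an unexpected termination
        "Provider_Name": "Service Control Manager", "EventID": 7036,
        "param1": "Message Queuing", "param2": "running",
        "Binary": wide_hex("MSMQ"),
    },
    {   # 7034 for a different service: selection_name does not match
        "Provider_Name": "Service Control Manager", "EventID": 7034,
        "param1": "Print Spooler", "param2": "1",
        "Binary": wide_hex("Spooler"),
    },
]

if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate(EVENTS)):
        print(f"EventID={event['EventID']} param1={event['param1']!r}: {'ALERT' if hit else 'no match'}")
```

Only the first two sample events fire. The second one shows the point of the `Binary` selector item: on a non-English system the display name in `param1` will not contain "Message Queuing", so unless the binary data is collected and searched, the rule silently misses the event.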
MITRE ATT&CK Tactics: Defense Evasion (tag attack.defense-evasion)
Rule Metadata
Rule ID: 56abae0c-6212-4b97-adc0-0b559bb950c3
Status: test
Level: high
Type: Detection
Created: Fri Apr 14
Path: rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
Raw Tags: attack.defense-evasion