Create proc_creation_win_sc_delete_av_services.yml
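--- /dev/null
+++ b/proc_creation_win_sc_delete_av_services.yml
@@ -0,0 +1,118 @@
+title: Suspicious Execution of Sc to Demete AV Processes
+id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
+status: experimental
+description: Detects when attackers use "sc.exe" to delete AV software from the system
+author: Nasreddine Bencherchali
+references:
+    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
+date: 2022/08/01
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\sc.exe'
+        - OriginalFileName: 'sc.exe'
+    selection_cli:
+        CommandLine|contains: ' delete '
+    selection_av_process:
+        CommandLine|contains:
+            # Delete Service 'AVG'
+            - 'AvgAdminServer'
+            - 'AVG Antivirus'
+            - 'MBEndpointAgent'
+            # Delete Service 'Malwaresbytes'
+            - 'MBAMService'
+            - 'MBCloudEA'
+            - 'avgAdminClient'
+            # Delete Service 'Sofos'
+            - 'SAVService'
+            - 'SAVAdminService'
+            - 'Sophos AutoUpdate Service'
+            - 'Sophos Clean Service'
+            - 'Sophos Device Control Service'
+            - 'Sophos File Scanner Service'
+            - 'Sophos Health Service'
+            - 'Sophos MCS Agent'
+            - 'Sophos MCS Client'
+            - 'SntpService'
+            - 'swc_service'
+            - 'swi_service'
+            - 'Sophos UI'
+            - 'swi_update'
+            - 'Sophos Web Control Service'
+            - 'Sophos System Protection Service'
+            - 'Sophos Safestore Service'
+            - 'hmpalertsvc'
+            - 'RpcEptMapper'
+            - 'Sophos Endpoint Defense Service'
+            - 'SophosFIM'
+            - 'swi_filter'
+            # Delete Service 'Fire_Bird'
+            - 'FirebirdGuardianDefaultInstance'
+            - 'FirebirdServerDefaultInstance'
+            # Delete Service 'AV: Webroot'
+            - 'WRSVC'
+            # Delete Service 'AV: ESET'
+            - 'ekrn'
+            - 'ekrnEpsw'
+            # Delete Service 'AV: Kaspersky'
+            - 'klim6'
+            - 'AVP18.0.0'
+            - 'KLIF'
+            - 'klpd'
+            - 'klflt'
+            - 'klbackupdisk'
+            - 'klbackupflt'
+            - 'klkbdflt'
+            - 'klmouflt'
+            - 'klhk'
+            - 'KSDE1.0.0'
+            - 'kltap'
+            # Delete Service 'AV: Quick Heal'
+            - 'ScSecSvc'
+            - 'Core Mail Protection'
+            - 'Core Scanning Server'
+            - 'Core Scanning ServerEx'
+            - 'Online Protection System'
+            - 'RepairService'
+            - 'Core Browsing Protection'
+            - 'Quick Update Service'
+            # Delete Service 'AV: McAfee'
+            - 'McAfeeFramework'
+            - 'macmnsvc'
+            - 'masvc'
+            - 'mfemms'
+            - 'mfevtp'
+            # Delete Service 'AV: Trend Micro'
+            - 'TmFilter'
+            - 'TMLWCSService'
+            - 'tmusa'
+            - 'TmPreFilter'
+            - 'TMSmartRelayService'
+            - 'TMiCRCScanService'
+            - 'VSApiNt'
+            - 'TmCCSF'
+            - 'tmlisten'
+            - 'TmProxy'
+            - 'ntrtscan'
+            - 'ofcservice'
+            - 'TmPfw'
+            - 'PccNTUpd'
+            # Delete Service 'AV: Panda'
+            - 'PandaAetherAgent'
+            - 'PSUAService'
+            - 'NanoServiceMain'
+            - 'EPIntegrationService'
+            - 'EPProtectedService'
+            - 'EPRedline'
+            - 'EPSecurityService'
+            - 'EPUpdateService'
+    condition: all of selection*
+falsepositives:
+    - Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such)
+level: high
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1562.001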
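Review bot: The rule title on the first added line has a typo and names the wrong object, `title: Suspicious Execution of Sc to Demete AV Processes`; since the detection keys on `sc delete <service>` it should read `title: Suspicious Execution of Sc to Delete AV Services`, which also matches the filename. The grouping comments inside `selection_av_process` need the same attention: `# Delete Service 'Malwaresbytes'` and `# Delete Service 'Sofos'` should spell `'Malwarebytes'` and `'Sophos'`, `MBEndpointAgent` is listed under the AVG heading and `avgAdminClient` under the Malwarebytes heading, and `RpcEptMapper` appears to be the built-in Windows RPC Endpoint Mapper rather than a Sophos service, so it deserves its own comment explaining why deleting it is flagged. Under a `contains` modifier `'Core Scanning Server'` already matches `'Core Scanning ServerEx'`, so the second entry is redundant and can be dropped. The version-pinned entries `'AVP18.0.0'` and `'KSDE1.0.0'` will silently miss other Kaspersky releases, which is worth stating in the description so a maintainer knows the list is not release-independent. The false-positive line reads awkwardly; `- Legitimate software uninstalling itself with the same sc.exe delete method (add a filter if such cases are observed)` says the same thing more clearly.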