From cd7539d7e6ba84cd2b81b5ee367c76b281dcd455 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 1 Aug 2022 17:52:09 +0100
Subject: [PATCH] Create proc_creation_win_sc_delete_av_services.yml
---
 ...roc_creation_win_sc_delete_av_services.yml | 118 ++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml
diff --git a/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml b/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml
new file mode 100644
index 000000000..2ca456e17
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml
@@ -0,0 +1,118 @@
+title: Suspicious Execution of Sc to Demete AV Processes
+id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
+status: experimental
+description: Detects when attackers use "sc.exe" to delete AV software from the system
+author: Nasreddine Bencherchali
+references:
+    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
+date: 2022/08/01
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\sc.exe'
+        - OriginalFileName: 'sc.exe'
+    selection_cli:
+        CommandLine|contains: ' delete '
+    selection_av_process:
+        CommandLine|contains:
+            # Delete Service 'AVG'
+            - 'AvgAdminServer'
+            - 'AVG Antivirus'
+            - 'MBEndpointAgent'
+            # Delete Service 'Malwaresbytes'
+            - 'MBAMService'
+            - 'MBCloudEA'
+            - 'avgAdminClient'
+            # Delete Service 'Sofos'
+            - 'SAVService'
+            - 'SAVAdminService'
+            - 'Sophos AutoUpdate Service'
+            - 'Sophos Clean Service'
+            - 'Sophos Device Control Service'
+            - 'Sophos File Scanner Service'
+            - 'Sophos Health Service'
+            - 'Sophos MCS Agent'
+            - 'Sophos MCS Client'
+            - 'SntpService'
+            - 'swc_service'
+            - 'swi_service'
+            - 'Sophos UI'
+            - 'swi_update'
+            - 'Sophos Web Control Service'
+            - 'Sophos System Protection Service'
+            - 'Sophos Safestore Service'
+            - 'hmpalertsvc'
+            - 'RpcEptMapper'
+            - 'Sophos Endpoint Defense Service'
+            - 'SophosFIM'
+            - 'swi_filter'
+            # Delete Service 'Fire_Bird'
+            - 'FirebirdGuardianDefaultInstance'
+            - 'FirebirdServerDefaultInstance'
+            # Delete Service 'AV: Webroot'
+            - 'WRSVC'
+            # Delete Service 'AV: ESET'
+            - 'ekrn'
+            - 'ekrnEpsw'
+            # Delete Service 'AV: Kaspersky'
+            - 'klim6'
+            - 'AVP18.0.0'
+            - 'KLIF'
+            - 'klpd'
+            - 'klflt'
+            - 'klbackupdisk'
+            - 'klbackupflt'
+            - 'klkbdflt'
+            - 'klmouflt'
+            - 'klhk'
+            - 'KSDE1.0.0'
+            - 'kltap'
+            # Delete Service 'AV: Quick Heal'
+            - 'ScSecSvc'
+            - 'Core Mail Protection'
+            - 'Core Scanning Server'
+            - 'Core Scanning ServerEx'
+            - 'Online Protection System'
+            - 'RepairService'
+            - 'Core 
Browsing Protection'
+            - 'Quick Update Service'
+            # Delete Service 'AV: McAfee'
+            - 'McAfeeFramework'
+            - 'macmnsvc'
+            - 'masvc'
+            - 'mfemms'
+            - 'mfevtp'
+            # Delete Service 'AV: Trend Micro'
+            - 'TmFilter'
+            - 'TMLWCSService'
+            - 'tmusa'
+            - 'TmPreFilter'
+            - 'TMSmartRelayService'
+            - 'TMiCRCScanService'
+            - 'VSApiNt'
+            - 'TmCCSF'
+            - 'tmlisten'
+            - 'TmProxy'
+            - 'ntrtscan'
+            - 'ofcservice'
+            - 'TmPfw'
+            - 'PccNTUpd'
+            # Delete Service 'AV: Panda'
+            - 'PandaAetherAgent'
+            - 'PSUAService'
+            - 'NanoServiceMain'
+            - 'EPIntegrationService'
+            - 'EPProtectedService'
+            - 'EPRedline'
+            - 'EPSecurityService'
+            - 'EPUpdateService'
+    condition: all of selection*
+falsepositives:
+    - Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such)
+level: high
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1562.001
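Review bot: The `title:` line misspells the verb and, since the title is what analysts see first on an alert, it should be fixed before merge: `title: Suspicious Execution of Sc to Delete AV Processes`. The vendor comments inside `selection_av_process` are misaligned with the entries they label: `MBEndpointAgent` sits under `# Delete Service 'AVG'` while `avgAdminClient` sits under the Malwarebytes block, the labels read `Malwaresbytes` and `Sofos`, and `RpcEptMapper` is the Windows RPC Endpoint Mapper rather than a Sophos component, so it deserves its own comment (its deletion is still worth alerting on, it just should not be attributed to Sophos). Because the field uses `CommandLine|contains`, `ekrnEpsw` and `Core Scanning ServerEx` are already matched by `ekrn` and `Core Scanning Server` and can be dropped without losing coverage. The `falsepositives` entry would read more clearly as `Legitimate software uninstallers removing their own services (add a filter if such cases are observed)`.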