← All Chokepoints CRITICAL

Ransomware Service Manipulation

Defense Evasion Impact T1562.001 T1489 Detection difficulty: LOW Prevalence: HIGH

Before encrypting files, ransomware operators stop and delete security tools, backup services, and database engines to maximize impact and prevent recovery. This service manipulation phase is the last detectable warning before encryption begins. The chokepoint is immutable: admin/SYSTEM privileges, service enumeration, and service stop/delete capability are always required regardless of which ransomware family is executing. This pattern has remained consistent across all major ransomware families from 2021 to present, with kill lists expanding but the core behavior unchanged.

By @iimp0ster · Updated 2026-03-07 · View source YAML

Prerequisites (Environmental)

• ✓ Admin or SYSTEM privileges already established on target system
• ✓ Target security, backup, and database services are running (cannot stop what is not running)

Attack Chokepoints (3 invariant stages — click to expand)

Each stage is an invariant condition the attacker must satisfy — regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.

1

Service Enumeration

Research Baseline

Actor enumerates running services to build the kill list via sc query, Get-Service, wmic, or equivalent

Ransomware cannot stop what it cannot find — service enumeration precedes every observed kill sequence across all documented families; sc.exe stop and delete require Admin or SYSTEM privileges, so no privilege escalation means immediate failure before enumeration can complete

• Sysmon Event ID 1 (sc.exe query / wmic service get / Get-Service)
• Windows Security Event ID 4688 (Process Creation)

View rule →

2

Service Stop and Disable

Hunt Active Hunt

Security, backup, and database services are stopped in rapid succession via sc.exe, net stop, taskkill, or WMI StopService — multiple services within a short window

Files locked by running services cannot be encrypted — stop must precede encryption in every observed ransomware family without exception

• Windows System Event ID 7036 (Service State Change — stopped)
• Windows System Event ID 7040 (Service Start Type Changed — disabled)
• Sysmon Event ID 1 (sc.exe / net.exe / taskkill.exe process creation)

View rule →

⚠ Bypass risk: Purpose-built EDR killers (BYOVD drivers, EDRKillShifter) bypass service-stop detection by killing the EDR process at kernel level — monitor Sysmon EID 6 for suspicious driver loads immediately before bulk service termination

3

Service Deletion

Analyst SOC Alert

Stopped services are deleted or permanently disabled to prevent automatic restart during the encryption phase

Without deletion, Windows service recovery policies restart stopped services and interfere with encryption — deletion is confirmed across all major documented families

• Sysmon Event ID 1 (sc.exe delete / sc.exe config start= disabled)
• Windows System Event ID 7036 (service removed)

View rule →

Variations

Tools and methods that exploit this chokepoint — the list grows; the chokepoint doesn't change:

BlackBasta Inactive

2022

Collapsed February 2025 after internal chat logs leaked; members migrated to CACTUS and SafePay

Targets AV, EDR, Veeam backup, SQL databases; avg TTR 6-12 hours; collapsed February 2025 after internal Matrix chat logs (196k messages) leaked by disgruntled member; former members migrated to CACTUS and SafePay

Source →

Alphv/BlackCat Defunct

2021

FBI-disrupted December 2023; exited via scam after $22M Change Healthcare ransom

Targets Sophos, Defender, VSS, SQL; cross-platform (Windows and Linux/ESXi); FBI disruption December 2023; exited via scam March 2024 after $22M Change Healthcare ransom — leadership withheld affiliate commissions and shut down infrastructure

Source →

Akira Active

2023

Prioritizes Defender and backup agents; targets VPN appliances for initial access

Qilin Active

2022

Rebranded from Agenda; surged with NHS/Synnovis attack June 2024

Originally tracked as Agenda (Golang); rebranded to Qilin and rewrote in Rust in 2022; fully operational RaaS by February 2023; targets EDR, Veeam, databases; VMware ESXi variant active; surged to prominence with NHS/Synnovis attack June 2024

LockBit 3.0 Severely Disrupted

2022

Operation Cronos seized 28 servers and 1,000+ decryption keys; significantly disrupted

Comprehensive kill list (50+ services); Group Policy abuse for domain-wide deployment; Operation Cronos (February 2024) seized 28 servers, source code, and 1000+ decryption keys — significantly reduced operational capacity

Source →

Detection Strategy

Build detections iteratively. Start broad to understand your baseline, then tighten to production-ready.

Goal: Identify security or backup service state changes (stopped)

Log Sources

• Windows System Event ID 7036 (Service State Change)
• Windows System Event ID 7040 (Service Start Type Change)

FP Rate: High

Use Case: Baseline service stop frequency and patterns; identify maintenance windows vs. anomalies

Detection Logic

Event ID: 7036 Service Name: Contains "sophos" OR "defender" OR "veeam" OR "backup" OR "antivirus" State: Stopped

Sigma Rule — Research Level

View on GitHub Download

title: Security or Backup Service Stopped
id: b4c8d0e2-f4a6-4b8c-0d2e-2f4a6b8c0d2e
status: experimental
description: >
  Detects security product and backup service state changes to "stopped".
  Research-level rule for the ransomware service manipulation chokepoint.
  Establishes a baseline of how often security and backup services stop in the
  environment (maintenance windows, updates, reboots) to tune higher-fidelity
  detection. High false positive rate expected.
references:
  - https://attack.mitre.org/techniques/T1562/001/
  - https://attack.mitre.org/techniques/T1489/
  - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.impact
  - attack.t1489
  - detection.maturity.research
logsource:
  product: windows
  service: system
detection:
  selection_event:
    EventID: 7036
    # "The X service entered the stopped state."
    Message|contains: 'entered the stopped state'
  selection_security_services:
    Message|contains:
      # Sophos
      - 'Sophos'
      - 'sophos'
      # Microsoft Defender
      - 'WinDefend'
      - 'Windows Defender'
      - 'Sense'
      - 'WdNisSvc'
      # Generic AV/EDR patterns
      - 'Antivirus'
      - 'antivirus'
      # Backup services
      - 'Veeam'
      - 'veeam'
      - 'Volume Shadow Copy'
      - 'VSS'
      - 'wbengine'
      - 'Acronis'
      - 'acronis'
  condition: selection_event and selection_security_services
falsepositives:
  - System reboots (all services stop)
  - AV/EDR product updates (service restarts)
  - Maintenance windows (planned service stops)
  - Backup service completion cycles (Veeam, etc. stop between jobs)
level: low

Goal: Service stop + delete combination for security or backup services in rapid succession

Log Sources

• Windows System Event ID 7036 (Service State Change)
• Windows System Event ID 7040 (Service Start Type Change)
• Sysmon Event ID 1 (Process Creation for sc.exe, net.exe)

FP Rate: Medium

Use Case: Hunt for ransomware preparation activity; identifies pre-encryption service manipulation

Detection Logic

Process: sc.exe OR net.exe OR powershell.exe OR taskkill.exe CommandLine: "stop" AND (service keyword in: sophos, defender, veeam, backup, acronis, mssql, mysql) Within 60 seconds: Same or related service: "delete" OR "disabled" via sc.exe OR: 3+ security/backup services stopped within 5-minute window from same process/session

Sigma Rule — Hunt Level

View on GitHub Download

title: Multiple Security or Backup Services Stopped or Deleted in Rapid Succession
id: c5d9e1f3-a5b7-4c9d-1e3f-3a5b7c9d1e3f
status: experimental
description: >
  Detects sc.exe, net.exe, or taskkill.exe used to stop or delete security/backup
  services, with specific focus on service deletion within 60 seconds of a stop
  command (a strong indicator of ransomware preparation). Also catches rapid-fire
  service stops targeting multiple services within a 5-minute window.
references:
  - https://attack.mitre.org/techniques/T1562.001/
  - https://attack.mitre.org/techniques/T1489/
  - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.impact
  - attack.t1489
  - detection.maturity.hunt
logsource:
  category: process_creation
  product: windows
detection:
  selection_stop_tools:
    Image|endswith:
      - '\sc.exe'
      - '\net.exe'
      - '\net1.exe'
      - '\taskkill.exe'
  # Service stop commands targeting security/backup services
  selection_stop_action:
    CommandLine|contains:
      - ' stop '
      - ' delete '
      - '/IM '  # taskkill /IM
  selection_security_targets:
    CommandLine|contains:
      # Sophos
      - 'Sophos'
      - 'sophos'
      - 'SAVService'
      - 'SophosFileScanner'
      # Windows Defender
      - 'WinDefend'
      - 'Sense'
      - 'WdNisSvc'
      - 'WdFilter'
      - 'MsMpEng'
      # Veeam
      - 'Veeam'
      - 'veeam'
      # Volume Shadow Copy
      - 'VSS'
      - 'vss'
      - 'wbengine'
      # SQL / Database
      - 'MSSQL'
      - 'SQLWriter'
      - 'MySQL'
      - 'postgresql'
      # Acronis
      - 'Acronis'
      - 'acronis'
      # Generic backup patterns
      - 'backup'
      - 'Backup'
  condition: selection_stop_tools and selection_stop_action and selection_security_targets
falsepositives:
  - Planned maintenance by system administrators (compare against change management records)
  - AV/EDR product uninstallation during software upgrade cycles
  - IT operations during system decommissioning
level: medium

Goal: Network logon + bulk service termination targeting specific security/backup services within a tight window

Log Sources

• Sysmon Event ID 1 (Process Creation)
• Windows Security Event ID 4624 (Logon)
• Windows System Event ID 7036 (Service State)
• Windows System Event ID 7040/7045 (Service Config)

FP Rate: Low

Use Case: SOC alerting; ransomware pre-encryption detection with minimal time to respond

Detection Logic

Source: Network Logon (4624, LogonType 3) OR local admin session Process: sc.exe OR net.exe OR taskkill.exe Services stopped (5 or more within 10-minute window), targeting:
  Security: SophosFileScanner OR SAVService OR WinDefend OR Sense OR MsMpEng
  Backup: Veeam* OR VeeamDeploymentService OR VSS OR wbengine OR *acronis*
  Database: MSSQL* OR SQLWriter OR MySQL* OR postgresql*
Service delete: Attempted within 2 minutes of service stop Context: After-hours activity (outside 08:00-18:00 local) OR unusual source IP

Sigma Rule — Analyst Level

View on GitHub Download

title: Ransomware Pre-Encryption — Bulk Service Termination Targeting Sophos File Scanner
id: d6e0f2a4-b6c8-4d0e-2f4a-4b6c8d0e2f4a
status: experimental
description: >
  High-fidelity detection for ransomware pre-encryption activity. Detects sc.exe
  stopping the Sophos File Scanner service (SophosFileScanner) followed by service
  deletion — a specific TTP observed in Alphv/BlackCat, BlackBasta, and LockBit
  campaigns. This combination of stop + delete targeting a named security service
  via a network logon session is a very strong pre-encryption indicator.
  Inspired by the detection iteration demonstrated in the "Detection Chokepoints"
  talk (BSidesSLC / Huntress).
references:
  - https://attack.mitre.org/techniques/T1562/001/
  - https://attack.mitre.org/techniques/T1489/
  - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
  - https://www.mandiant.com/m-trends
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.impact
  - attack.t1489
  - detection.maturity.analyst
logsource:
  category: process_creation
  product: windows
detection:
  selection_sc_stop:
    Image|endswith: '\sc.exe'
    CommandLine|contains|all:
      - 'stop'
      - 'SophosFileScanner'
  selection_sc_delete:
    Image|endswith: '\sc.exe'
    CommandLine|contains|all:
      - 'delete'
      - 'SophosFileScanner'
  condition: selection_sc_stop or selection_sc_delete
falsepositives:
  - Sophos product uninstallation by authorized IT staff
  - Sophos version upgrade process (stop old, install new)
level: high

Early Detection Layers

Detect before the user pastes or executes — earlier in the kill chain than the Sysmon-based rules above, using different data sources.

Evolution Timeline (5 events — click to expand)

Techniques and tooling evolve; the underlying detection chokepoint does not.

2024-Q3

Purpose-built EDR killer tooling becomes standard

Change: RansomHub ships EDRKillShifter; DeadLock embeds a weaponized Baidu driver; ~25% of 2024 ransomware attacks incorporated purpose-built EDR disablement.

Detection impact: Cannot rely on known-bad driver hashes alone; monitor for driver load events (Sysmon EID 6) of unsigned or recently signed drivers immediately before service manipulation

2024-Q2

ESXi hypervisor service targeting increases

Change: VM-based service disruption targets vmware-hostd, vpxa, vsanmgmtd; ESXi-specific logging required.

Detection impact: ESXi-specific logging (vSphere/vCenter) required; endpoint detection insufficient

2023-Q4

Backup services prioritized ahead of AV/EDR in kill sequence

Change: Veeam, Acronis, and Windows Backup targeted before AV/EDR; backup service monitoring becomes highest-priority signal.

Detection impact: Backup service monitoring becomes highest priority signal

2022-Q3

Multi-vendor EDR evasion; kill lists expand to 50+ security products

Change: Kill lists expand to 50+ security products covering all major AV/EDR; threshold-based detection required.

Detection impact: Cannot rely on specific product name matches; threshold-based detection required

2021-Q2

Database services added to kill lists

Change: SQL Server, MySQL, and PostgreSQL services added to kill lists to release file locks before encryption.

Detection impact: Database service monitoring becomes a required detection component

Raw Log Samples (5 samples — click to expand)

Real-world log events produced by this technique and which sigma rules they trigger.

Sysmon EID 1

Hunt Analyst

sc.exe used to stop a backup service - first service in rapid bulk-stop sequence

EventID: 1 (Process Create)
UtcTime: 2024-06-17 22:11:03.447
ProcessId: 5532
Image: C:\Windows\System32\sc.exe
CommandLine: sc  stop  VeeamBackupSvc
ParentImage: C:\Windows\System32\cmd.exe

Windows Event Log EID 7036

Research Hunt Analyst

Veeam backup service stopped as part of ransomware pre-encryption service kill

EventID: 7036 (The service entered the stopped state)
TimeCreated: 2024-06-17T22:11:03.8834120Z
Channel: System
param1: Veeam Backup Service
param2: stopped

Sysmon EID 1

Hunt Analyst

sc.exe disables service to prevent automatic restart

EventID: 1 (Process Create)
UtcTime: 2024-06-17 22:11:04.112
ProcessId: 5540
Image: C:\Windows\System32\sc.exe
CommandLine: sc  config  VeeamBackupSvc  start=  disabled
ParentImage: C:\Windows\System32\cmd.exe

Windows Event Log EID 7040

Hunt Analyst

Backup service start type changed to disabled - prevents auto-restart

EventID: 7040 (The start type of the service was changed)
TimeCreated: 2024-06-17T22:11:04.2201830Z
Channel: System
param1: Veeam Backup Service
param2: disabled

Sysmon EID 1

Hunt Analyst

Service deleted to remove backup infrastructure entirely

EventID: 1 (Process Create)
UtcTime: 2024-06-17 22:11:07.883
ProcessId: 5548
Image: C:\Windows\System32\sc.exe
CommandLine: sc  delete  VeeamBackupSvc
ParentImage: C:\Windows\System32\cmd.exe

Emulation Script (click to expand)

⚠ Lab use only. Requires Administrator. Creates dummy test services. Optionally targets VSS. Lab VM only.

powershell ATT&CK: T1562.001 Simulates bulk service stop, disable, and delete pattern used by ransomware pre-encryption

POWERSHELL

View on GitHub Download

#Requires -Version 5.1
# MITRE ATT&CK: T1562.001 / T1489 — Impair Defenses / Service Stop
# Simulates ransomware pre-encryption steps: VSS deletion and backup service termination.

[CmdletBinding()]
param(
    [int]$TargetCount = 3,
    [switch]$TargetVss,
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Continue'

function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok   ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }

$ServicePrefix = 'RansomTestSvc'

function Remove-Artefacts {
    for ($i = 1; $i -le $TargetCount; $i++) {
        $svcName = "$ServicePrefix$i"
        if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
            sc.exe stop $svcName 2>&1 | Out-Null
            sc.exe delete $svcName 2>&1 | Out-Null
        }
    }
    Write-Ok "All test services cleaned up"
}

if ($CleanupOnly) { Remove-Artefacts; exit 0 }

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Error "Administrator privileges required. Rerun as Administrator."
    exit 1
}

Write-Host ""
Write-Host "=== Ransomware Service Manipulation Emulation ===" -ForegroundColor Magenta
Write-Host "    T1562.001 + T1489 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

Write-Step "Step 1/3 — Creating $TargetCount dummy test services"
Write-Verbose "  These stand in for real targets: VeeamBackupSvc, WinDefend, VSS, SQLWriter"

# Dummy binary path (does not exist — service won't start, but can be stopped/deleted)
$DummyBin = 'C:\Windows\Temp\ransom_test_svc.exe'
for ($i = 1; $i -le $TargetCount; $i++) {
    $svcName = "$ServicePrefix$i"
    $result = sc.exe create $svcName binPath= $DummyBin start= auto `
        displayname= "Ransom Test Service $i (SAFE TO DELETE)" 2>&1
    Write-Ok "Created: $svcName — $result"
}

Start-Sleep -Milliseconds 300

Write-Step "Step 2/3 — Bulk service stop + disable (WEL 7036, 7040, Sysmon EID 1)"
Write-Verbose "  Pattern: 3+ services stopped within 5-min window = Hunt trigger"
Write-Verbose "  Pattern: 5+ services stopped = Analyst threshold"

$StoppedCount = 0
for ($i = 1; $i -le $TargetCount; $i++) {
    $svcName = "$ServicePrefix$i"

    # Stop (generates WEL 7036)
    $stopOut = sc.exe stop $svcName 2>&1
    Write-Ok "sc stop $svcName`: $stopOut"
    $StoppedCount++

    # Disable (generates WEL 7040)
    $disableOut = sc.exe config $svcName start= disabled 2>&1
    Write-Ok "sc config $svcName start=disabled: $disableOut"

    Start-Sleep -Milliseconds 200   # rapid but observable
}

Write-Ok "Bulk stop complete: $StoppedCount services stopped in rapid succession"
if ($StoppedCount -ge 5) {
    Write-Ok "Analyst threshold exceeded ($StoppedCount >= 5 services)"
} elseif ($StoppedCount -ge 3) {
    Write-Ok "Hunt threshold met ($StoppedCount >= 3 services)"
}

Start-Sleep -Milliseconds 300

if ($TargetVss) {
    Write-Step "Step 2b — Stopping VSS and wbengine (Volume Shadow + Windows Backup)"
    Write-Warn "Stopping VSS temporarily. Will re-enable. No shadow copies will be deleted."

    sc.exe stop VSS 2>&1 | ForEach-Object { Write-Ok "VSS: $_" }
    sc.exe stop wbengine 2>&1 | ForEach-Object { Write-Ok "wbengine: $_" }

    Start-Sleep -Milliseconds 500

    sc.exe start VSS 2>&1 | Out-Null
    sc.exe start wbengine 2>&1 | Out-Null
    Write-Ok "VSS + wbengine re-enabled"
}

Write-Step "Step 3/3 — Service delete (sc delete — ransomware persistence removal step)"
Write-Verbose "  Combined with bulk stop: meets Analyst rule criteria"

for ($i = 1; $i -le $TargetCount; $i++) {
    $svcName = "$ServicePrefix$i"
    $deleteOut = sc.exe delete $svcName 2>&1
    Write-Ok "sc delete $svcName`: $deleteOut"
    Start-Sleep -Milliseconds 100
}

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research]  WEL 7036 — service name matches security/backup keyword list"         -ForegroundColor DarkCyan
Write-Host "  [Hunt]      EID 1 (sc.exe stop + delete) + WEL 7036/7040 within 60s window"      -ForegroundColor DarkYellow
Write-Host "  [Analyst]   $TargetCount+ services stopped in 10 min + service deletes"                      -ForegroundColor DarkGreen
Write-Host ""
Write-Host "Note: Analyst rule checks service NAMES against a security/backup list." -ForegroundColor DarkGray
Write-Host "  'RansomTestSvc' names may not match — use -TargetVss for real target names (VSS/wbengine)" -ForegroundColor DarkGray
Write-Host "  For highest fidelity, target WinDefend + VSS + MSSQL names (in lab with those services)" -ForegroundColor DarkGray
Write-Host ""

OSINT Sources

VirusTotal Intelligence behavior_processes:"sc.exe" tag:ransomware

Requires VT Intelligence subscription; pivot to the behavior tab to extract the full service kill list for each ransomware family and feed service names into the analyst Sigma rule.

GitHub Code Search "net stop" "sc delete" ransomware path:*.ps1 OR path:*.bat OR path:*.txt

Finds researcher-published kill lists extracted from decompiled ransomware samples; update the analyst rule's service name list whenever new families are documented.

ANY.RUN Public Feed

Public ransomware task feed; filter to recent submissions and inspect process trees to see sc.exe and net.exe child process chains without a local sandbox.

Ransomware.live

Real-time ransomware group activity tracker; use to identify currently active families and prioritize hunting for their service kill lists.

Intel Resources

• Kaspersky Common TTPs of Modern Ransomware — Comprehensive analysis of service kill lists across major ransomware families
• MITRE ATT&CK — T1562.001 Impair Defenses: Disable or Modify Tools — Technique definition, procedure examples, and detection guidance for disabling or modifying security tools
• MITRE ATT&CK — T1489 Service Stop — Technique definition, procedure examples, and detection guidance for stopping services to impair system recovery

Related Chokepoints

Remote Execution Tools (HackTools) HIGH ClickFix Techniques HIGH